[gentoo-dev] lsh (and liboop) on Gentoo

[gentoo-dev] lsh (and liboop) on Gentoo

[Mike Frysinger]

[-- Attachment #1: signed data --]
[-- Type: text/plain, Size: 774 bytes --]

with all this openssh crap thats been happening today, i was wondering if 
anyone made ebuilds for lsh (and thus liboop) for Gentoo ... i was looking at 
liboop and they use the autotools pretty poorly imho ...

they have optional support for adns, glib, tcltk, readline, and libwww but 
their configure.ac is setup to only detect support ... that is, you cant 
explicitly tell configure to not add support for those ...

i made a few patches so as to make those aspects optional, but i cant get the 
autotools to regenerate the Makefile.in and configure files correctly :x

liboop (pretty complete):
http://wh0rd.de/gentoo/my-ebuilds/dev-libs/liboop/
lsh (pretty good start but needs liboop first heh):
http://wh0rd.de/gentoo/my-ebuilds/net-misc/lsh/
-mike

[-- Attachment #2: signature --]
[-- Type: application/pgp-signature, Size: 827 bytes --]

Re: [gentoo-dev] lsh (and liboop) on Gentoo

[Zack Gilburd]

[-- Attachment #1: signed data --]
[-- Type: text/plain, Size: 399 bytes --]

On Tuesday 16 September 2003 06:32 pm, Mike Frysinger wrote:
> with all this openssh crap thats been happening today, i was wondering if
> anyone made ebuilds for lsh (and thus liboop) for Gentoo ... i was looking
> at liboop and they use the autotools pretty poorly imho ...

AFAIK, lsh is not secure, whatsoever.

-- 
Zack Gilburd
 http://tehunlose.com
  GnuPG Key ID: A79A45668240AB6C

[-- Attachment #2: signature --]
[-- Type: application/pgp-signature, Size: 189 bytes --]

Re: [gentoo-dev] lsh (and liboop) on Gentoo

[Karsten Schulz]

Am Mittwoch, 17. September 2003 07:09 schrieb Zack Gilburd:

> AFAIK, lsh is not secure, whatsoever.

why? Do you have some information about exploits or exploitable bugs?

As far as I know, there are no serious problems known at the moment. The 
only disadvantage with lsh is, that there are not so much people who 
use it. But that will change, when Gentoo distribute lsh ;-)

Karsten

-- 
"Bequemlichkeit ist irrelevant!"
Seven of Nine, Raumschiff Voyager


--
gentoo-dev@gentoo.org mailing list

Re: [gentoo-dev] lsh (and liboop) on Gentoo

[Zack Gilburd]

[-- Attachment #1: signed data --]
[-- Type: text/plain, Size: 1005 bytes --]

On Wednesday 17 September 2003 05:01 am, Karsten Schulz wrote:
> Am Mittwoch, 17. September 2003 07:09 schrieb Zack Gilburd:
> > AFAIK, lsh is not secure, whatsoever.
>
> why? Do you have some information about exploits or exploitable bugs?
>
> As far as I know, there are no serious problems known at the moment. The
> only disadvantage with lsh is, that there are not so much people who
> use it. But that will change, when Gentoo distribute lsh ;-)
>
> Karsten

For a while, the README for lsh contained:

	This directory contains snapshots of lsh development. lsh is a free
	implementation of the ssh protocol.

	lsh is far from finished; don't expect these snapshots to compile or
	work, and even if they appear to work, beware that lsh currently does
	*NOT* provide any security at all.

Until yesterday when it was updated from 1998.  I was relying on the old 
README.

Nevermind, please proceed.
-- 
Zack Gilburd
 http://tehunlose.com
  GnuPG Key ID: A79A45668240AB6C

[-- Attachment #2: signature --]
[-- Type: application/pgp-signature, Size: 189 bytes --]

Re: [gentoo-dev] lsh (and liboop) on Gentoo

[Alexander Gretencord]

On Wednesday 17 September 2003 03:32, Mike Frysinger wrote:
> with all this openssh crap thats been happening today, i was wondering if
> anyone made ebuilds for lsh (and thus liboop) for Gentoo ... i was looking
> at liboop and they use the autotools pretty poorly imho ...

Well there are ebuilds in bugzilla but carpaski set them to fixed without 
bothering to add them to the official portage tree as noone seemed to be 
interested in those ebuilds. Maybe you have better luck this time. Tell us 
about the bug report here so we can all post, so it gets in this time :)

> i made a few patches so as to make those aspects optional, but i cant get
> the autotools to regenerate the Makefile.in and configure files correctly

Well if you figure it out, send the patches to the maintainers, they probably 
just didn't add such things as nobody complained and they don't see a need 
for that. Was the same with a DESTDIR variable in chrony until I wanted to 
make an ebuild. Richard was quite pleased with the patch once he saw the need 
for that.

Also if you read the man pages or some other sources and see the "*this stuff 
is insecure*" notices, they are all from 98 or 99. Nothing like that for the 
newer releases (well the man pages still contain it but they were not updated 
since 99) although I of course don't have the expertise to check myself if 
lsh is secure. But you might find it interesting that some people from the 
de.alt.sysadmin.recovery newsgroup will probably review the lsh codebase to 
their best knowledge. Naturally they want to get rid of openssh now :)


Alex


--
gentoo-dev@gentoo.org mailing list

Re: [gentoo-dev] lsh (and liboop) on Gentoo

[Mike Frysinger]

[-- Attachment #1: signed data --]
[-- Type: text/plain, Size: 1346 bytes --]

On Wednesday 17 September 2003 13:05, Alexander Gretencord wrote:
> On Wednesday 17 September 2003 03:32, Mike Frysinger wrote:
> > with all this openssh crap thats been happening today, i was wondering if
> > anyone made ebuilds for lsh (and thus liboop) for Gentoo ... i was
> > looking at liboop and they use the autotools pretty poorly imho ...
>
> Well there are ebuilds in bugzilla but carpaski set them to fixed without
> bothering to add them to the official portage tree as noone seemed to be
> interested in those ebuilds. Maybe you have better luck this time. Tell us
> about the bug report here so we can all post, so it gets in this time :)

http://bugs.gentoo.org/show_bug.cgi?id=28971

> > i made a few patches so as to make those aspects optional, but i cant get
> > the autotools to regenerate the Makefile.in and configure files correctly
>
> Well if you figure it out, send the patches to the maintainers, they
> probably just didn't add such things as nobody complained and they don't
> see a need for that. Was the same with a DESTDIR variable in chrony until I
> wanted to make an ebuild. Richard was quite pleased with the patch once he
> saw the need for that.

yeah i usually do ... i just hate it when a package goes unmaintained upstream 
and we have to basically sit on the patches ;(

-mike

[-- Attachment #2: signature --]
[-- Type: application/pgp-signature, Size: 827 bytes --]

Re: [gentoo-dev] lsh (and liboop) on Gentoo

[Patrick Lauer]

On Wed, 2003-09-17 at 07:09, Zack Gilburd wrote:
> On Tuesday 16 September 2003 06:32 pm, Mike Frysinger wrote:
> > with all this openssh crap thats been happening today, i was wondering if
> > anyone made ebuilds for lsh (and thus liboop) for Gentoo ... i was looking
> > at liboop and they use the autotools pretty poorly imho ...
> 
> AFAIK, lsh is not secure, whatsoever.
You're right, lsh has the same type of error as ssh.
(possible root compromise)

http://lists.lysator.liu.se/pipermail/lsh-bugs/2003q3/000120.html

so at the moment securing a networked linux box is a bit of russian
roulette ...

I already posted a comment to bug  28971 (lsh ebuild) 




--
gentoo-dev@gentoo.org mailing list