#16911: git-core requiring macports' ssh on leopard, openssh security concern ---------------------------------+------------------------------------------ Reporter: bcbarnes@gmail.com | Owner: macports-tickets@lists.macosforge.org Type: defect | Status: new Priority: Normal | Milestone: Port Bugs Component: ports | Version: 1.6.0 Resolution: | Keywords: Port: | ---------------------------------+------------------------------------------ Comment(by bcbarnes@gmail.com): Replying to [comment:2 raimue@…]:
How should using ssh as a client lead to intrusion into your network?
Well, if you google for openssh client vulnerabilities, there are several thousand links to sort through, but here is a recent example: http://www.ubuntu.com/usn/usn-612-2 the famous RNG problem with debian and ubuntu openssh. That's applicable here because if a similar problem existed for macports' ssh, well, the first thing I did after installing git-core was run ssh-keygen, which was run by the macports binary by default. There are other older examples of ssh client problems with X11, ssh-agent, and other issues. And who knows what lies in the future? The point is, a security-critical utility is being overrode by macports without warning, or need. If macports disappeared one day, I would have degraded security, thinking that OS X patches of ssh would be helping me, when in fact they would not. Think about the average user who doesn't know to check their path or the trac...
I remember a comment by Bryan Larsen that openssh is used from MacPorts because it is needed at compile time for git, that means it is bundled to a specific version. Therefore we need to declare a dependency to be able to do upgrades when needed.
As noted in the previous reply of mine, I uninstalled git-core, changed my path, reinstalled it, and it worked fine. So at least the binaries are not being referenced by names such as ssh instead of absolute paths. openssh is also listed as a runtime dependency instead of a library (or build?) dependency. Maybe there's more to this, and if so, I hope Bryan can clear it up. If the binaries need to be used during build, then perhaps they could be renamed as ssh-mp instead of the system name, ssh? Hey, maybe I'm wrong, but I've tried to prove myself wrong with that test and it still worked.
gcc is a different case, because the gcc provided by Apple is highly patched, e.g. to support building for multiple architectures (-arch options). The use of Apple's gcc is preferred. Also there is the gcc_select port to choose from multiple installed versions.
Ok, but I would think that something so important as ssh could be treated as a special case as well. Apple does carefully maintain the security of their OS. However, based on investigations so far, there may be no need at all for macports to install openssh on OS X 10.5. I understand that macports prefers to install a variety of dependencies to promote smooth functioning across possible installs, but it does use the compiler, and it could use the system ssh in Leopard (and probably Tiger too). Why duplicate functionality when nobody has provided an example of it being needed? I mean, is it needed for OS X 10.3? :) -- Ticket URL: <http://trac.macports.org/ticket/16911#comment:4> MacPorts <http://www.macports.org/> Ports system for Mac OS