[MacPorts] #16911: git-core requiring macports' ssh on leopard, openssh security concern
MacPorts
noreply at macports.org
Sat Oct 18 19:00:45 PDT 2008
#16911: git-core requiring macports' ssh on leopard, openssh security concern
---------------------------------+------------------------------------------
Reporter: bcbarnes at gmail.com | Owner: macports-tickets at lists.macosforge.org
Type: defect | Status: new
Priority: Normal | Milestone: Port Bugs
Component: ports | Version: 1.6.0
Resolution: | Keywords:
Port: |
---------------------------------+------------------------------------------
Comment(by bcbarnes at gmail.com):
Replying to [comment:2 raimue@…]:
> How should using ssh as a client lead to intrusion into your network?
Well, if you google for openssh client vulnerabilities, there are several
thousand links to sort through, but here is a recent example:
http://www.ubuntu.com/usn/usn-612-2
the famous RNG problem with debian and ubuntu openssh. That's applicable
here because if a similar problem existed for macports' ssh, well, the
first thing I did after installing git-core was run ssh-keygen, which was
run by the macports binary by default.
There are other older examples of ssh client problems with X11, ssh-agent,
and other issues. And who knows what lies in the future? The point is, a
security-critical utility is being overrode by macports without warning,
or need. If macports disappeared one day, I would have degraded security,
thinking that OS X patches of ssh would be helping me, when in fact they
would not. Think about the average user who doesn't know to check their
path or the trac...
> I remember a comment by Bryan Larsen that openssh is used from MacPorts
because it is needed at compile time for git, that means it is bundled to
a specific version. Therefore we need to declare a dependency to be able
to do upgrades when needed.
As noted in the previous reply of mine, I uninstalled git-core, changed my
path, reinstalled it, and it worked fine. So at least the binaries are
not being referenced by names such as ssh instead of absolute paths.
openssh is also listed as a runtime dependency instead of a library (or
build?) dependency. Maybe there's more to this, and if so, I hope Bryan
can clear it up. If the binaries need to be used during build, then
perhaps they could be renamed as ssh-mp instead of the system name, ssh?
Hey, maybe I'm wrong, but I've tried to prove myself wrong with that test
and it still worked.
> gcc is a different case, because the gcc provided by Apple is highly
patched, e.g. to support building for multiple architectures (-arch
options). The use of Apple's gcc is preferred. Also there is the
gcc_select port to choose from multiple installed versions.
Ok, but I would think that something so important as ssh could be treated
as a special case as well. Apple does carefully maintain the security of
their OS. However, based on investigations so far, there may be no need
at all for macports to install openssh on OS X 10.5. I understand that
macports prefers to install a variety of dependencies to promote smooth
functioning across possible installs, but it does use the compiler, and it
could use the system ssh in Leopard (and probably Tiger too). Why
duplicate functionality when nobody has provided an example of it being
needed? I mean, is it needed for OS X 10.3? :)
--
Ticket URL: <http://trac.macports.org/ticket/16911#comment:4>
MacPorts <http://www.macports.org/>
Ports system for Mac OS
More information about the macports-tickets
mailing list