# time to upgrade your OpenSSH and change a setting

## bidz

emerge rsync;emerge openssh

this will install OpenSSH v3.3

then:

nano -w /etc/ssh/sshd_config

find the line saying "#UsePrivilegeSeparation no"

IMPORTANT!

uncomment this line, and change the "no" to "yes", so it reads like this:

UsePrivilegeSeparation yes

save the file, then: /etc/init.d/sshd stop -> /etc/init.d/sshd start - you can also just use "restart".

this was posted in the gentoo security mailinglists, but i guess alot of you arent subscribing there. read about it on slashdot also: http://slashdot.org/articles/02/06/24/1912215.shtml?tid=167

this is very important, unless you want to be rooted/hacked or something  :Smile:  and in about one 3-7 days, a new patched OpenSSH (3.3.1p1) will be released, addressing this exploit.

enabling the "UsePrivilegeSeparation" makes it impossible to utilize this bug. to be sure, you can also set "PermitRootLogin" to "no", and also ALWAYS ONLY use the SSH Protocol 2, simply uncomment "#Protocol 1, 2", and make it like this

Protocol 2

done.

Hope this made you a little bit more secure  :Wink: 

here's a link to the BUGTRAQ announcement: http://www.mindrot.org/pipermail/openssh-unix-announce/2002-June/000041.html

UPDATE:

OpenSSH 3.4 is now released, and fixes this exploit - *waiting for a ebuild*  :Wink: 

----------

## fghellar

(Marking as sticky)

----------

## Zu`

 *bidz wrote:*   

> 
> 
> UPDATE:
> 
> OpenSSH 3.4 is now released, and fixes this exploit - *waiting for a ebuild* 

 

That makes two of us.

And it's still not here. Strange?

----------

## bidz

maybe the dev's/ebuild managers/packagers are busy finishing a gnome 2 final ebuild  :Wink: 

although, a OpenSSH upgrade is by far *much* more important, so hurry up!   :Laughing: 

----------

## bidz

update:

OpenSSH 3.4p1 ebuild is now up! go grab it! worked fine.

----------

## Nitro

Disregard the original post, read the official announcement which covers installing OpenSSH 3.4p1 @ https://forums.gentoo.org/viewtopic.php?t=6225

----------

## eimail

cp /usr/sbin/sshd /tmp/sshd2

/tmp/sshd2 -p 8002

ssh -p 8002 snooter@snooter.de

now connect to this sshd2 an nothing could happen, you can restart your updated ssh, an if there errors you can change them.

i forgett this one time ;-((

----------

## mglauche

hmm, i normally use nohup /etc/init.d/sshd restart

but your left in the cold if the restart does not work  :Smile: 

----------

## WarMachine

somebody should put up an openSSH howto for gentoo, seeing the mass number of people that run it

yes, I know there is one on openssh's site, but it's geared towards bsd

----------

