[MacPorts] #16911: git-core requiring macports' ssh on leopard, openssh security concern

MacPorts noreply at macports.org
Sat Oct 18 19:00:45 PDT 2008 

#16911: git-core requiring macports' ssh on leopard, openssh security concern
---------------------------------+------------------------------------------
  Reporter:  bcbarnes at gmail.com  |       Owner:  macports-tickets at lists.macosforge.org
      Type:  defect              |      Status:  new                                  
  Priority:  Normal              |   Milestone:  Port Bugs                            
 Component:  ports               |     Version:  1.6.0                                
Resolution:                      |    Keywords:                                       
      Port:                      |  
---------------------------------+------------------------------------------

Comment(by bcbarnes at gmail.com):

 Replying to [comment:2 raimue@…]:
 > How should using ssh as a client lead to intrusion into your network?

 Well, if you google for openssh client vulnerabilities, there are several
 thousand links to sort through, but here is a recent example:
 http://www.ubuntu.com/usn/usn-612-2
 the famous RNG problem with debian and ubuntu openssh.  That's applicable
 here because if a similar problem existed for macports' ssh, well, the
 first thing I did after installing git-core was run ssh-keygen, which was
 run by the macports binary by default.

 There are other older examples of ssh client problems with X11, ssh-agent,
 and other issues.  And who knows what lies in the future?  The point is, a
 security-critical utility is being overrode by macports without warning,
 or need.  If macports disappeared one day, I would have degraded security,
 thinking that OS X patches of ssh would be helping me, when in fact they
 would not.  Think about the average user who doesn't know to check their
 path or the trac...

 > I remember a comment by Bryan Larsen that openssh is used from MacPorts
 because it is needed at compile time for git, that means it is bundled to
 a specific version. Therefore we need to declare a dependency to be able
 to do upgrades when needed.

 As noted in the previous reply of mine, I uninstalled git-core, changed my
 path, reinstalled it, and it worked fine.  So at least the binaries are
 not being referenced by names such as ssh instead of absolute paths.
 openssh is also listed as a runtime dependency instead of a library (or
 build?) dependency.  Maybe there's more to this, and if so, I hope Bryan
 can clear it up.  If the binaries need to be used during build, then
 perhaps they could be renamed as ssh-mp instead of the system name, ssh?
 Hey, maybe I'm wrong, but I've tried to prove myself wrong with that test
 and it still worked.

 > gcc is a different case, because the gcc provided by Apple is highly
 patched, e.g. to support building for multiple architectures (-arch
 options). The use of Apple's gcc is preferred. Also there is the
 gcc_select port to choose from multiple installed versions.

 Ok, but I would think that something so important as ssh could be treated
 as a special case as well.  Apple does carefully maintain the security of
 their OS.  However, based on investigations so far, there may be no need
 at all for macports to install openssh on OS X 10.5.  I understand that
 macports prefers to install a variety of dependencies to promote smooth
 functioning across possible installs, but it does use the compiler, and it
 could use the system ssh in Leopard (and probably Tiger too).  Why
 duplicate functionality when nobody has provided an example of it being
 needed?  I mean, is it needed for OS X 10.3?   :)

-- 
Ticket URL: <http://trac.macports.org/ticket/16911#comment:4>
MacPorts <http://www.macports.org/>
Ports system for Mac OS

More information about the macports-tickets mailing list