Mac Admin Corner | Desktop Management: Mac OS X 10.4.10 Unnessesarily replaces sshd_config

My blog has moved!

You should be automatically redirected in 6 seconds. If not, visit
http://www.macadmincorner.com
and update your bookmarks.

Tuesday, July 10, 2007

Mac OS X 10.4.10 Unnessesarily replaces sshd_config

It looks like Apple did a very unpleasant modification in the 10.4.10 update. They outright replaced the /etc/sshd_config for a tiny bit of "tidying up" of the GSSAPI section.

Before 10.4.10:

# GSSAPI options
#GSSAPIStrictAcceptorCheck yes
#GSSAPIKeyExchange yes

# GSSAPI options
#GSSAPIAuthentication yes
#GSSAPICleanupCredentials yes

After 10.4.10:

# GSSAPI options
#GSSAPIAuthentication yes
#GSSAPICleanupCredentials yes
#GSSAPIStrictAcceptorCheck yes
#GSSAPIKeyExchange yes

Now was it really necessary to replace the file? On our image, I modify that file to restrict who can use ssh and a couple other settings. Now I have to push that file back out to all my machines.

There was really no reason for this.

CORRECTION - After further inspection, it looks like the file is not actually replaced, but modified by a fixSSHcfg.pl script within the 10.4.10 package. It also looks like modifications to the sshd_config do not always go away. The first 2 machines I updated with 10.4.10 lost the mods that I made, but then I tried a couple more and they didn't lose the customizations that I did.

digg story

2 comments:

Anonymous said...: It doesn't actually replace the file. It may modify it, though even in mine, I can't see the difference (and I have modified mine for Kerberos and AllowUsers directives).; July 19, 2007 at 10:10 PM
Patrick Gallagher said...: Yea, I'm noticing that now on other machines (see correction above).; July 20, 2007 at 6:38 AM

Subscribe to: Post Comments (Atom)

Tuesday, July 10, 2007

Mac OS X 10.4.10 Unnessesarily replaces sshd_config

It looks like Apple did a very unpleasant modification in the 10.4.10 update. They outright replaced the /etc/sshd_config for a tiny bit of "tidying up" of the GSSAPI section.

Before 10.4.10:

# GSSAPI options
#GSSAPIStrictAcceptorCheck yes
#GSSAPIKeyExchange yes

# GSSAPI options
#GSSAPIAuthentication yes
#GSSAPICleanupCredentials yes

After 10.4.10:

# GSSAPI options
#GSSAPIAuthentication yes
#GSSAPICleanupCredentials yes
#GSSAPIStrictAcceptorCheck yes
#GSSAPIKeyExchange yes

Now was it really necessary to replace the file? On our image, I modify that file to restrict who can use ssh and a couple other settings. Now I have to push that file back out to all my machines.

There was really no reason for this.

CORRECTION - After further inspection, it looks like the file is not actually replaced, but modified by a fixSSHcfg.pl script within the 10.4.10 package. It also looks like modifications to the sshd_config do not always go away. The first 2 machines I updated with 10.4.10 lost the mods that I made, but then I tried a couple more and they didn't lose the customizations that I did.

digg story

2 comments:

Anonymous said...: It doesn't actually replace the file. It may modify it, though even in mine, I can't see the difference (and I have modified mine for Kerberos and AllowUsers directives).; July 19, 2007 at 10:10 PM
Patrick Gallagher said...: Yea, I'm noticing that now on other machines (see correction above).; July 20, 2007 at 6:38 AM

Subscribe to: Post Comments (Atom)

Tuesday, July 10, 2007

Mac OS X 10.4.10 Unnessesarily replaces sshd_config

It looks like Apple did a very unpleasant modification in the 10.4.10 update. They outright replaced the /etc/sshd_config for a tiny bit of "tidying up" of the GSSAPI section.

Before 10.4.10:

# GSSAPI options
#GSSAPIStrictAcceptorCheck yes
#GSSAPIKeyExchange yes

# GSSAPI options
#GSSAPIAuthentication yes
#GSSAPICleanupCredentials yes

After 10.4.10:

# GSSAPI options
#GSSAPIAuthentication yes
#GSSAPICleanupCredentials yes
#GSSAPIStrictAcceptorCheck yes
#GSSAPIKeyExchange yes

Now was it really necessary to replace the file? On our image, I modify that file to restrict who can use ssh and a couple other settings. Now I have to push that file back out to all my machines.

There was really no reason for this.

CORRECTION - After further inspection, it looks like the file is not actually replaced, but modified by a fixSSHcfg.pl script within the 10.4.10 package. It also looks like modifications to the sshd_config do not always go away. The first 2 machines I updated with 10.4.10 lost the mods that I made, but then I tried a couple more and they didn't lose the customizations that I did.

digg story

2 comments:

Anonymous said...: It doesn't actually replace the file. It may modify it, though even in mine, I can't see the difference (and I have modified mine for Kerberos and AllowUsers directives).; July 19, 2007 at 10:10 PM
Patrick Gallagher said...: Yea, I'm noticing that now on other machines (see correction above).; July 20, 2007 at 6:38 AM

Subscribe to: Post Comments (Atom)