On Jun 13 13:13, Michelle Sullivan wrote:
> Don Lewis wrote:
>> On 13 Jun, Michelle Sullivan wrote:
>>> SSH would be the biggie that most security departments are scared of...
>> Well, ssh is available in ports, though I haven't checked to see that it
>> picks up the correct version of openssl.
> Problem is it doesn't have 'overwrite base' anymore - and
> openssh-portable66 which does have overwrite base is now marked
> deprecated... which means one would have to be very careful about how
> they use SSH in production as both server and client... Server is
> easier as it has a different _enable identifier... but the client is not
> distinguishable so unless one puts /usr/local/bin in their permanent
> path as a priority over /usr/bin one will use the wrong version.
I put WITHOUT_OPENSSH=yes in /etc/src.conf. Then run make delete-old and
make delete-old-libs in /usr/src. This removes the base version which
means you don't have this issue any longer. I do the same thing with NTP
and Unbound as well.
Obviously this makes more sense if, like me, you do source-based stuff
rather than using freebsd-update. I'm not sure if you can do similar
with binary-based upgrades?
The other alternatives are as you say, put /usr/local/bin before
/usr/bin in the $PATH. Or add an alias for commands like ssh to point to
the ports version. These methods aren't quite as clean though.
--
Matt
_______________________________________________
freebsd-ports@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-ports
To unsubscribe, send any mail to "freebsd-ports-unsubscr...@freebsd.org"
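The PATH-ordering pitfall discussed above, as an added example that is not code from the thread: a POSIX sh check that reports which ssh a given PATH resolves first, whether a base copy under usr/bin still exists after the WITHOUT_OPENSSH plus make delete-old route, and which libssl/libcrypto the winning binary links. The function names and the root-prefix parameter are my own assumptions.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread. Helper functions for
# auditing which OpenSSH client a shell will actually run.

# first_ssh_in_path PATH_STRING [NAME]: print the first executable NAME
# (default: ssh) found by walking PATH_STRING left to right, the same
# lookup order the shell uses. Returns 1 if none is found.
first_ssh_in_path() {
    _path=$1
    _name=${2:-ssh}
    _old_ifs=$IFS
    IFS=:
    for _dir in $_path; do
        if [ -x "$_dir/$_name" ]; then
            IFS=$_old_ifs
            printf '%s\n' "$_dir/$_name"
            return 0
        fi
    done
    IFS=$_old_ifs
    return 1
}

# base_copy_remains ROOT: succeed if ROOT/usr/bin/ssh still exists, i.e.
# the base OpenSSH was not removed (WITHOUT_OPENSSH=yes + make delete-old).
# ROOT is a hypothetical prefix so the check can be run against a test tree.
base_copy_remains() {
    [ -e "$1/usr/bin/ssh" ]
}

# audit_ssh: report which ssh wins under the current PATH and, where ldd is
# available, which libssl/libcrypto it is linked against.
audit_ssh() {
    bin=$(first_ssh_in_path "$PATH" ssh) || { echo "no ssh in PATH"; return 1; }
    echo "ssh resolves to: $bin"
    case $bin in
        /usr/local/*) echo "ports OpenSSH wins" ;;
        /usr/bin/*)   echo "BASE OpenSSH wins: reorder PATH or remove base (WITHOUT_OPENSSH=yes)" ;;
    esac
    if command -v ldd >/dev/null 2>&1; then
        ldd "$bin" 2>/dev/null | grep -i 'libssl\|libcrypto'
    fi
}
```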