OSX 10.4.7 August Security Update

This update includes a new version of SSH (OpenSSH 4.2) which uses a new mechanism for doing Kerberos authentication. The new version fixes a weakness in the old version. Unfortunately, the two mechanisms don't interoperate and no backward compatibility is provided. This means that the update breaks Kerberos/SSH access to almost all FNAL machines and MSUHEP machines. Note that telnet will still work to FNAL (it is not allowed to MSUHEP machines).

Before applying this update, make a copy of the ssh program /usr/bin/ssh so that you'll have the old version for connecting to old servers. (If you've already done the update, contact me and we can fix things.)


The ssh binary before update:

mac:~ little$ ls -l /usr/bin/ssh
-rwxr-xr-x   1 root  wheel  231248 May 27  2005 /usr/bin/ssh

mac:~ little$ ssh -v
OpenSSH_3.8.1p1, OpenSSL 0.9.7i 14 Oct 2005

The plan is to copy this binary to another location, perform the update, copy the new binary to another location, and then create a symlink named /usr/bin/ssh that points to the old binary.

mac:~ little$ sudo cp /usr/bin/ssh /usr/bin/ssh-3.8.1p1
mac:~ little$ ls -l /usr/bin/ssh*
-rwxr-xr-x   1 root  wheel  231248 May 27  2005 /usr/bin/ssh
-rwxr-xr-x   1 root  wheel  231248 Aug 15 02:16 /usr/bin/ssh-3.8.1p1
-rwxr-xr-x   1 root  wheel   75968 May 27  2005 /usr/bin/ssh-add
-rwxr-xr-x   1 root  wheel   63016 May 27  2005 /usr/bin/ssh-agent
-rwxr-xr-x   1 root  wheel   84948 May 27  2005 /usr/bin/ssh-keygen
-rwxr-xr-x   1 root  wheel  129660 May 27  2005 /usr/bin/ssh-keyscan

Now run Software Update.

Then do:

mac:~ little$ sudo cp /usr/bin/ssh /usr/bin/ssh-4.2

mac:~ little$ sudo rm /usr/bin/ssh
mac:~ little$ sudo ln -s /usr/bin/ssh-3.8.1p1 /usr/bin/ssh

mac:~ little$ ssh -v
OpenSSH_3.8.1p1, OpenSSL 0.9.7i 14 Oct 2005

-- TomRockwell - 25 May 2006
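
A check for the state the steps above leave behind, as an added example that is not part of the original page: it reports whether /usr/bin/ssh is still the symlink to the 3.8.1p1 copy and whether both preserved copies are intact. The function name, the return codes and the optional directory argument are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the original page: report which binary DIR/ssh
# currently resolves to after the swap described above.
# DIR defaults to /usr/bin; passing another directory is an assumption made
# so the check can be tried on a scratch copy first.
#
# Return codes (chosen for this example):
#   0  ssh is a symlink to ssh-3.8.1p1, the state the page sets up
#   1  ssh is a regular file again (the link was replaced)
#   2  one of the preserved copies is missing or not executable
#   3  ssh is missing or is a symlink to something else
check_ssh_swap() {
    dir=${1:-/usr/bin}
    old="$dir/ssh-3.8.1p1"
    new="$dir/ssh-4.2"

    # Both versioned copies must be real executables, not links.
    for f in "$old" "$new"; do
        if [ -L "$f" ] || [ ! -f "$f" ] || [ ! -x "$f" ]; then
            echo "missing or not executable: $f"
            return 2
        fi
    done

    if [ -L "$dir/ssh" ]; then
        target=$(readlink "$dir/ssh")
        case "$target" in
            "$old"|ssh-3.8.1p1)
                echo "ssh -> $target (old Kerberos mechanism)"
                return 0 ;;
            *)
                echo "ssh -> $target (unexpected link target)"
                return 3 ;;
        esac
    elif [ -f "$dir/ssh" ]; then
        # Regular file: identify it by comparing bytes with the copies.
        if cmp -s "$dir/ssh" "$new"; then
            echo "ssh is a regular file identical to ssh-4.2"
        elif cmp -s "$dir/ssh" "$old"; then
            echo "ssh is a regular file identical to ssh-3.8.1p1"
        else
            echo "ssh is a regular file matching neither copy"
        fi
        return 1
    fi
    echo "ssh is missing from $dir"
    return 3
}
```

Source the file and run `check_ssh_swap` with no argument to inspect /usr/bin; a result other than 0 means plain `ssh` is no longer the 3.8.1p1 binary.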
