Subject: Re: How to update to the latest OpenSSH?
To: Paul Hoffman <phoffman@proper.com>
From: Steven M. Bellovin <smb@research.att.com>
List: tech-security
Date: 12/04/2001 11:54:52
In message <p05101011b832abe364e3@[165.227.249.20]>, Paul Hoffman writes:
>Greetings again. I'm running a stock 1.5.1 (not using -current). My 
>sshd reports itself as:
>
>sshd version OpenSSH_2.5.1 NetBSD_Secure_Shell-20010219
>
>So, here's a bunch of questions.
>
>How do I upgrade it to the latest version that has the security bug 
>fixes in it? The current version seems to be 3.0.2, so I don't 
>imagine that I can do a simple patch in /usr/src.
>
>If the answer is "use pkgsrc", how do I make sure that I use the 
>pkgsrc version instead of the distributed version? My packages build 
>into /usr/pkg. Would I change the /etc/rc.d/sshd directly? If so, 
>won't that change get wiped out when I upgrade NetBSD?
>
>Also, if I do change /etc/rc.d/sshd, I assume that I have to change 
>it in four places (because I want to use the pkgsrc ssh-keygen as 
>well). Is that correct?
>
I just grabbed the portable version of openssh, and built it to install 
in /usr/openssh.  I then changed "command" in /etc/rc.d/sshd to point 
to /usr/openssh/sbin/sshd.  I didn't worry about keygen, since all of 
my hosts already have keys.  I did copy /etc/ssh* to /usr/openssh/etc, 
but beware -- the config files are ssh_config and sshd_config, rather 
than the ssh.conf and sshd.conf that 1.5.2 uses.  And you can't just 
rename them; the options are slightly changed.

For user purposes, I just prepended /usr/openssh/bin to my $PATH.

All this isn't ideal, but it let me isolate the new stuff until there's 
an official fix.  I'm hoping that that will happen while I still 
remember what I did...

		--Steve Bellovin, http://www.research.att.com/~smb
		Full text of "Firewalls" book now at http://www.wilyhacker.com