http://bugzilla.mindrot.org/show_bug.cgi?id=1105
Summary: Privilege Separation
Product: Portable OpenSSH
Version: 4.2p1
Platform: All
OS/Version: All
Status: NEW
Severity: normal
Priority: P2
Component: sshd
AssignedTo: bitbucket at mindrot.org
ReportedBy: giffordj at linkline.com
I've been doing a lot of builds of the portable openssh, with a modern
toolchain (gcc 4.0.2, glibc 20050926 snapshot, and binutils 2.16.1). No matter
what architecture I use, I have been unable to utilize privilege separation.
Here is what happens.
Connect - Enter username - password - then it exits.
If I go into sshd_config and set UsePrivilegeSeparation no, everything works
perfectly.
Any suggestions or recommendations? A few people believe the issue is related
to a glibc bug in the chroot, which has been fixed in the glibc I'm using, but I
think the problem is in openssh.
------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.
------- Comment #1 from dtucker at zip.com.au 2005-10-17 10:19 -------
What OS are you using? I'm guessing a Linux since you're using glibc but you
don't specify.
What options did you build and run OpenSSH with?
Are you using keyboard-interactive authentication and if so does the problem
occur without it?
Could you please attach (as an attachment, not in the comment field) the debug
output from the server? eg "/path/to/sshd -ddde -p 2022" then point your
client at port 2022.
From what you've described, it does sound like the glibc thing. Does the test
for the glibc bug pass or crash?
http://marc.theaimsgroup.com/?l=openssh-unix-dev&m=111061843820265
------- Comment #2 from giffordj at linkline.com 2005-10-17 13:53 -------
Yes, it's Linux. Yes, I saw that issue, and it doesn't affect my setup. I also
checked
http://sources.redhat.com/ml/libc-hacker/2005-02/msg00005.html
Will be attaching the output you requested.
------- Comment #3 from giffordj at linkline.com 2005-10-17 13:54 -------
Created an attachment (id=999)
--> (http://bugzilla.mindrot.org/attachment.cgi?id=999&action=view)
Requested debug output
------- Comment #4 from dtucker at zip.com.au 2005-10-17 14:10 -------
Created an attachment (id=1000)
--> (http://bugzilla.mindrot.org/attachment.cgi?id=1000&action=view)
Fix privsep + root login + delayed compression bug.
OK, looking at the debug output, I think that is fixed with the following
change (patch attached):
- djm at cvs.openbsd.org 2005/09/19 11:47:09
[sshd.c]
stop connection abort on rekey with delayed compression enabled when
post-auth privsep is disabled (e.g. when root is logged in); ok dtucker@
If so, this is already fixed in -HEAD and the 4.2 branch. You can also work
around it by setting "Compression yes" in sshd_config.
------- Comment #5 from giffordj at linkline.com 2005-10-17 16:12 -------
Created an attachment (id=1001)
--> (http://bugzilla.mindrot.org/attachment.cgi?id=1001&action=view)
Updated debug output
------- Comment #6 from giffordj at linkline.com 2005-10-17 16:13 -------
Still having the same issue. Updated the debug info.