A colleague was having trouble running OpenSSH 3.3p on his server.
He, like many of us, has been clobbered by the mighty security penis
of Theo De Raadt into enabling "privsep".
But on some Linux 2.2 kernels, this is broken. Apparantly, OpenSSH
"portable"
relies on non-POSIX compliant mmap() features.
Making the mmap() call in monitor_mm.c look something like this:
{
char template[40], c = 0;
int fd;
sprintf(template,"/tmp/sshd-XXXXXX");
fd = mkstemp(template);
unlink(template);
lseek(fd,(size/4096*4096*2)-1,SEEK_SET);
write(fd,&c,1);
address = mmap(NULL,size,PROT_WRITE|PROT_READ,MAP_SHARED,fd,0);
memset(address,0,size);
close(fd);
}
fixes it on his server. If you use this, it is, like everything else in
life, at your own risk.
I don't follow the list so I have no idea if this has been reported, fixed,
or otherwise dealt with. If you're going to respond to yell at me, do it
off list.
--
Michael Bacarella | Netgraft Corporation
| 545 Eighth Ave #401
Systems Analysis | New York, NY 10018
Technical Support | 212 946-1038 | 917 670-6982
Managed Services | mbac at netgraft.com
On Tue, 25 Jun 2002, Michael Bacarella wrote:> A colleague was having trouble running OpenSSH 3.3p on his server. > > He, like many of us, has been clobbered by the mighty security penis > of Theo De Raadt into enabling "privsep". ><shrug> Theo does not have a gun to your head. Or last I checked he did not.> But on some Linux 2.2 kernels, this is broken. Apparantly, OpenSSH "portable" > relies on non-POSIX compliant mmap() features. >Known issue. mmap() w/out a working MAP_ANON is currently requires sshd to have compression off (won't start with Compression on). Post Monday I'll accept complete patches (Some form of OpenWall's Owl + Tim's /dev/zero) to improve it. I'm not at the point where I want to introduce too many mmap() ways before the end of the week due to the limited testing period we have. - Ben
On Tue, 25 Jun 2002, Michael Bacarella wrote:> But on some Linux 2.2 kernels, this is broken. Apparantly, OpenSSH "portable" > relies on non-POSIX compliant mmap() features. > > fixes it on his server. If you use this, it is, like everything else in > life, at your own risk. > > I don't follow the list so I have no idea if this has been reported, fixed, > or otherwise dealt with. If you're going to respond to yell at me, do it off list.This has been reported numerous times. http://bugzilla.mindrot.org/show_bug.cgi?id=285 Set "Compression" to "no" to hqve privsep. Dries -- Dries Schellekens email: gwyllion at ulyssis.org