bugzilla-daemon at mindrot.org
2002-Jul-19 05:22 UTC
[Bug 362] New: Loss of change password functionality
http://bugzilla.mindrot.org/show_bug.cgi?id=362

Summary: Loss of change password functionality
Product: Portable OpenSSH
Version: -current
Platform: UltraSparc
OS/Version: Solaris
Status: NEW
Severity: normal
Priority: P2
Component: ssh
AssignedTo: openssh-unix-dev at mindrot.org
ReportedBy: dirk.bockmann at customs.gov.au

Because of the reported root compromise vulnerability we have upgraded our Solaris servers to the latest current version of ssh. It all works fine thanks, except the PAM interface with Solaris. The impact is that users can no longer be notified that their password needs to be changed. Instead they are locked out.

I raised this issue with Sun who are responsible for the PAM which appears to be the main offender. Their response is shown below:

Sent: Friday, 12 July 2002 17:13
To: dirk.bockmann at customs.gov.au
Subject: 10243779 - Openssh

Dirk,

Previous versions of OpenSSH worked correctly with the Solaris PAM module up until privsep was added by OpenSSH to overcome a security vulnerability issue.

The privsep architecture which has been designed is not compatible with PAM, and is outside the scope of how PAM is normally used, i.e., it breaks the PAM standard.

An alternative is to upgrade to Solaris 9 which ships with SunSSH (a product based on OpenSSH which does not have privsep and by default is not vulnerable to the security exploit which privsep resolves).

Also, for your reference if there is any feature in OpenSSH 3.3 or newer which does not exist in SunSSH you can log a request for enhancement for the new feature to be included in future releases.

Let me know if you require any further information/assistance.

Regards,
Nicholas

Any ideas on where we can progress from here please? We are far from being in a position to upgrade to Solaris 2.9; many of our machines are still on 2.5.1 because that is what the applications require.

Would appreciate your advice.

Thanks,
Dirk

------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.