openssh unix dev - Jul 2002 - [Bug 362] New: Loss of change password functionality

http://bugzilla.mindrot.org/show_bug.cgi?id=362

           Summary: Loss of change password functionality
           Product: Portable OpenSSH
           Version: -current
          Platform: UltraSparc
        OS/Version: Solaris
            Status: NEW
          Severity: normal
          Priority: P2
         Component: ssh
        AssignedTo: openssh-unix-dev at mindrot.org
        ReportedBy: dirk.bockmann at customs.gov.au


Because of the reported root compromise vunerability we have upgraded  our 
Solaris servers to the latest current version of ssh.   It all works fine 
thanks, except the PAM interface with Solaris.  The impact is that users can no 
longer be notified that their password needs to be changed.  Instead they are 
locked out.  I raised this issue with Sun who are responsible for the PAM which 
appears to be the main offender.  
Their response is shown below:
Sent: Friday, 12 July 2002 17:13
To: dirk.bockmann at customs.gov.au
Subject: 10243779 - Openssh

Dirk,
Previous versions of OpenSSH worked correctly with the Solaris PAM
module up until privsep was added by OpenSSH to overcome a security
vunerability issue. The privsep architecture which has been designed is
not compatible with PAM, and is outside the scope of how PAM is normally
used. ie: It breaks the PAM standard.
An alternative is to upgrade to Solaris 9 which ships with SunSSH (a
product based on OpenSSH which does not have privsep and by default is
not vunerable to the security exploit which privsep resolves). Also, for
your reference if there is any feature in OpenSSH 3.3 or newer which
does not exist in SunSSH you can log a request for enhancement for the
new feature to be included in future releases.

Let me know if you require any further information/assistance.
 
Regards,

Nicholas

Any ideas on where we can progress from here please?  WE are far from being in 
a position to upgrade to Solaris 2.9  many of our machines are still on 2.5.1 
because that is what the applications require.   WOuld appreciate your advice.

Thanks,
       Dirk



------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.