PrivilegeSeparation seems to be a valuable option, however at its current maturity level it is the cause of several problems. Just to name a few:

- Incompatible with BSM auditing on Solaris
- Incompatible with PAM password aging (for this reason??? the code to handle password expiration has been disabled without ANY notice)
- Causes core dumps on HP-UX

I think PrivilegeSeparation should be disabled by default, and not enabled by default as is the case right now. Even better is to make the PrivilegeSeparation support configurable at compile time, when you do not want it it will not be in the binary. As soon as the PrivilegeSeparation code is mature and does not cause all these problems, it can be enabled by default again.

Another thing, when features such as PAM password aging are no longer supported in new releases (e.g. because the code has been commented out), there should be a clear warning of this. In my case, disabling the PAM password expiry code, resulted in users not being able to change their password and access the system anymore, some weeks after we upgraded from openssh-3.1p1 to openssh-3.4p1.

Regards,
Rene.

On Fri, Dec 13, 2002 at 12:45:20PM +0100, Rene Klootwijk wrote:
> - Incompatible with BSM auditing on Solaris

openssh has no BSM support.

> - Incompatible with PAM password aging (for this reason??? the code to
> handle password expiration has been disabled without ANY notice)

it's not only related to PrivilegeSeparation

> - Causes core dumps on HP-UX

do you have patches?

On Fri, 13 Dec 2002, Rene Klootwijk wrote:
> PrivilegeSeparation seems to be a valuable option, however at its
> current maturity level it is the cause of several problems. Just to name
> a few:
> - Incompatible with BSM auditing on Solaris

Never was officially supported. Required 3rd party patch.

> - Incompatible with PAM password aging (for this reason??? the code to
> handle password expiration has been disabled without ANY notice)

Never was complete. It was a partial implementation while a complete one was being written.

> - Causes core dumps on HP-UX
>

Provide us information. That bug report does us zero good...

> I think PrivilegeSeparation should be disabled by default, and not
> enabled by default as is the case right now. Even better is to make the
> PrivilegeSeparation support configurable at compile time, when you do
> not want it it will not be in the binary. As soon as the
> PrivilegeSeparation code is mature and does not cause all these
> problems, it can be enabled by default again.
>

PrivSep is more mature than any of the above things you are discussing was broken. Personally.. I won't advocate turning it off.

> Another thing, when features such as PAM password aging are no longer
> supported in new releases (e.g. because the code has been commented
> out), there should be a clear warning of this. In my case, disabling the
> PAM password expiry code, resulted in users not being able to change
> their password and access the system anymore, some weeks after we
> upgraded from openssh-3.1p1 to openssh-3.4p1.
>

Never fully worked to start with. It was limited to a few PAM based OSes under the right configuration.

Would be more helpful if you were to provide patches to fix this stuff. Instead of whining. We know our todo list, and that list takes time.

- Ben

> Regards,
> Rene.
>

On Fri, Dec 13, 2002 at 12:45:20PM +0100, Rene Klootwijk wrote:
> PrivilegeSeparation seems to be a valuable option, however at its
> current maturity level it is the cause of several problems. Just to name
> a few:
> - Incompatible with BSM auditing on Solaris

the Sun BSM patch hasn't been integrated due to lack of review, testing and interest.

> - Incompatible with PAM password aging (for this reason??? the code to
> handle password expiration has been disabled without ANY notice)

it was in the ChangeLog, and was disabled due to issues with kerberos PAM modules. also, this is being worked on.

> - Causes core dumps on HP-UX

their pam_unix session module needs root in the trusted case. i don't think it was a core dump, just dumb code in that module. if you have HP support escalate to them, because they didn't seem interested in privsep or fixing this at all.

> I think PrivilegeSeparation should be disabled by default, and not
> enabled by default as is the case right now. Even better is to make the
> PrivilegeSeparation support configurable at compile time, when you do
> not want it it will not be in the binary. As soon as the
> PrivilegeSeparation code is mature and does not cause all these
> problems, it can be enabled by default again.
>
> Another thing, when features such as PAM password aging are no longer
> supported in new releases (e.g. because the code has been commented
> out), there should be a clear warning of this. In my case, disabling the
> PAM password expiry code, resulted in users not being able to change
> their password and access the system anymore, some weeks after we
> upgraded from openssh-3.1p1 to openssh-3.4p1.

you have mentioned two vendors that "support" an openssh, please talk to them.