search for: privilegesepar

Displaying 20 results from an estimated 32 matches for "privilegesepar".

2002 Dec 13
3
Suggestion: Disable PrivilegeSeparation by default
PrivilegeSeparation seems to be a valuable option, however at its current maturity level it is the cause of several problems. Just to name a few: - Incompatible with BSM auditing on Solaris - Incompatible with PAM password aging (for this reason??? the code to handle password expiration has been disabled without...
2005 Aug 29
4
Conflict between LDAP and Privilege Separation?
Hi all. OpenSSH_4.1p1, OpenSSL 0.9.7g 11 Apr 2005 on Solaris 8 using host-based authentication. With "PrivilegeSeparation yes" and "UsePAM no" everything works as desired. If I enable PAM, I am able to connect, but just before it gives me a shell, it disconnects. If I leave PAM enabled and disable PrivilegeSeparation, it works. Is this a current limitation, or is there something I can try? ---...
2004 Sep 01
2
openssh-3.9p1: no pam_close_session() invocation
...to point to this problem again as I have not seen a reply to my original posting: http://marc.theaimsgroup.com/?l=openssh-unix-dev&m=106458208520320&w=2 and the problem still exists in version 3.9p1. After closing a ssh-session the pam_close_session() function is not invoked. Enabling PrivilegeSeparation (UsePrivilegeSeparation yes) does not help. Could someone acknowledge the problem, or even better, could some openssh developer fix it? With kind regards CB -- Dr. Carsten Benecke, Regionales Rechenzentrum, Universität Hamburg, Schlüterstr. 70, D-20146 Hamburg, Tel.: ++49 40 42838 3097, F...
2005 Apr 20
3
[Bug 1020] PrintLastLog doesn't work for UsePrivilegeseparation yes
http://bugzilla.mindrot.org/show_bug.cgi?id=1020 Summary: PrintLastLog doesn't work for UsePrivilegeseparation yes Product: Portable OpenSSH Version: 4.0p1 Platform: HPPA OS/Version: HP-UX Status: NEW Severity: normal Priority: P2 Component: sshd AssignedTo: openssh-bugs at mindrot.org ReportedBy: senthilku...
2005 Apr 20
1
[Bug 1021] PrintLastLog doesn't work for UsePrivilegeseparation yes
http://bugzilla.mindrot.org/show_bug.cgi?id=1021 Summary: PrintLastLog doesn't work for UsePrivilegeseparation yes Product: Portable OpenSSH Version: 4.0p1 Platform: HPPA OS/Version: HP-UX Status: NEW Severity: normal Priority: P2 Component: sshd AssignedTo: openssh-bugs at mindrot.org ReportedBy: senthilku...
2002 Dec 19
1
OpenUsePrivilegeSeparation on Compaq V5.1A with C2/SIA Security
I'm using OpenSSH_3.5p1 (server protocol 2.0 ) on a Compaq device V5.1A with C2 Security (SIA) configured. I must set UsePrivilegeSeparation to no to get this working. Does anyone have PrivilegeSeparation working on a Compaq device with C2 Security configured? Source device: ssh user at destination ( produces these errors) sshd: /var/tcb/files/__db_lock.share: Permission denied sshd: /var/tcb/files/__db_lock.share: Permission d...
2006 Mar 10
1
PrivSep and PAM environment variable setting
...e, but I couldn't find an answer in the archives. I'm trying to use the PAM "pam_mail.so" module on Linux to set the MAIL environment variable (so I don't have to try to do it in various shell init scripts), but the MAIL setting doesn't get passed through unless I disable PrivilegeSeparation. Is there a way to have PAM set environment variables when PrivSep is enabled? -- Chris Adams <cmadams at hiwaay.net> Systems and Network Administrator - HiWAAY Internet Services I don't speak for anybody but myself - that's enough trouble.
2005 Apr 28
4
[Bug 980] sshd does not write the session leader pid to utmp when priv-separation is enabled
http://bugzilla.mindrot.org/show_bug.cgi?id=980 ------- Additional Comments From senthilkumar_sen at hotpop.com 2005-04-29 00:28 ------- I tried passing SIGTERM to the sshd user process after applying the patch (id=821) and it is not cleaning up the wtmp entries. What would be needed in the patch additionally so that proper pid is passed at the time of cleaning wtmp entries when SIGTERM is
2002 Jul 03
2
--{enable/disable}-suid-ssh removed, rhosts auth gone when UID != 0
Hi, According to ChangeLog someone "(bal)" removed -{enable/disable}-suid-ssh from configure (dating from 2002/06/07). Don't know the reason, probably this has something to do with PrivilegeSeparation. Consequence is: Users with UID != 0 are no longer able to allocate privileged ports, sshd answers "Rhosts Authentication disabled, originating port will not be trusted". Bang, there they sit. :-) Ok, "chmod u+s ssh scp" does help as first aid. My question is: Is SUID...
2005 May 03
5
[Bug 1029] SIGTERM and cleanup of wtmp files
...ion: All Status: NEW Severity: normal Priority: P2 Component: sshd AssignedTo: openssh-bugs at mindrot.org ReportedBy: senthilkumar_sen at hotpop.com SSH is not cleaning up the wtmp files when SIGTERM is passed to user session process with Privilegeseparation disabled. ------- You are receiving this mail because: ------- You are the assignee for the bug, or are watching the assignee.
2004 Jan 13
3
pam_chroot
Has anyone got the pam_chroot module to successfully work in FreeBSD? I have FreeBSD 5.2-RELEASE installed. I copied the appropriate binaries and libraries into my chroot, I can chroot -u test -g test /home/test /usr/local/bin/bash and it works perfectly. So now I am trying to get the pam module to work. I added session required pam_chroot.so debug into the
2016 Jan 03
8
User id for the forwarder ports
Hi, Question: Can a TCP server (running on the same host as the OpenSSH server) know the user id/name of a user forwarding a TCP port ? I.e. if someone on some client machine does ssh -L9999:localhost:9999 someuser at somehost nc localhost 9999 and a service accepts the connection on port localhost:9999 on somehost, can it somehow safely read out the user name "someuser"? Long
2002 Jun 26
2
Problem with openssh on linux 2.0.34 mips
Hi I tried to compile openssh 3.3p1 on a linux 2.0.34 mips system. First I was not able to compile it at all, but then I added the following line to monitor_fdpass.c #define SCM_RIGHTS 0x01 Then it compiled fine, but I am not able to log in. After having entered the password I get the following message in the logfile: Jun 25 20:25:46 raq2 sshd[16129]: fatal: mm_receive_fd: expected type 1 got
2002 Jul 04
0
[Bug 336] New: ssh does not compile on Linux with libc5 and 2.0 kernel
...h/openssh-3.4p1/monitor_fdpass.c:114: undefined reference to `CMSG_FIRSTHDR' /Packages/ssh/openssh-3.4p1/monitor_fdpass.c:118: undefined reference to `CMSG_DATA' make: *** [ssh] Error 1 Commenting out the line /* #define HAVE_CONTROL_IN_MSGHDR 1 */ results in a working version, although PrivilegeSeparation does not work then and you have to disable it in the config file. ------- You are receiving this mail because: ------- You are the assignee for the bug, or are watching the assignee.
2003 Sep 18
1
Problem building OpenSSH on Cobalt Raq2i running standard Linux
Hi everyone, I'm trying to build OpenSSH on my Cobalt Raq2i box which is running the standard Linux installation with all patches installed. I had no problems building OpenSSL v0.9.7b and it installed without problems as well. However, the OpenSSH build keeps failing at a certain point: gcc -g -O2 -Wall -Wpointer-arith -Wno-uninitialized -I. -I. -I/usr/local/ssl/include
2003 Sep 26
1
openssh-3.7.1p2: no pam_close_session() invocation
...() function is forked before the parent calls do_pam_session() (which sets sshpam_session_open to true). pam_close_session() will be invoked by removing surrounding if-statement. Is this a bug? My changes to the default sshd_conf are: 72c72 < UsePAM yes --- > #UsePAM yes 83c83 < UsePrivilegeSeparation no --- > #UsePrivilegeSeparation yes 96c96 < #Subsystem sftp /local/libexec/sftp-server --- > Subsystem sftp /local/libexec/sftp-server By the way: This is a bug in the documentation: The default for UsePAM in 3.7.1p2 is "no" while "#UsePAM yes" i...
2003 Nov 25
2
zlib/openssl/openssh for Solaris
...Subject: Re: zlib missing when installing openssh-3.7.1p2 "Pacelli, Louis M, ALABS" wrote: [snip] > Privilege separation user sshd does not exist > *** Error exit code 255 (ignored) > > Is this OK or is something else wrong? It's a warning. If you're going to use PrivilegeSeparation (which is on by default) you need to create a user for it. The details are in README.privsep. -- Darren Tucker (dtucker at zip.com.au) GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69 Good judgement comes with experience. Unfortunately, the experience usually comes...
2004 Apr 06
1
different PAM/ssh server-session sequences for root and regular users?
Hi I just noticed different sequences of PAM/ssh-session calls. (env: OpenSSH 3.8p1 on Linux with PAM-0.75) The channel 0 (server-session) seems to be started very early for root and after the pam-session is started for regular users. As a result, regular users don't have a tty when the pam-session modules are called. Is this intended? Frank For root: Apr 6 09:53:53 garfield2
2004 Apr 24
1
SCM_RIGHTS problem with openssh-3.8p1 build on Cobalt Raq2
I saw some archived messages which I found via Google in relation to some patches which can be applied to Glibc to fix the SCM_RIGHTS problem when attempting to build openssh on a Cobalt Raq2. Is there a way to retrieve the patches which need to be applied? The list archive search website displays the actual messages which discussed the topic, but I wasn't able to view any of the attachments
2014 Feb 22
2
[Bug 2204] New: gssapi-with-mic and UsePrivilegeSeparation sandbox
https://bugzilla.mindrot.org/show_bug.cgi?id=2204 Bug ID: 2204 Summary: gssapi-with-mic and UsePrivilegeSeparation sandbox Product: Portable OpenSSH Version: 6.4p1 Hardware: amd64 OS: Linux Status: NEW Severity: minor Priority: P5 Component: Kerberos support Assignee: unassigned-bugs at mindrot.org...