search for: privsep

Displaying 20 results from an estimated 576 matches for "privsep".

2002 Jun 24
4
README.privsep
Hi, This is included in the release now; any feedback? Privilege separation, or privsep, is method in OpenSSH by which operations that require root privilege are performed by a separate privileged monitor process. Its purpose is to prevent privilege escalation by containing corruption to an unprivileged process. More information is available at: http://www.citi.umich.edu/u/provos/...
2003 Oct 28
2
Privilege separation
Hello! Please consider including the attached patch in the next release. It allows one to drop privilege separation code while building openssh by using '--disable-privsep' switch of configure script. If one doesn't use privilege separation at all, why don't simply allow him to drop privilege separation support completely? -- Sincerely Your, Dan. -------------- next part -------------- diff -adurN openssh-3.7.1p2.privsep/Makefile.in openssh-3.7.1p...
2006 May 22
5
[Bug 1189] PAM module hangs root logout
http://bugzilla.mindrot.org/show_bug.cgi?id=1189 wknox at mitre.org changed: What |Removed |Added ---------------------------------------------------------------------------- Summary|Stacked PAM modules hang |PAM module hangs root logout |root logout | ------- Comment #12 from wknox at mitre.org 2006-05-22
2002 Jul 02
1
[Bug 329] New: gmake install prefix=... does not work with the privsep-path
http://bugzilla.mindrot.org/show_bug.cgi?id=329 Summary: gmake install prefix=... does not work with the privsep-path Product: Portable OpenSSH Version: -current Platform: MIPS OS/Version: IRIX Status: NEW Severity: normal Priority: P2 Component: Build system AssignedTo: openssh-unix-dev at mindrot.org ReportedBy:...
2002 Sep 04
2
uid transition and post-auth privsep (WAS Re: possible fundamental problem with tru64 patch) (fwd)
What do we loose by not having post-auth privsep? What code is executed between authorization and actual setting of the effective uid? On Tue, 3 Sep 2002, Chris Adams wrote: > Once upon a time, Toni L. Harbaugh-Blackford <harbaugh at nciaxp.ncifcrf.gov> said: > > It appears that the integration of the sia session setup will...
2012 Aug 21
5
Call for testing: OpenSSH 6.1
Hi, OpenSSH 6.1 is almost ready for release, so we would appreciate testing on as many platforms and systems as possible. This release contains a couple of new features and bug fixes. Snapshot releases for portable OpenSSH are available from http://www.mindrot.org/openssh_snap/ The OpenBSD version is available in CVS HEAD: http://www.openbsd.org/anoncvs.html Portable OpenSSH is also available
2004 May 18
2
pam_setcred fails for "USE_POSIX_THREADS + non-root users + PrivSep yes"
...SIX_THREADS in our HP-UX build of OpenSSH. When we connect a non-root user with PAM [pam-kerberos] then I get the following error. debug3: PAM: opening session debug1: PAM: reinitializing credentials PAM: pam_setcred(): Failure setting user credentials This is particularly for non-root users with PrivSep YES. When I connect to a root user with PrivSep YES or to a non-root user with PrivSep NO, then no issues. This is tested on 3.7.1p2 and 3.8.1p1 and two versions behave alike. This is not the case when USE_POSIX_THREADS is disabled and it works for PrivSep yes and no for root and non-root users....
2002 Apr 02
3
PrivSep and portability
Hi, I've seen a few patches related to the PrivSep works. As far as I can see, it seems to work by using a shared memory segment to communicate. I just want to point out that there are some unix systems that do not have mmap() (SCO, older SVR3 systems) or that might have problems with anonymous shared mmap() (don't have an examples, but e.g....
2004 Jun 29
0
Debian bug #236814: sshd+PAM: MOTD isn't printed when privsep=no
Hi. If sshd is configured to use PAM and UsePrivilegeSeparation=no or you are logging is as root, any messages returned by PAM session modules are not displayed to the user. (Even when the config file has privsep=yes, logging in as root disables privsep anyway since there's no point, so it behaves the same way as privsep=no). I think I've figured out why: when privsep=no, do_pam_session is called *after* display_loginmsg, so the PAM messages are stored too late to be displayed to the user. O...
2003 Jan 29
1
Privsep question: can the slave's child make monitor calls?
Hi all. I have a question regarding privsep. Firstly, the following is my understanding of what happens when privsep is enabled: The sshd daemon is running as root listing on 22(a). When a connection is accepted, a child is forked to handle the connection, this child becomes the monitor(b). The monitor forks the pre-auth privsep slave(c...
2006 Oct 07
0
[Bug 939] README.privsep incorrectly says opnessh does not on HP-UX with pam+privsep+trusted mode.
http://bugzilla.mindrot.org/show_bug.cgi?id=939 dtucker at zip.com.au changed: What |Removed |Added ---------------------------------------------------------------------------- Status|RESOLVED |CLOSED ------- Comment #2 from dtucker at zip.com.au 2006-10-07 11:37 ------- Change all RESOLVED bug to CLOSED with the exception
2002 Apr 18
3
privsep no user fatal message
Hello, I updated the latest snapshot as RPM's to two of my systems. Basic stuff seems to be working ok. Privilege separation failed though, possibly because I didn't populate /var/empty with PAM entries. Privsep might be a bit raw in any case, at least for the portable. FWIW, I came across error message 'sshd: no user' and had to scratch my head a bit to figure out what it meant. I suggest changing the order to be more in sync with other similar code paths. Patch attached. -- Pekka Savola...
2024 Jun 03
3
[Bug 3697] New: session.c:709:3: error: call to undeclared function 'PRIVSEP';
https://bugzilla.mindrot.org/show_bug.cgi?id=3697 Bug ID: 3697 Summary: session.c:709:3: error: call to undeclared function 'PRIVSEP'; Product: Portable OpenSSH Version: 9.7p1 Hardware: ARM64 OS: Mac OS X Status: NEW Severity: normal Priority: P5 Component: Build system Assignee: unassigned-bugs at mindrot.org Reporte...
2002 Jul 15
10
Patch: Solaris packages don't create privsep user or group
Hi. Solaris packages created by buildpkg.sh don't create privsep user or group and sshd won't start until they are created (or privsep is disabled): ## Executing postinstall script. starting /usr/local/sbin/sshd... Privilege separation user sshd does not exist /etc/init.d/opensshd: Error 255 starting /usr/local/sbin/sshd... bailing. The attached patch (ag...
2006 Jan 08
3
Allow --without-privsep build.
...ap? --- openssh-4.2p1/auth-rhosts.c~ 2005-07-17 08:22:45.000000000 +0100 +++ openssh-4.2p1/auth-rhosts.c 2006-01-07 18:14:32.000000000 +0000 @@ -289,7 +289,9 @@ auth_rhosts2(struct passwd *pw, const ch auth_debug_reset(); ret = auth_rhosts2_raw(pw, client_user, hostname, ipaddr); +#ifdef USE_PRIVSEP if (!use_privsep) +#endif auth_debug_send(); return ret; } --- openssh-4.2p1/auth2.c~ 2005-07-17 08:26:44.000000000 +0100 +++ openssh-4.2p1/auth2.c 2006-01-07 18:52:24.000000000 +0000 @@ -175,8 +175,10 @@ input_userauth_request(int type, u_int32 use_privsep ? " [net]" : &qu...
2002 Jun 09
3
[Bug 270] PrivSep breaks sshd on AIX for non-root users
http://bugzilla.mindrot.org/show_bug.cgi?id=270 ------- Additional Comments From dtucker at zip.com.au 2002-06-09 19:59 ------- Created an attachment (id=111) sshd output on AIX w/PrivSep ------- You are receiving this mail because: ------- You are the assignee for the bug, or are watching the assignee.
2002 Jul 15
0
[Bug 354] New: sshd with privsep doesn't do pam session setup properly
http://bugzilla.mindrot.org/show_bug.cgi?id=354 Summary: sshd with privsep doesn't do pam session setup properly Product: Portable OpenSSH Version: -current Platform: ix86 OS/Version: Linux Status: NEW Severity: normal Priority: P2 Component: sshd AssignedTo: openssh-unix-dev at m...
2002 Jul 16
3
Solaris privsep and compression.
Has anybody got privsep and compression working together on Solaris 2.6 and 2.5.1? I have no problem getting it working under Solaris 8, but on 2.5.1/2.6 it says: # ./sshd -p 6666 This platform does not support both privilege separation and compression Compression disabled -- ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~...
2002 Jun 27
1
No TTY prealloc; Tru64 can't do post-auth privsep
Well, after digging around and thinking some more, I'm giving up on the idea of preallocating a TTY to get post-auth privsep working on Tru64. I don't think it will work, because just allocating a TTY doesn't fix the problem - there's no valid way to tie that TTY back to the client process (because it hasn't requested a TTY yet and may not ever do so). The problem is that the Tru64 session setup routines...
2006 May 22
9
[Bug 926] pam_session_close called as user or not at all
http://bugzilla.mindrot.org/show_bug.cgi?id=926 ------- Comment #8 from djm at mindrot.org 2006-05-22 15:12 ------- I don't understand - surely the limits should be applied in the *child* process and not the parent process? ------- You are receiving this mail because: ------- You are the assignee for the bug, or are watching the assignee.