Displaying 20 results from an estimated 84 matches for "use_privsep".
2006 Jan 08
3
Allow --without-privsep build.
...tocrap?
--- openssh-4.2p1/auth-rhosts.c~ 2005-07-17 08:22:45.000000000 +0100
+++ openssh-4.2p1/auth-rhosts.c 2006-01-07 18:14:32.000000000 +0000
@@ -289,7 +289,9 @@ auth_rhosts2(struct passwd *pw, const ch
auth_debug_reset();
ret = auth_rhosts2_raw(pw, client_user, hostname, ipaddr);
+#ifdef USE_PRIVSEP
if (!use_privsep)
+#endif
auth_debug_send();
return ret;
}
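Review bot: The `#ifdef USE_PRIVSEP` / `#endif` pair encloses only the `if (!use_privsep)` line, so `auth_debug_send();` is the unbraced body of a conditional in one build and a free-standing statement in the other. That works as written, but a statement later inserted between `#endif` and the call would silently become the conditional's body in privsep builds only. If the intent is that a build without privilege separation always sends the debug messages from this process, a comment saying so would help, e.g. `/* --without-privsep: no separate process relays these, so always send here */`. The start of auth_rhosts2 is outside the hunk.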
--- openssh-4.2p1/auth2.c~ 2005-07-17 08:26:44.000000000 +0100
+++ openssh-4.2p1/auth2.c 2006-01-07 18:52:24.000000000 +0000
@@ -175,8 +175,10 @@ input_userauth_request(int type, u_int32
use_privsep ? " [net]" : &qu...
2003 Oct 28
2
Privilege separation
...ff -adurN openssh-3.7.1p2.privsep/auth-options.c openssh-3.7.1p2/auth-options.c
--- openssh-3.7.1p2.privsep/auth-options.c Tue Jun 3 04:25:48 2003
+++ openssh-3.7.1p2/auth-options.c Sat Oct 4 22:54:42 2003
@@ -280,7 +280,9 @@
/* Process the next option. */
}
+#ifndef DISABLE_PRIVSEP
if (!use_privsep)
+#endif /* DISABLE_PRIVSEP */
auth_debug_send();
/* grant access */
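Review bot: The three-line `#ifndef DISABLE_PRIVSEP` guard around `if (!use_privsep)` is repeated verbatim here and in the next hunk at line 292, and the same shape would be needed at any other `auth_debug_send()` call site. Defining the test once, for example a `PRIVSEP_ENABLED()` macro (the name is only a suggestion) that expands to `use_privsep` normally and to `0` under `DISABLE_PRIVSEP`, would reduce each site to `if (!PRIVSEP_ENABLED()) auth_debug_send();` and keep the two build variants from drifting apart. The enclosing function starts and ends outside the hunk.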
@@ -292,7 +294,9 @@
auth_debug_add("Bad options in %.100s file, line %lu: %.50s",
file, linenum, opts);
+#ifndef DISABLE_PRIVSEP
if (!use_privsep)
+#endif /* DISABLE_PRIVSEP */
auth_debug_send();...
2002 Sep 16
2
privsep versus compression
...000000 +0200
[...]
@@ -250,9 +256,19 @@
if (options->authorized_keys_file == NULL)
options->authorized_keys_file = _PATH_SSH_USER_PERMITTED_KEYS;
- /* Turn privilege separation _off_ by default */
+ /* Turn privilege separation on by default */
if (use_privsep == -1)
- use_privsep = 0;
+ use_privsep = 1;
+
+#ifndef HAVE_MMAP
+ if (use_privsep && options->compression == 1) {
+ error("This platform does not support both privilege "
+ "separation and compression"...
2006 Apr 27
0
bug in OpenSSH_4.3p2: pam_open_session() called but not close for root users
For root sessions pam_open_session is called, but not pam_close_session.
sshd behavior is broken for root logins because if pam session
is run from the child, close is never called due to exec:
on open
since use_privsep is not set, parent calls do_exec_pty(),
which does not open session. then, it skips calling do_setusercontext(),
so it does not open session.
child calls do_setusercontext(), which opens session.
on close
child will not close session, because it exec'd the
shell, and the ss...
2007 Jul 21
5
[Bug 1344] New: DISABLE_FD_PASSING does not work if sshd invoked by inetd
http://bugzilla.mindrot.org/show_bug.cgi?id=1344
Summary: DISABLE_FD_PASSING does not work if sshd invoked by
inetd
Product: Portable OpenSSH
Version: 4.6p1
Platform: Other
OS/Version: Other
Status: NEW
Severity: normal
Priority: P2
Component: sshd
AssignedTo: bitbucket at
2002 Jun 25
2
Linux 2.2 + borken mmap() round 1
...#endif
Index: servconf.c
===================================================================
RCS file: /var/cvs/openssh/servconf.c,v
retrieving revision 1.92
diff -u -r1.92 servconf.c
--- servconf.c 23 Jun 2002 21:29:24 -0000 1.92
+++ servconf.c 25 Jun 2002 00:16:12 -0000
@@ -257,7 +257,7 @@
if (use_privsep == -1)
use_privsep = 1;
-#if !defined(HAVE_MMAP) || !defined(MAP_ANON)
+#if !defined(HAVE_MMAP_ANON_SHARED)
if (use_privsep && options->compression == 1) {
error("This platform does not support both privilege "
"separation and compression");
2004 Feb 07
14
[Bug 14] Can't change expired /etc/shadow password without PAM
http://bugzilla.mindrot.org/show_bug.cgi?id=14
dtucker at zip.com.au changed:
What |Removed |Added
----------------------------------------------------------------------------
OtherBugsDependingO| |793
nThis| |
------- You are receiving this mail because: -------
You are on the CC list for
2005 Nov 05
5
[Bug 1113] Add Interix authentication support
http://bugzilla.mindrot.org/show_bug.cgi?id=1113
Summary: Add Interix authentication support
Product: Portable OpenSSH
Version: 4.2p1
Platform: Other
OS/Version: other
Status: NEW
Severity: enhancement
Priority: P2
Component: sshd
AssignedTo: bitbucket at mindrot.org
ReportedBy: tv at
2002 Nov 05
2
[PATCH] Add a chroot_users option to sshd
...nf.c Wed Oct 2 06:09:06 2002
***************
*** 122,127 ****
--- 122,128 ----
options->client_alive_count_max = -1;
options->authorized_keys_file = NULL;
options->authorized_keys_file2 = NULL;
+ options->chroot_users = -1;
/* Needs to be accessable in many places */
use_privsep = -1;
***************
*** 253,258 ****
--- 254,262 ----
if (options->authorized_keys_file == NULL)
options->authorized_keys_file =
_PATH_SSH_USER_PERMITTED_KEYS;
+ if (options->chroot_users == -1)
+ options->chroot_users = 0;
+
/* Turn privilege separation on by default...
2002 Jun 25
1
[Bug 259] UsePrivilegeSeparation crashed sshd under Linux 2.2
...= mmap(NULL, size, PROT_WRITE|PROT_READ, MAP_ANON|MAP_SHARED,
-1, 0);
diff -ur openssh-3.3p1-orig/servconf.c openssh-3.3p1/servconf.c
--- openssh-3.3p1-orig/servconf.c Fri Jun 21 08:20:44 2002
+++ openssh-3.3p1/servconf.c Tue Jun 25 10:06:02 2002
@@ -257,6 +257,7 @@
if (use_privsep == -1)
use_privsep = 1;
+#undef MAP_ANON
#if !defined(HAVE_MMAP) || !defined(MAP_ANON)
if (use_privsep && options->compression == 1) {
error("This platform does not support both privilege "
------- You are receiving this mail becau...
2002 Jun 25
3
3.3p1 patch for Solaris 2.6
here's a patch to 3.3p1 for Solaris 2.6 - it does not handle
mmap() with fd = -1. does it look okay?
itojun
--- work.i386/openssh-3.3p1/servconf.c- Tue Jun 25 23:43:22 2002
+++ work.i386/openssh-3.3p1/servconf.c Tue Jun 25 23:43:33 2002
@@ -257,7 +257,7 @@
if (use_privsep == -1)
use_privsep = 1;
-#if !defined(HAVE_MMAP) || !defined(MAP_ANON)
+#if !defined(HAVE_MMAP)
if (use_privsep && options->compression == 1) {
error("This platform does not support both privilege "
"separation and compression");
--- work.i386/openssh...
2011 Oct 20
2
[Bug 1945] New: Only 1 of the 2 krb cache files is removed on closing the ssh connection with UsePrivilegeSeparation=yes
...ed.
$ ll /tmp/krb5cc*
-rw------- 1 test users 416 Oct 20 14:03
/tmp/krb5cc_243_245
I have tested this on hpux but believe the same behaviour on other OS
as well.
Probable fix is to change the condition in
sshpam_cleanup(void)/auth-pam.c
< if (sshpam_handle == NULL || (use_privsep && !mm_is_monitor()))
---
> if (sshpam_handle == NULL && (use_privsep && !mm_is_monitor()))
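Review bot: Changing `||` to `&&` removes the null-handle guard: when `sshpam_handle` is NULL and the process is the monitor (or privilege separation is off), the condition is false and the rest of sshpam_cleanup would go on with a null PAM handle. It also lets the unprivileged child run the cleanup whenever the handle is set, which the original condition prevented, presumably so that only the monitor ends the PAM transaction. Keeping `if (sshpam_handle == NULL) return;` as its own test, and removing the leftover credential cache in whichever process created it, would address the report without weakening either check. The function body is not shown in the report, so the effect on the statements that follow is inferred.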
--
Configure bugmail: https://bugzilla.mindrot.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are watching the assignee of the bug.
2002 Jun 26
0
IRIX 6.5 patch for Compression with UsePrivilegeSeparation
...ero gives an anonymous memory region. */
+#undef HAVE_MMAP_DEV_ZERO
+
/* Define if sendmsg()/recvmsg() has problems passing file descriptors */
#undef BROKEN_FD_PASSING
--- ./servconf.c Mon Jun 24 23:22:04 2002
+++ ../openssh-3.4p1/./servconf.c Wed Jun 26 17:54:55 2002
@@ -257,7 +257,7 @@
if (use_privsep == -1)
use_privsep = 1;
-#if !defined(HAVE_MMAP_ANON_SHARED)
+#if !defined(HAVE_MMAP_ANON_SHARED) && !defined(HAVE_MMAP_DEV_ZERO)
if (use_privsep && options->compression == 1) {
error("This platform does not support both privilege "
"separation and...
2002 Jun 28
3
AIX usrinfo() cleanup.
Can we do this? Or should we drop the whole char *tty; ? There will
be no way of setting the TTY= correctly while using privsep (Mainly for
multiple streams over single session).
The only thing we really could do is do:
In do_setusercontext()
if (use_privsep)
aix_usrinfo(pw, NULL);
and back in the old spot put:
if (!use_privsep)
aix_usrinfo(pw, s->ttyfd == -1 ? NULL : s->tty);
that should allow users who need TTY set to at least have a working
OpenSSH. Maybe add in a line to INSTALL or README about this issue.
I'm more in favor of tota...
2013 Oct 31
9
[Bug 2167] New: Connection remains when fork() fails.
https://bugzilla.mindrot.org/show_bug.cgi?id=2167
Bug ID: 2167
Summary: Connection remains when fork() fails.
Product: Portable OpenSSH
Version: 5.3p1
Hardware: Other
OS: Linux
Status: NEW
Severity: enhancement
Priority: P5
Component: sshd
Assignee: unassigned-bugs at
2002 Dec 21
6
[PATCH] PAM chauthtok + Privsep
...: %.200s",
pam_retval, PAM_STRERROR(__pamh, pam_retval));
}
+#endif
if (__pamh) {
pam_retval = pam_end(__pamh, pam_retval);
@@ -256,10 +257,8 @@
case PAM_SUCCESS:
/* This is what we want */
break;
-#if 0
case PAM_NEW_AUTHTOK_REQD:
- message_cat(&__pam_msg, use_privsep ?
- NEW_AUTHTOK_MSG_PRIVSEP : NEW_AUTHTOK_MSG);
+ message_cat(&__pam_msg, NEW_AUTHTOK_MSG);
/* flag that password change is necessary */
password_change_required = 1;
/* disallow other functionality for now */
@@ -267,7 +266,6 @@
no_agent_forwarding_flag |= 2;
no_x11...
2008 Sep 15
0
No subject
...ppend_space
in buffer_get
leaving from buffer_get
in buffer_free
?before key_load_private_pem
?returning from key_load_private
?after key_load_private
private host key: #1 type 2 DSA
?before setting protcol version options.protocol=4 ...sensitive_data.have_ssh1_key=0? sensitive_data.have_ssh2_key=1
use_privsep=1
?before get pwnam
?after get pwnam
?before set groups
?before daemon starts
?after daemon starts
before arc4random_stir
before chdir
?before signal
?after signal
?in else condition
AF_INET=2, AF_INET6=10
listen_sock=0ai->ai_family=2,ai->ai_socktype=2,ai->ai_protocol=6
listen_sock=5
Bind...
2017 Mar 20
12
Announce: OpenSSH 7.5 released
OpenSSH 7.5 has just been released. It will be available from the
mirrors listed at http://www.openssh.com/ shortly.
OpenSSH is a 100% complete SSH protocol 2.0 implementation and
includes sftp client and server support. OpenSSH also includes
transitional support for the legacy SSH 1.3 and 1.5 protocols
that may be enabled at compile-time.
Once again, we would like to thank the OpenSSH community
2017 Mar 27
2
Is support being removed for ordinary users to run sshd?
...x 010a2c3..4f9b2c8 100644
> > --- a/sshd.c
> > +++ b/sshd.c
> > @@ -1641,7 +1641,8 @@ main(int ac, char **av)
> >
> > /* Store privilege separation user for later use if required. */
> > if ((privsep_pw = getpwnam(SSH_PRIVSEP_USER)) == NULL) {
> > - if (use_privsep || options.kerberos_authentication)
> > + if ((use_privsep || options.kerberos_authentication)
> > + && (getuid() == 0 || geteuid() == 0))
> > fatal("Privilege separation user %s does not exist",
> > SSH_PRIVSEP_USER);
> > } else {
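Review bot: With the added `getuid() == 0 || geteuid() == 0` test, a non-root sshd whose `SSH_PRIVSEP_USER` lookup fails now continues with `privsep_pw` set to NULL while `use_privsep` may still be non-zero. Every later use of `privsep_pw` then has to tolerate NULL, and the operator gets no indication that the daemon is running without a separate unprivileged account. Consider logging that fact in this branch and documenting it, e.g. `/* non-root: cannot switch users, so a missing privsep account is not fatal; privsep_pw stays NULL */`. main() starts and ends outside the hunk, so the later uses are not visible here.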
&g...
2002 Aug 01
0
Tru64 and OSF/1 Privsep patch
...th-sia.c
--- openssh-3.4p1/auth-sia.c Fri Apr 12 11:36:08 2002
+++ openssh-3.4p1+/auth-sia.c Mon Jul 22 23:34:37 2002
@@ -41,9 +41,11 @@
#include <unistd.h>
#include <string.h>
+/* import */
extern ServerOptions options;
extern int saved_argc;
extern char **saved_argv;
+extern int use_privsep;
extern int errno;
@@ -77,7 +79,7 @@
}
void
-session_setup_sia(char *user, char *tty)
+setup_sia(char *user, char *tty)
{
struct passwd *pw;
SIAENTITY *ent = NULL;
@@ -86,9 +88,8 @@
host = get_canonical_hostname (options.verify_reverse_mapping);
if (sia_ses_init(&ent, saved_argc...