similar to: [Bug 205] PrivSep needs to be a compile-time option

The following is just a simple 'if ANON|SHARE is broken, disable compression'. We don't have time for fancy stuff until we have time for long term testing. I have one friend of mine testing this. Can I get a few other people to test. This is against --current, but maybe work against 3.3p1. Unsure. BTW.. those on NeXT platform (if you have autoreconf) should also test this. this

Significant changes since last patch. Deleted patches to packet.c and channel.c - not needed. Add small patch to sshd.c and openbsd/ssh-cray.c to disable cray process privileges. Depending on how a cray unicos/unicosmk system is configured user could su to root without a password with out this mod. Add no_sco flag to noop check for -lrpc which assumes that their was a -lyp library.

Hi, I've seen a few patches related to the PrivSep works. As far as I can see, it seems to work by using a shared memory segment to communicate. I just want to point out that there are some unix systems that do not have mmap() (SCO, older SVR3 systems) or that might have problems with anonymous shared mmap() (don't have an examples, but e.g. the INN docs are full of warnings concerning

Linux 2.2 (and probably others) have a deficient mmap which has caused a number of problems (e.g. bug #285). A workaround is in development, but it would be helpful to have a configure test to detect the bad mmaps(). Any takers? -d

http://bugzilla.mindrot.org/show_bug.cgi?id=205 Summary: PrivSep needs to be a compile-time option Product: Portable OpenSSH Version: 3.0.2p1 Platform: Other OS/Version: other Status: NEW Severity: critical Priority: P1 Component: Build system AssignedTo: openssh-unix-dev at mindrot.org

Hi, This is included in the release now; any feedback? Privilege separation, or privsep, is method in OpenSSH by which operations that require root privilege are performed by a separate privileged monitor process. Its purpose is to prevent privilege escalation by containing corruption to an unprivileged process. More information is available at:

The next OpenSSH release is close, too. If you want OpenSSH 3.2 to be the best version of OpenSSH, then please test the snapshots. If you like to see new features in future OpenSSH releases, then test the snapshots. If you are running OpenBSD then please test the OpenBSD snapshots. If you are running the portable OpenSSH release then please test the nightly snapshots from

I've been trying to cut down the size of openssh so I can run it on my Nokia 770. One thing which helps a fair amount (and will help even more when I get '-ffunction-sections -fdata-sections --gc-sections' working) is to have the option of compiling out privilege separation... Is it worth me tidying this up and trying to make it apply properly to the OpenBSD version? Does the openbsd

We are heading into a lock here. So we need to get people to test their respective platforms if they wish them to be supported out of the tar file. So if you have any patches you need to ensure your platform works speak up. We are looking at a lock on the 17th. I believe I have an AIX/Cray patch and a Tru64 patch sitting in my mailbox that I'll be looking at soon and more than likely

i think our strategy for privsep is to just keep portable sync'd closely with openbsd's tree, even though things will be broken wrt privsep for many platforms. then we just get primary one's working and work out issues as we go along. i'll start to work on sun and hp-ux again tomorrow.

I upgraded a compiled version of ssh-1.2.27 to a swinstalled depot of OpenSSH_2.5.1p1 on HPUX-11.00. I created links in /usr/local/bin/<ssh program> pointing to /opt/openssh2/bin/<ssh program>. Ssh works. Scp does not. HP support does not support ssh. Below the line you will find the output of a verbose scp command from the server to it self.

OpenBSD tree is heading into a lock and this includes OpenSSH. So we are winding up for a 3.5 release. If we can get people to test the current snapshots and report any problems that would improve the odds that your platform won't be broke for 3.5. Issues I know off of right now. 1. I can't test NeXT. So I TRULY need someone in that community to test for me. Last I heard there was

I just upgraded to OpenSSH3.2.3p1 as it seemed that UsePrivilegeSeparation yes might help with my problem (connections forwarded are owned by root instead of the user I logged in as on the server), but instead, sshd barfs on receiving a connection. Without UsePrivilegeSeparation the server works fine. # strace -o /tmp/sshd.str sshd -d debug1: sshd version OpenSSH_3.2.3p1 debug1: private host

http://bugzilla.mindrot.org/show_bug.cgi?id=367 ------- Additional Comments From wendyp at cray.com 2002-07-23 08:38 ------- Created an attachment (id=134) cray patches ------- You are receiving this mail because: ------- You are the assignee for the bug, or are watching the assignee.

Has anybody got privsep and compression working together on Solaris 2.6 and 2.5.1? I have no problem getting it working under Solaris 8, but on 2.5.1/2.6 it says: # ./sshd -p 6666 This platform does not support both privilege separation and compression Compression disabled -- ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Kevin Currie | |

Has anyone got privsep to work under SCO Openserver? I am testing openssh3.3p1. I have Compression turned off in sshd_config. Here is the error messages that I am getting. sshd[21469]: fatal: mm_send_fd: sendmsg(3): Bad file number sshd[21476]: fatal: mm_receive_fd: recvmsg: expected received 1 got 0 --Sam

Hi, I'm unable to get Kerberos4 authentication working with openssh-3.4p1. I'm getting a message that privsep is not available on my platform (Irix 6.5.15) and another message stating that compression and privsep are mutually exclusive. But, ssh decided to turn off compression, I think because of servconf.c. I think it would be more usefull to have compression enabled and disable privsep

I configure as follows: ./configure --with-zlib=/usr/local/include cc -o sshd sshd.o auth-rhosts.o auth-passwd.o auth-rsa.o auth-rh-rsa.o sshpty.o sshlogin.o servconf.o serverloop.o auth.o auth1.o auth2.o auth-options.o session.o auth-chall.o auth2-chall.o groupaccess.o auth-skey.o auth-bsdauth.o auth2-hostbased.o auth2-kbdint.o auth2-none.o auth2-passwd.o auth2-pubkey.o monitor_mm.o

monitor_mm.c, line = 94 in openssh-SNAP-20020718 A value of type "int" cannot be assigned to an entity of type "void *". address = xmmap(size); ^ -- ayamura Ayamura KIKUCHI, M.D., Ph.D.

Ok.. I'm starting official testing calls early this release. I'd like to have more feedback and more time for handling fixes. If people could test snapshots (http://www.openssh.org/portable.html, pick your favorate mirror and select snapshots directory) and report failures it would be useful. For those with pmake install there is regress/ which you can try out. It may help any platform