Displaying 20 results from an estimated 10000 matches similar to: "Privsep question: can the slave's child make monitor calls?"
2003 May 12
3
[Bug 560] Privsep child continues to run after monitor killed.
http://bugzilla.mindrot.org/show_bug.cgi?id=560
Summary: Privsep child continues to run after monitor killed.
Product: Portable OpenSSH
Version: -current
Platform: ix86
URL: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=164797
OS/Version: Linux
Status: NEW
Severity: normal
Priority: P2
2002 Dec 10
5
[PATCH] Password expiry with Privsep and PAM
Hi All.
Attached is a patch that implements password expiry with PAM and
privsep. It works by passing a descriptor to the tty to the monitor,
which sets up a child with that tty as stdin/stdout/stderr, then runs
chauthtok(). No setuid helpers.
I used some parts of Michael Steffens' patch (bugid #423) to make it
work on HP-UX.
It's still rough but it works. Tested on Solaris 8 and
2004 Jun 29
0
Debian bug #236814: sshd+PAM: MOTD isn't printed when privsep=no
Hi.
If sshd is configured to use PAM and UsePrivilegeSeparation=no or you
are logging is as root, any messages returned by PAM session modules are
not displayed to the user. (Even when the config file has privsep=yes,
logging in as root disables privsep anyway since there's no point, so it
behaves the same way as privsep=no).
I think I've figured out why: when privsep=no,
2002 Jul 15
10
Patch: Solaris packages don't create privsep user or group
Hi.
Solaris packages created by buildpkg.sh don't create privsep user or
group and sshd won't start until they are created (or privsep is
disabled):
## Executing postinstall script.
starting /usr/local/sbin/sshd... Privilege separation user sshd does not
exist
/etc/init.d/opensshd: Error 255 starting /usr/local/sbin/sshd...
bailing.
The attached patch (against -cvs) ports the relevant
2002 Sep 04
2
uid transition and post-auth privsep (WAS Re: possible fundamental problem with tru64 patch) (fwd)
What do we loose by not having post-auth privsep?
What code is executed between authorization and actual setting of the
effective uid?
On Tue, 3 Sep 2002, Chris Adams wrote:
> Once upon a time, Toni L. Harbaugh-Blackford <harbaugh at nciaxp.ncifcrf.gov> said:
> > It appears that the integration of the sia session setup will either
> > have to be rethought or abandoned
2002 Dec 21
6
[PATCH] PAM chauthtok + Privsep
Hello All.
Attached is an update to my previous patch to make do_pam_chauthtok and
privsep play nicely together.
First, a question: does anybody care about these or the password
expiration patches?
Anyway, the "PRIVSEP(do_pam_hauthtok())" has been moved to just after
the pty has been allocated but before it's made the controlling tty.
This allows the child running chauthtok to
2011 Jun 02
2
preauth privsep logging via monitor
Hi,
This diff (for portable) makes the chrooted preauth privsep process
log via the monitor using a shared socketpair. It removes the need
for /dev/log inside /var/empty and makes mandatory sandboxing of the
privsep child easier down the road (no more socket() syscall required).
Please test.
-d
Index: log.c
===================================================================
RCS file:
2002 Jun 24
4
README.privsep
Hi,
This is included in the release now; any feedback?
Privilege separation, or privsep, is method in OpenSSH by which
operations that require root privilege are performed by a separate
privileged monitor process. Its purpose is to prevent privilege
escalation by containing corruption to an unprivileged process.
More information is available at:
2002 Apr 18
3
privsep no user fatal message
Hello,
I updated the latest snapshot as RPM's to two of my systems. Basic stuff
seems to be working ok.
Privilege separation failed though, possibly because I didn't populate
/var/empty with PAM entries. Privsep might be a bit raw in any case, at
least for the portable.
FWIW, I came across error message 'sshd: no user' and had to scratch my
head a bit to figure out what it
2006 Feb 12
1
sshd double-logging
Hi all.
As Corinna pointed out, there are some cases where sshd will log some
authentications twice when privsep=yes.
This can happen on any platform although it seems most obvious on the
ones that don't do post-auth privsep. It also occurs when sshd logs
to stderr (eg running under daemontools) or when you have a /dev/log in
the privsep chroot.
The patch below attempts to solve this for
2002 Jul 02
1
[Bug 329] New: gmake install prefix=... does not work with the privsep-path
http://bugzilla.mindrot.org/show_bug.cgi?id=329
Summary: gmake install prefix=... does not work with the
privsep-path
Product: Portable OpenSSH
Version: -current
Platform: MIPS
OS/Version: IRIX
Status: NEW
Severity: normal
Priority: P2
Component: Build system
AssignedTo:
2004 May 18
2
pam_setcred fails for "USE_POSIX_THREADS + non-root users + PrivSep yes"
Hello,
We use USE_POSIX_THREADS in our HP-UX build of OpenSSH. When we connect a
non-root user with PAM [pam-kerberos] then I get the following error.
debug3: PAM: opening session
debug1: PAM: reinitializing credentials
PAM: pam_setcred(): Failure setting user credentials
This is particularly for non-root users with PrivSep YES. When I connect to
a root user with PrivSep YES or to a non-root
2002 Jun 22
2
AIX Package build update.
Hello All,
I've updated the AIX package builder (contrib/aix/buildbff.sh). The
changes are below. Please review and commit if OK.
First, a question: Does anyone want SRC (System Resource Controller)
support in the packages? I don't use it but I've been sent an example of
how do do it without modifying sshd itself.
Onto the changes:
* Supports PrivSep. Postinstall will create
2002 Apr 02
3
PrivSep and portability
Hi,
I've seen a few patches related to the PrivSep works. As far as I can
see, it seems to work by using a shared memory segment to communicate.
I just want to point out that there are some unix systems that do not
have mmap() (SCO, older SVR3 systems) or that might have problems with
anonymous shared mmap() (don't have an examples, but e.g. the INN docs
are full of warnings concerning
2002 Aug 30
1
no, I see now, tru64 pty ownership wrong on entry to setup_sia, may need /usr/lbin/chgpt (WAS Re: Tru64 privsep patch testing)
Hi Toni,
I'm sorry, I haven't had much time to work on this today. When I run sshd
(from the patched snapshot) in a debugger, with a breakpoint early in
setup_sia(), this is what I find after connecting with a client:
(1) There are two sshd processes. One is running as root, and the other
as the user I logged with using the client. The root process is the
one in the debugger,
2006 Jan 08
3
Allow --without-privsep build.
I've been trying to cut down the size of openssh so I can run it on my
Nokia 770. One thing which helps a fair amount (and will help even more
when I get '-ffunction-sections -fdata-sections --gc-sections' working)
is to have the option of compiling out privilege separation...
Is it worth me tidying this up and trying to make it apply properly to
the OpenBSD version? Does the openbsd
2024 Jun 03
3
[Bug 3697] New: session.c:709:3: error: call to undeclared function 'PRIVSEP';
https://bugzilla.mindrot.org/show_bug.cgi?id=3697
Bug ID: 3697
Summary: session.c:709:3: error: call to undeclared function
'PRIVSEP';
Product: Portable OpenSSH
Version: 9.7p1
Hardware: ARM64
OS: Mac OS X
Status: NEW
Severity: normal
Priority: P5
Component:
2002 Sep 16
2
privsep versus compression
Hi,
I'm unable to get Kerberos4 authentication working with openssh-3.4p1.
I'm getting a message that privsep is not available on my platform (Irix
6.5.15) and another message stating that compression and privsep are
mutually exclusive. But, ssh decided to turn off compression, I think
because of servconf.c. I think it would be more usefull to have
compression enabled and disable privsep
2015 May 31
2
Call for testing: OpenSSH 6.9
On Sun, May 31, 2015 at 3:37 AM, Ron Frederick <ronf at timeheart.net> wrote:
> On May 29, 2015, at 12:12 AM, Damien Miller <djm at mindrot.org> wrote:
> > OpenSSH 6.9 is almost ready for release, so we would appreciate testing
> > on as many platforms and systems as possible. This release contains
> > some substantial new features and a number of bug fixes.
>
2002 Jul 15
0
[Bug 354] New: sshd with privsep doesn't do pam session setup properly
http://bugzilla.mindrot.org/show_bug.cgi?id=354
Summary: sshd with privsep doesn't do pam session setup properly
Product: Portable OpenSSH
Version: -current
Platform: ix86
OS/Version: Linux
Status: NEW
Severity: normal
Priority: P2
Component: sshd
AssignedTo: openssh-unix-dev at mindrot.org