similar to: PrivSep and PAM environment variable setting

Displaying 20 results from an estimated 7000 matches similar to: "PrivSep and PAM environment variable setting"

2002 Jun 27
1
No TTY prealloc; Tru64 can't do post-auth privsep
Well, after digging around and thinking some more, I'm giving up on the idea of preallocating a TTY to get post-auth privsep working on Tru64. I don't think it will work, because just allocating a TTY doesn't fix the problem - there's no valid way to tie that TTY back to the client process (because it hasn't requested a TTY yet and may not ever do so). The problem is that the
2003 Sep 16
1
OpenSSH 3.7p1, PrivSep, and Tru64 broken (sorry)
Well, I had just finally gotten around to downloading a snapshot to test the latest on Tru64 a couple of days ago but hadn't had a chance to build it yet, and 3.7p1 has now been released. Sigh. The problem is that Tru64 setreuid() and setregid() are broken, so privsep doesn't work. This could also be a security problem for SIA authentication in general (any version of OpenSSH on Tru64,
2004 May 18
2
pam_setcred fails for "USE_POSIX_THREADS + non-root users + PrivSep yes"
Hello, We use USE_POSIX_THREADS in our HP-UX build of OpenSSH. When we connect a non-root user with PAM [pam-kerberos] then I get the following error. debug3: PAM: opening session debug1: PAM: reinitializing credentials PAM: pam_setcred(): Failure setting user credentials This is particularly for non-root users with PrivSep YES. When I connect to a root user with PrivSep YES or to a non-root
2002 Dec 13
3
Suggestion: Disable PrivilegeSeparation by default
PrivilegeSeparation seems to be a valuable option, however at its current maturity level it is the cause of several problems. Just to name a few: - Incompatible with BSM auditing on Solaris - Incompatible with PAM password aging (for this reason??? the code to handle password expiration has been disabled without ANY notice) - Causes core dumps on HP-UX I think PrivilegeSeparation should be
2003 Feb 27
0
Update for Tru64 Unix
Here is a long-overdue (sorry about that) patch for Tru64. It is pretty minor mostly (minor formatting and removal of a couple of unneeded calls), and it disables post-auth privsep (so that OpenSSH will work "out of the box" on Tru64, avoiding the many questions). I'm also looking at getting setproctitle working. For Tru64 4.x, it isn't a big deal (normal PS_USE_CLOBBER_ARGV
2004 Nov 10
0
openssh-unix-dev Digest, Vol 19, Issue 8
On Nov 9, 2004, at 10:26 PM, Chris Adams <cmadams at hiwaay.net> wrote: > Message: 4 > Date: Tue, 9 Nov 2004 15:13:36 -0600 > From: Chris Adams <cmadams at hiwaay.net> > Subject: Re: RedHat forks OpenSSH? > To: openssh-unix-dev at mindrot.org > Message-ID: <20041109211336.GC1429068 at hiwaay.net> > Content-Type: text/plain; charset=us-ascii [deletion for
2003 Sep 23
5
PAM sessions and conversation functions
In OpenSSH 3.6.1p2, pam_open_session() ran with a conversation function, do_pam_conversation(), that fed text to the client. In OpenSSH 3.7.1p2, this is no longer the case: session modules run with a conversation function that just returns PAM_CONV_ERR. This means that simple session modules whose job involves printing text on the user's terminal no longer work: pam_lastlog, pam_mail, and
2005 Aug 29
4
Conflict between LDAP and Privilege Separation?
Hi all. OpenSSH_4.1p1, OpenSSL 0.9.7g 11 Apr 2005 on Solaris 8 using host-based authentication. With "PrivilegeSeparation yes" and "UsePAM no" everything works as desired. If I enable PAM, I am able to connect, but just before it gives me a shell, it disconnects. If I leave PAM enabled and disable PrivilegeSeparation, it works. Is this a current limitation, or is there
2004 Nov 08
6
[Bug 951] SSH2 protocol breaks pam chroot auth
http://bugzilla.mindrot.org/show_bug.cgi?id=951 Summary: SSH2 protocol breaks pam chroot auth Product: Portable OpenSSH Version: 3.9p1 Platform: Other URL: --- OS/Version: Linux Status: NEW Severity: major Priority: P2 Component: PAM support AssignedTo: openssh-bugs at mindrot.org
2001 Feb 20
0
Problem with 2.5.1p1 client protocol v2
I have installed 2.5.1p1 on two systems, one running Digital Unix 4.0F and the other running Red Hat Linux 7.0. I am having trouble connecting using the 2.5.1p1 client and the version 2 protocol. Here is a connect attempt from the Linux box (this is after I blew away my ~/.ssh directory to make sure there was no "cruft" in it). Note that this also has the all zero key fingerprint that
2003 May 12
2
[Bug 296] Priv separation does not work on OSF/1
http://bugzilla.mindrot.org/show_bug.cgi?id=296 ------- Additional Comments From dtucker at zip.com.au 2003-05-12 18:42 ------- Can this bug be closed? The ChangeLog seems to indicate that it's been addressed. 20030320 [snip] - (bal) Disable Privsep for Tru64 after pre-authentication due to issues with SIA. Also, clean up of tru64 support patch by Chris Adams <cmadams at
2004 Sep 01
2
openssh-3.9p1: no pam_close_session() invocation
Hello, I would like to point to this problem again as I have not seen a reply to my original posting: http://marc.theaimsgroup.com/?l=openssh-unix-dev&m=106458208520320&w=2 and the problem still exists in version 3.9p1. After closing a ssh-session the pam_close_session() function is not invoked. Enabling PrivilegeSeparation (UsePrivilegeSeparation yes) does not help. Could someone
2008 Jun 13
2
Best Ferrups reporting uptime in minutes, not seconds
I had a power hiccup yesterday and a server connected to a Best Ferrups 18KVA shutdown. The problem is that the UPS is reporting remaining runtime in minutes but nut treats it as seconds (so nut thought it only had 46 seconds left). Simple patch: diff -urN nut-2.2.1-dist/drivers/bestfcom.c nut-2.2.1/drivers/bestfcom.c --- nut-2.2.1-dist/drivers/bestfcom.c 2008-06-13 14:04:07.000000000 -0500
2004 Aug 18
2
Trying regression tests
I know it is just after a release, but I'm trying to see how the regression tests look on Tru64. I hadn't had a chance to really look at them before because I didn't have sudo installed on Tru64 (now I do). Anyway, for the 3.9p1 release, all of them run except for a couple of problems: - agent-ptrace fails; it looks like setgid isn't enough to kill tracing under Tru64, and I
2010 Feb 05
2
Problem with created ~/mail directory
If a user doesn't have a ~/mail directory and logs in, the directory is created for them. However, it is created with insecure permissions, 0770 (full group access). The problem is this bit in src/lib-storage/index/mbox/mbox-storage.c: #define CREATE_MODE 0770 /* umask() should limit it more */ The code then uses CREATE_MODE as an argument to mkdir_parents(), but mkdir_parents()
2008 Feb 06
2
Problem with bestfcom and old Ferrups
I have an old (1997) Best Ferrups (model FE18KVA) that I am trying to monitor for the first time, but all the Best drivers fail to communicate with it. In ups_sync() in bestuferrups.c and bestfcom.c, the "time" command is sent and a one-line response is read. However, on my UPS, that command returns the current time and then prompts for a new time setting. I worked around that by just
2012 Jun 26
2
Modify $TERM from config
The terminal programs (xterm, gnome-terminal, etc.) in Fedora have all supported 256 colors for quite a while, so there's a proposal for Fedora to switch them to using "xterm-256color" for $TERM. One drawback would be when you SSH to another host that doesn't have an up-to-date terminal database and doesn't recognize "xterm-256color" (but does know
2010 Aug 05
3
Odd question: memdisk emulate multiple drives?
Is it possible to have memdisk emulate multiple drives? Here's why I'm asking: I have a Dell server that I replaced the motherboard. I want to reset the service tag to the correct tag for the system, and the only way to do that is to run a Dell tool under DOS. I have downloaded the tool, but it is doubly-wrapped: a self-extracting ZIP file (which I unzipped under Linux) which contains a
2004 Jun 29
0
Debian bug #236814: sshd+PAM: MOTD isn't printed when privsep=no
Hi. If sshd is configured to use PAM and UsePrivilegeSeparation=no or you are logging in as root, any messages returned by PAM session modules are not displayed to the user. (Even when the config file has privsep=yes, logging in as root disables privsep anyway since there's no point, so it behaves the same way as privsep=no). I think I've figured out why: when privsep=no,
2002 Dec 19
1
OpenUsePrivilegeSeparation on Compaq V5.1A with C2/SIA Security
I'm using OpenSSH_3.5p1 (server protocol 2.0 ) on a Compaq device V5.1A with C2 Security (SIA) configured. I must set UsePrivilegeSeparation to no to get this working. Does anyone have PrivilegeSeparation working on a Compaq device with C2 Security configured? Source device: ssh user at destination ( produces these errors) sshd: /var/tcb/files/__db_lock.share: Permission denied sshd: