Hi,

From: "Michael Stauber"
> The OpenSSH mailing list and OpenSSH bugtracker mention that the
> privilege-separation support for Linux with 2.2.X kernels (and a few other
> architectures) is broken.
>
> So the only RaQ where privilege separation works is the RaQ550. I've run into
> that issue when I built PKGs with OpenSSH-3.3p1 two days ago.

I compiled OpenSSH-3.3p1 today on a RaQ4i. I had to recompile OpenSSL too, because the Cobalt dist had no static libcrypto installed (see below). After this and some option-setting, privilege separation seems to work fine.

The only problem is that the Linux version of my RaQ does not support mmap(MAP_ANON). But this is only needed when you use SSL-compression. Setting the option

  Compression no

in /etc/ssh/sshd_config helps. That is, if you don't need compression.

Information

I compiled OpenSSL from openssl-0.9.6d.tar.gz with options:

  ./config --prefix=/usr --openssldir=/usr/share/ssl shared no-idea -fno-strength-reduce

This overwrote the Cobalt RPM (0.9.6b) version. I had to manually remove /lib/libcrypto.* (which is now installed in /usr/lib).

I compiled OpenSSH from openssh-3.3p1.tar.gz with options:

  ./configure --prefix=/usr --sysconfdir=/etc/ssh --with-pam --with-privsep-user=nobody

With the --with-privsep-user=nobody option there is no need to create an sshd user, as the README.privsep says. I had to create the /var/empty directory according to the instructions.

I think the privsep option is a bit overdone (it drops privs only to pass a lot of stuff to the root process?), but it seems to be necessary because of the upcoming bug report.

My next project will be compiling Apache 2.X, together with mod_perl, a new Perl (needed too), and PHP. After this, I really cannot afford using any Cobalt packages.
I don't use the adminserver any more (that is, for site management). So, it's bye bye Cobalt. Next time I just buy a big server and fix stuff myself. That's a lot quicker and (therefore) safer.

Jelmer
_______________________________________________
cobalt-security mailing list
[EMAIL PROTECTED]
http://list.cobalt.com/mailman/listinfo/cobalt-security
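The message above amounts to a short post-install checklist for a hand-built OpenSSH 3.3p1 with privilege separation on a RaQ: privsep on, Compression off (no mmap(MAP_ANON) on the 2.2 kernel), a root-owned, non-writable /var/empty, and an existing unprivileged user (nobody, so no sshd account). The script below is an added example, not code from the mail or from the OpenSSH project, that checks those four points. The config and directory locations, the "nobody" user, the assumed 3.3p1 defaults (UsePrivilegeSeparation and Compression both default to yes) and the sample config it writes are assumptions/constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the original message: post-install checks for the
# privilege-separation setup described in the mail (OpenSSH 3.3p1 built with
# --with-privsep-user=nobody, /var/empty created by hand, Compression off in
# /etc/ssh/sshd_config). Paths, the privsep user and the sample config are
# assumptions/constructed for this demo.

SSHD_CONFIG="${SSHD_CONFIG:-/etc/ssh/sshd_config}"
PRIVSEP_DIR="${PRIVSEP_DIR:-/var/empty}"
PRIVSEP_USER="${PRIVSEP_USER:-nobody}"

# sshd_opt FILE KEYWORD: print the effective value of a sshd_config keyword.
# Like sshd, the first uncommented match wins; keywords are case-insensitive.
sshd_opt() {
    awk -v key="$2" 'tolower($1) == tolower(key) { print $2; exit }' "$1"
}

# check_privsep_config FILE: privsep must be on and compression off, since the
# compression state needs mmap(MAP_ANON), which the 2.2 kernel lacks.
check_privsep_config() {
    ps=$(sshd_opt "$1" UsePrivilegeSeparation)
    comp=$(sshd_opt "$1" Compression)
    # Assumed 3.3p1 defaults when the keyword is absent: both "yes".
    [ -n "$ps" ] || ps=yes
    [ -n "$comp" ] || comp=yes
    rc=0
    if [ "$ps" != yes ]; then
        echo "UsePrivilegeSeparation is '$ps', expected yes"; rc=1
    fi
    if [ "$comp" != no ]; then
        echo "Compression is '$comp', expected no (no mmap(MAP_ANON) on 2.2)"; rc=1
    fi
    return $rc
}

# check_privsep_dir DIR: the empty chroot directory must exist, be owned by
# root and not be writable by group or others.
check_privsep_dir() {
    dir="$1"
    [ -d "$dir" ] || { echo "$dir missing (mkdir, chown root, chmod 755)"; return 1; }
    set -- $(ls -ldn "$dir")     # $1 = mode string, $3 = numeric owner uid
    [ "$3" -eq 0 ] || { echo "$dir owned by uid $3, expected root"; return 1; }
    case "$1" in
        d????w*|d???????w*) echo "$dir is group/world writable ($1)"; return 1 ;;
    esac
    return 0
}

# check_privsep_user NAME: the unprivileged user must exist (here "nobody",
# which is why no sshd account had to be created).
check_privsep_user() {
    getent passwd "$1" >/dev/null 2>&1 || grep -q "^$1:" /etc/passwd
}

# Demo on a constructed config; the live files are only checked if present.
tmp="${TMPDIR:-/tmp}/sshd_config.$$"
printf 'Port 22\n# Compression yes\nUsePrivilegeSeparation yes\nCompression no\n' > "$tmp"
check_privsep_config "$tmp" && echo "sample config: ok"
rm -f "$tmp"
[ -f "$SSHD_CONFIG" ] && { check_privsep_config "$SSHD_CONFIG" && echo "$SSHD_CONFIG: ok"; }
check_privsep_dir "$PRIVSEP_DIR" && echo "$PRIVSEP_DIR: ok"
check_privsep_user "$PRIVSEP_USER" && echo "user $PRIVSEP_USER: ok"
```

Run it as root on the box after `make install`; each failing check prints what to fix. Only the first uncommented occurrence of a keyword counts, which is how sshd itself reads the file, so a commented-out `# Compression yes` earlier in the file does not mask the real setting.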
