On Wednesday 26 June 2002 03.12, Vincent Danen wrote:
> On Tue Jun 25, 2002 at 01:59:37AM +0200, Oden Eriksson wrote:
> > [...]
> >
> > > I don't think it will. So far it seems to work really good except
> > > there is a problem with the PAM support... currently if you have an
> > > expired password, it will just punt you without giving you an
> > > opportunity to change your password. This is a known bug in 3.3, but
> > > no good workaround/solution exists yet.
> >
> > Oh..., that doesn't sound very nice... Until it works it would be an idea
> > to have "UsePrivilegeSeparation=no" in the sshd_config file?
>
> Probably not a good idea. privsep is the official workaround to an
> undisclosed remote root in openssh; the fix for this hole will be
> available when the information is provided; having privsep enabled
> with some uncomfortable side-effects for a week is a helluvalot more
> comfortable than getting rooted.

As so many times before..., I spoke too soon. Now that I've read more about it I realize the threat.

> If you are tempted to disable privsep, I would encourage you to shut
> off sshd entirely. If that's not possible, use privsep and, as they
> say, grin and bear it.

No, I will use it, there's currently no other option it seems.

> > > > What happened with the idea with a rpm macro update for older distros
> > > > instead of having to maintain backward compatibility in the spec files?
> > >
> > > I could probably put it out today... works really good.
> >
> > Great! Is it system wide or per user (root) based?
>
> system wide. I haven't had a chance to announce it yet, but it's
> already on the FTP sites. It won't show in MandrakeUpdate because it
> is a new package (and only needed for people interested in rebuilding
> srpms).

Very nice, I will check it out ASAP.

> > Oh.., I found another missing file in the openssh package (+ some minor
> > fixes), a patch is attached.
>
> Thanks.. I'll take a look at it shortly. Trying to do my part in
> helping the openssh developers iron out some bugs in the privsep code.

Cool.

Cheers.

--
Regards // Oden Eriksson
Deserve-IT Networks -> http://d-srv.com
