On Thu Aug 01, 2002 at 03:02:38PM +0400, Borsenkow Andrej wrote:
> > > 20020426
> > > - (djm) Disable PAM password expiry until a complete fix for bug #188
> > >   exists
> > >
> > > disable where?
> >
> > Disable privsep is another way to do it.
>
> that means that sshd in default installation has a large bug. If privsep
> results in complete user lockout, then _PLEASE_ disable it by default.
There are some little quirks with privsep and pam due to how privsep tries to do the authentication as a non-root user. As soon as a new openssh comes out that fixes this, it will go into updates all over the place.

I'm not comfortable with disabling privsep for a few reasons. For one, it is extremely valuable... it's (to me) an essential feature. And not everyone does password aging (which is the problem here). I would rather have people disable privsep manually if they are using password aging. Unless you know of a way to determine if password aging is "enabled" on a system (so I can work some magic with the %post scripts), I would rather leave privsep enabled. Password aging is used more on servers than workstations, and one would assume that a sysadmin would know how to edit sshd_config and restart the ssh server.

As well, considering how badly the openbsd/openssh teams are fscking things up these days, I think having privsep there is almost essential.

-- 
MandrakeSoft Security; http://www.mandrakesecure.net/
"lynx -source http://www.freezer-burn.org/bios/vdanen.gpg | gpg --import"
{GnuPG: 1024D/FE6F2AFD : 88D8 0D23 8D4B 3407 5BD7 66F9 2043 D0E5 FE6F 2AFD}
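The open question in the message above is how a package %post script could tell whether password aging is in use. The script below is an added example, not code from the thread or from Mandrake's packages: it reads the site default (PASS_MAX_DAYS in login.defs) and the per-account max-days field of a shadow file, checks whether sshd_config leaves privilege separation on, and prints a warning only when both hold. The paths, the threshold of 99999 as the conventional "no expiry" value, and the assumption that an absent UsePrivilegeSeparation directive means "yes" are all assumptions of this example; the sample files it writes are constructed so it runs offline.

```shell
#!/bin/sh
# Added example (not from the list post or from any packager's %post):
# decide whether password aging is in effect and whether sshd runs with
# privilege separation, and warn when both are true.
# Assumptions: 99999 is the "never expires" value for PASS_MAX_DAYS and for
# field 5 of /etc/shadow; an absent UsePrivilegeSeparation line means yes.

# password_aging_enabled [shadow] [login.defs]
# Returns 0 when aging appears to be in effect, 1 otherwise.
password_aging_enabled() {
    shadow="${1:-/etc/shadow}"
    logindefs="${2:-/etc/login.defs}"

    # Site-wide default applied to newly created accounts.
    if [ -r "$logindefs" ]; then
        max=$(awk '$1 == "PASS_MAX_DAYS" { print $2 }' "$logindefs" | tail -n 1)
        if [ -n "$max" ] && [ "$max" -lt 99999 ] 2>/dev/null; then
            return 0
        fi
    fi

    # Per-account setting: field 5 of shadow is max days, empty means no
    # aging. Locked accounts (hash starting with ! or *) are ignored since
    # nobody logs in with them. awk exits 0 only if a match was found.
    if [ -r "$shadow" ]; then
        awk -F: '$2 !~ /^[!*]/ && $5 != "" && $5 + 0 < 99999 { found = 1 }
                 END { exit !found }' "$shadow" && return 0
    fi
    return 1
}

# privsep_enabled [sshd_config]
# Returns 0 when UsePrivilegeSeparation is yes (assumed when the directive
# is absent; lines whose first word starts with # are comments), 1 otherwise.
privsep_enabled() {
    conf="${1:-/etc/ssh/sshd_config}"
    val=yes
    if [ -r "$conf" ]; then
        v=$(awk '$1 !~ /^#/ && tolower($1) == "useprivilegeseparation" { print tolower($2) }' "$conf" | head -n 1)
        [ -n "$v" ] && val="$v"
    fi
    [ "$val" = "yes" ]
}

# warn_if_affected [shadow] [login.defs] [sshd_config]
# Returns 0 and prints a warning to stderr when both conditions hold, 1 otherwise.
warn_if_affected() {
    if password_aging_enabled "$1" "$2" && privsep_enabled "$3"; then
        echo "WARNING: password aging is in use and sshd has UsePrivilegeSeparation yes;" >&2
        echo "PAM password expiry does not work under privsep (bug #188)." >&2
        echo "Set 'UsePrivilegeSeparation no' in sshd_config and restart sshd if you need it." >&2
        return 0
    fi
    return 1
}

# Constructed sample files (not real system data) so the script runs offline.
# alice has a 60-day maximum, and the privsep directive is only commented out,
# so the warning fires.
demo() {
    d=$(mktemp -d)
    printf 'PASS_MAX_DAYS\t99999\n' > "$d/login.defs"
    printf 'root:$1$abc:11900:0:99999:7:::\nalice:$1$def:11900:0:60:7:::\n' > "$d/shadow"
    printf '# UsePrivilegeSeparation no\nPort 22\n' > "$d/sshd_config"
    warn_if_affected "$d/shadow" "$d/login.defs" "$d/sshd_config"
    rc=$?
    rm -rf "$d"
    return $rc
}

demo
```

Run with no arguments in a %post script and the functions fall back to the real /etc/shadow, /etc/login.defs and /etc/ssh/sshd_config; a machine with password aging off or privsep already disabled gets no output, which is the behaviour a packager wants when the sysadmin has already made the choice by hand.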
