On Fri Aug 02, 2002 at 01:33:08PM +0400, Borsenkow Andrej wrote:

[...]
> > > Hmmm, I thought this was only a server side thing... Does your sshd_config
> > > look like this "UsePrivilegeSeparation no" on the server, and (silly
> > > question) have you restarted the sshd (stop|start)?.
> >
> > Right. privsep is only useful server-side.
> >
>
> I have disabled it on server side. And I have restarted server after it.
> With privsep enabled it fails differently (just closes connection with
> different messages logged).

Yup, you're right... I have been looking at openssh some more and the
privsep code changed the whole pam interaction. With or without privsep,
you'll still have these problems. Solar Designer wrote a patch to 3.4p1
that fixes a lot of this stuff, but it requires additional pam changes
that we don't have. I would like to integrate it since I'm not sure when
3.5 will be out and if it will fix these things, but it requires changing
a lot of stuff. This whole openssh thing is turning into a big PITA.

> [...]
>
> > Right. With privsep disabled, sshd will do all the pam stuff as root
> > which should work just as it always did.
>
> The last problem _was_ with privsep disabled. It still does not work.
> Sorry to ask but have you tested it? Chage user, set password change
> time in the past and try to log in (using public key as in my case).

Yup, you're absolutely right. The way privsep is written changes the way
the whole pam interaction is done. Unfortunately, there is no easy way
around this except to downgrade to a pre-3.3p1 version. =(

-- 
MandrakeSoft Security; http://www.mandrakesecure.net/
"lynx -source http://www.freezer-burn.org/bios/vdanen.gpg | gpg --import"
{GnuPG: 1024D/FE6F2AFD : 88D8 0D23 8D4B 3407 5BD7 66F9 2043 D0E5 FE6F 2AFD}
