On Friday, 9 August 2002 16.28 Vincent Danen wrote:
> On Fri Aug 09, 2002 at 07:33:09PM -0400, Oden Eriksson wrote:
> > [...]
> >
> > > > The last problem _was_ with privsep disabled. It still does not work.
> > > > Sorry to ask but have you tested it? Chage user, set password change
> > > > time in the past and try to log in (using public key as in my case).
> > >
> > > Yup, you're absolutely right. The way privsep is written changes the
> > > way the whole pam interaction is done.
> > >
> > > Unfortunately, there is no easy way around this except to downgrade to
> > > a pre-3.3p1 version. =(
> >
> > Or perhaps just ignore the privsep bsd shit and continue as before?, the
> > huge security hole is gone anyway...
>
> That's the problem.. you can't. Disabling privsep doesn't remove it
> from the code. The introduction of privsep changed some of the
> fundamental code in openssh; as it's been pointed out before, password
> aging just doesn't work period in openssh right now, regardless of
> whether privsep is enabled or not. So, to continue on as before,
> would be to downgrade openssh to a pre-privsep version.

Yes I just checked the code and it's pretty hard to remove it, and Theo would
probably not approve ;) I also checked in their bugzilla, and there's not much
regarding this privsep bug at all in there from what I could tell.

--
Regards // Oden Eriksson
Deserve-IT Networks -> http://d-srv.com
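An added example, not part of the original thread and not OpenSSH code: because the messages above report that sshd does not enforce password aging in these versions, an administrator can list the accounts whose shadow aging fields are already overdue and therefore depend on that enforcement. The function name, the sample entries and the day value are constructed for illustration; the field layout follows shadow(5).

```python
import time

SECONDS_PER_DAY = 86400

# Constructed sample in /etc/shadow layout:
# name:hash:lastchg:min:max:warn:inactive:expire:reserved (dates in days since epoch)
SAMPLE_SHADOW = """\
root:$1$constructed$hash:11800:0:99999:7:::
alice:$1$constructed$hash:11700:0:90:7:::
bob:$1$constructed$hash:0:0:99999:7:::
carol:$1$constructed$hash:11900:0:90:7::11850:
daemon:*:11800:0:99999:7:::
"""
SAMPLE_TODAY = 11908  # constructed "today", in days since the epoch


def _int_or_none(field):
    """Empty shadow fields mean 'feature disabled', so map them to None."""
    return int(field) if field.strip() else None


def aging_violations(shadow_text, today=None):
    """Return {user: reason} for entries whose aging data is already overdue."""
    if today is None:
        today = int(time.time() // SECONDS_PER_DAY)
    findings = {}
    for line in shadow_text.splitlines():
        fields = line.strip().split(":")
        if len(fields) < 8 or not fields[0] or fields[0].startswith("#"):
            continue  # blank, comment or malformed line
        user = fields[0]
        try:
            lastchg, maxage, expire = (_int_or_none(fields[i]) for i in (2, 4, 7))
        except ValueError:
            findings[user] = "unparseable aging fields"
            continue
        if expire is not None and today >= expire:
            findings[user] = "account expired"
        elif lastchg == 0:
            findings[user] = "password change forced at next login"
        elif lastchg is not None and maxage is not None and today - lastchg > maxage:
            findings[user] = "password expired"
    return findings


if __name__ == "__main__":
    for user, reason in sorted(aging_violations(SAMPLE_SHADOW, SAMPLE_TODAY).items()):
        print(f"{user}: {reason}")
```

The password hash field is deliberately ignored, since the case tested in the thread is a public key login.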
