Hi,

We recently updated our grid resources to Globus Toolkit 4.0.7 and also installed the gsi_openssh_bundle-4.3 as described in the following Globus Security Advisory:
http://www.globus.org/mail_archive/security-announce/2008/04/msg00000.html

$> gsissh -V
OpenSSH_5.0p1-hpn13v1 NCSA_GSSAPI_GPT_4.3 GSI, OpenSSL 0.9.7d 17 Mar 2004

In the default configuration with gsi_openssh_bundle-4.3 "UsePrivilegeSeparation" is disabled:

UsePrivilegeSeparation no

In our previous setup, we enabled "UsePrivilegeSeparation" within $GLOBUS_LOCATION/etc/ssh/sshd_config in order to run the forked ssh-processes within the context of the grid-user and not as root.

With the previous version of gsissh,
OpenSSH_4.7p1-hpn12v18 NCSA_GSSAPI_GPT_4.2 GSI, OpenSSL 0.9.7d 17 Mar 2004
the "UsePrivilegeSeparation yes"-option works.

However, using the "UsePrivilegeSeparation yes"-option after the advisory resulted in non-terminating ssh-sessions on one machine, and on a different machine the gsisshd could not be started.

Is there a way to use the advisory (gsi_openssh_bundle-4.3) with "UsePrivilegeSeparation" enabled?

Cheers,
Tobias
