Hello Tobias,

Privilege separation is enabled by default if the sshd user and the /var/empty directory exist and the /var/empty directory is owned by root. More information about OpenSSH's privilege separation is available at:

http://www.citi.umich.edu/u/provos/ssh/privsep.html

On a Debian system, I just did a clean install of GT 4.0.7 then installed the gsi_openssh_bundle-4.3-src.tar.gz update. My default $GLOBUS_LOCATION/etc/ssh/sshd_config contained:

UsePrivilegeSeparation yes

In my tests, gsissh, gsisftp, gsiscp, etc., all appeared to work as expected using the clients and server I just installed.
I see only one entry in the OpenSSH ChangeLog between 4.7 and 5.0 related to privsep:
- (dtucker) [auth-pam.c monitor.c session.c sshd.c] Bug #926: Move pam_open_session and pam_close_session into the privsep monitor, which will ensure that pam_session_close is called as root. Patch from Tomas Mraz.

Could the problem you're seeing be related to the PAM modules you have configured?
When you see non-terminating sessions, what is the client/server verbose/debug output? When the sshd doesn't start, is there an error message?
Please refer to the troubleshooting instructions at:

http://grid.ncsa.uiuc.edu/ssh/ts_client.html
http://grid.ncsa.uiuc.edu/ssh/ts_server.html

That last link recommends testing with 'UsePrivilegeSeparation no'. In your case, I suggest testing both with 'UsePrivilegeSeparation no' and 'UsePrivilegeSeparation yes' and posting the results so we can look for the difference that is causing the problem.
Regards,
Jim

Tobias Scholl wrote:
Hi,

we recently updated our grid resources to Globus Toolkit 4.0.7 and also installed the gsi_openssh_bundle-4.3 as described in the following Globus Security Advisory:

http://www.globus.org/mail_archive/security-announce/2008/04/msg00000.html

$> gsissh -V
OpenSSH_5.0p1-hpn13v1 NCSA_GSSAPI_GPT_4.3 GSI, OpenSSL 0.9.7d 17 Mar 2004

In the default configuration with gsi_openssh_bundle-4.3 "UsePrivilegeSeparation" is disabled:

UsePrivilegeSeparation no

In our previous setup, we enabled "UsePrivilegeSeparation" within $GLOBUS_LOCATION/etc/ssh/sshd_config in order to run the forked ssh-processes within the context of the grid-user and not as root.

With the previous version of gsissh, OpenSSH_4.7p1-hpn12v18 NCSA_GSSAPI_GPT_4.2 GSI, OpenSSL 0.9.7d 17 Mar 2004, the "UsePrivilegeSeparation yes"-option works.

However, using the "UsePrivilegeSeparation yes"-option after the advisory resulted in non-terminating ssh-sessions on one machine and on a different machine the gsisshd could not be started.

Is there a way of using the advisory (gsi_openssh_bundle-4.3) with "UsePrivilegeSeparation" enabled?

Cheers,
Tobias
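Jim's checklist (an sshd account, a root-owned and non-writable /var/empty, and comparing 'UsePrivilegeSeparation yes' against 'no' in otherwise identical configs) as an added shell helper; this is not code from the thread or from the GSI-OpenSSH project. The default user name sshd, the directory /var/empty and the `sshd -t -f` syntax check are assumptions based on what the thread describes.

```shell
#!/bin/sh
# Added example (not from the thread): checks the privilege-separation
# preconditions and derives two sshd_config variants that differ only in
# UsePrivilegeSeparation, for the side-by-side test suggested above.
# Paths and the account name are parameters; the defaults are assumptions.

# sshd needs an unprivileged account to run the pre-authentication child as.
check_privsep_user() {
    id -u "${1:-sshd}" >/dev/null 2>&1
}

# Pure check on stat results: owner must be uid 0 and the chroot directory
# must not be writable by group or other (octal mode digits 2, 3, 6, 7).
privsep_dir_ok() {
    owner="$1"; mode="$2"
    [ "$owner" = "0" ] || return 1
    case "$mode" in
        *[2367]?|*[2367]) return 1 ;;
    esac
    return 0
}

# Stat the real directory (GNU stat first, BSD stat as fallback) and apply the check.
check_privsep_dir() {
    dir="${1:-/var/empty}"
    [ -d "$dir" ] || return 1
    owner=$(stat -c %u "$dir" 2>/dev/null || stat -f %u "$dir")
    mode=$(stat -c %a "$dir" 2>/dev/null || stat -f %OLp "$dir")
    privsep_dir_ok "$owner" "$mode"
}

# Effective value in a config: sshd uses the first occurrence of a keyword,
# and upstream OpenSSH defaults to "yes" when the keyword is absent.
privsep_setting() {
    val=$(awk 'tolower($1)=="useprivilegeseparation" {print tolower($2); exit}' "$1")
    echo "${val:-yes}"
}

# Copy $1 to $2 with UsePrivilegeSeparation forced to $3 and every other
# line kept, so the "yes" and "no" variants differ in exactly one line.
write_privsep_variant() {
    src="$1"; dst="$2"; value="$3"
    { echo "UsePrivilegeSeparation $value"
      awk 'tolower($1)!="useprivilegeseparation"' "$src"
    } > "$dst"
}

# Syntax-check a variant the way sshd would, without starting the daemon.
test_config() {
    sshd -t -f "$1"
}
```

Run `check_privsep_user && check_privsep_dir` before each start attempt; if either fails, sshd will refuse to run with privilege separation enabled regardless of the PAM question.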