On Mon, 24 Jun 2002, Rick Moen wrote:
> The problem is that (1) de Raadt says enabling privilege separation
> "may break some ssh functionality". de Raadt mentions PAM as a possible
> problem area, and some have interpreted this as meaning that priv sep
> breaks PAM. _But_ understand that de Raadt is just generically
> anti-PAM: Nothing he's said has claimed specific breakage in that area.
> (2) Since priv sep is very new code, it might not work as designed. (3)
> The implication of all this is that the bad guys _may_ already have a
> not-publicly-known exploit and been using it for some time.
>
> I've been running 3.3p on my Debian-testing (3.0 = woody) systems -- and
> with priv sep enabled -- since this morning, with no problems so far.
> Note that Debian 2.2 (I think?) and later has used PAM.
Just a sidebar here: from the MandrakeSoft camp, Vincent Danen has indeed
encountered some problems with PAM and the latest OpenSSH.
Quoting:
==================================================
I don't think it will. So far it seems to work really well except
there is a problem with the PAM support... currently if you have an
expired password, it will just punt you without giving you an
opportunity to change your password. This is a known bug in 3.3, but
no good workaround/solution exists yet.
==================================================
So there seems to be at least one issue with PAM.
> 4. Add this new line to /etc/ssh/sshd_config:
>
> UsePrivilegeSeparation yes
And as I said, when running on kernel 2.2.x:
Compression no
(simply omitting the compression setting is not good enough, as the
default is compression enabled)
Philippine Linux Users Group. Web site and archives at http://plug.linux.org.ph
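
The two sshd_config settings discussed in the thread can be checked mechanically. The script below is an added example, not part of the original messages or of OpenSSH; the function names effective_value and audit_sshd_config are hypothetical, it assumes the whitespace-separated "Keyword value" form shown in the thread, and the caller passes in the kernel release string.

```shell
#!/bin/sh
# Added example, not from the thread: audit an sshd_config for the two settings above.

# Effective value of a keyword. sshd uses the first occurrence of a keyword,
# keywords are case-insensitive, and '#' starts a comment.
effective_value() {  # $1 = config file, $2 = keyword
    awk -v want="$2" '
        { sub(/#.*/, "") }   # drop comments so "#Compression no" does not count
        NF >= 2 && tolower($1) == tolower(want) { print tolower($2); exit }
    ' "$1"
}

# Returns 0 when the file follows the advice in the thread, 1 otherwise.
audit_sshd_config() {  # $1 = config file, $2 = kernel release, e.g. "$(uname -r)"
    cfg=$1
    krel=$2
    rc=0
    privsep=$(effective_value "$cfg" UsePrivilegeSeparation)
    compression=$(effective_value "$cfg" Compression)

    if [ "$privsep" != "yes" ]; then
        echo "FAIL: UsePrivilegeSeparation is '${privsep:-unset}', expected 'yes'"
        rc=1
    fi
    case $krel in
        2.2|2.2.*)
            # An absent setting fails too: per the thread the default is enabled.
            if [ "$compression" != "no" ]; then
                echo "FAIL: kernel $krel needs 'Compression no', found '${compression:-unset}'"
                rc=1
            fi
            ;;
    esac
    if [ "$rc" -eq 0 ]; then echo "OK: $cfg"; fi
    return "$rc"
}

# Constructed sample: priv sep enabled, Compression only present as a comment.
sample=$(mktemp)
printf 'Port 22\nUsePrivilegeSeparation yes\n#Compression no\n' > "$sample"
audit_sshd_config "$sample" 2.2.19 || true
rm -f "$sample"
```

On a live host the call would be audit_sshd_config /etc/ssh/sshd_config "$(uname -r)".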