On Thu Aug 01, 2002 at 03:16:35PM +0200, Oden Eriksson wrote:

[...]
> > > > > Disable privsep is another way to do it.
> > > >
> > > > that means that sshd in default installation has large bug. If
> >
> > privsep
> >
> > > > results in complete user lockout, then _PLEASE_ disable it by
> >
> > default.
> >
> > > True, and this has been discussed earlier IIRC.
> >
> > Unfortunately disabling privsep still does not work. Now it fails
> > differently but still fails, at least when using the same openssh client
> > version. May be there is something else that must be changed?
> 
> Hmmm, I thought this was only a server side thing... Does your sshd_config 
> look like this "UsePrivilegeSeparation no" on the server, and (silly 
> question) have you restarted the sshd (stop|start)?

Right.  privsep is only useful server-side.

> > bor@cooker% ssh iap-pxy-mow1
> > Enter passphrase for key '/home/bor/.ssh/id_rsa':
> > Enter passphrase for key '/home/bor/.ssh/id_dsa':
> > bor@iap-pxy-mow1's password:
> > Permission denied, please try again.
> > bor@iap-pxy-mow1's password:
> > Received disconnect from x.x.x.x: 2: Too many authentication failures
> > for bor
> 
> ssh -vvv is your friend. I think an ssh key login will override this, have 
> you tried this?

IIRC, no it won't.  ssh keys and password auth still use the same code
as far as PAM is concerned (PAM is trying to determine if the user has
credentials to login; doesn't really matter about the password stuff).

The problem is that when privsep does its authentication, it is
running as the sshd user with no privs.  pam doesn't really like
this.  And especially not when a password change is required.

I'll see what I can come up with after I finish rebuilding openssl for
updates with the ASN.1 fix (that is top priority).  Once I've done
that, I'll see what I can do about this.

> From what I know it doesn't help to pass any privsep stuff using the client.
> 
> Well..., I don't know much about this other than one must keep away from 
> passwd aging (or privsep) until the ssh pam bug is fixed. Sorry...

Right.  With privsep disabled, sshd will do all the pam stuff as root
which should work just as it always did. 

-- 
MandrakeSoft Security; http://www.mandrakesecure.net/
"lynx -source http://www.freezer-burn.org/bios/vdanen.gpg | gpg --import"
{GnuPG: 1024D/FE6F2AFD : 88D8 0D23 8D4B 3407 5BD7  66F9 2043 D0E5 FE6F 2AFD}
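The thread turns on whether the server's sshd_config actually carries "UsePrivilegeSeparation no" (and on the fact that the setting is server-side only). The following is an added example, not code from this thread or from OpenSSH: a small POSIX sh function that reports the effective privsep value of a given sshd_config, taking the first uncommented directive as sshd does and falling back to the compiled-in default of "yes" (OpenSSH 3.3 and later) when the directive is absent. It assumes awk and mktemp are available; the two sample config files are constructed inline so the script runs offline.

```shell
#!/bin/sh
# Added example (not from the thread or OpenSSH): show the effective
# UsePrivilegeSeparation setting of an sshd_config file.

privsep_setting() {
    # $1 is the path to an sshd_config. sshd honours the first occurrence of a
    # keyword, so we print the first uncommented match and stop. Lines starting
    # with '#' never match because $1 would then begin with '#'.
    val=$(awk 'tolower($1) == "useprivilegeseparation" { print tolower($2); exit }' "$1")
    if [ -n "$val" ]; then
        printf '%s\n' "$val"
    else
        # No directive present: OpenSSH 3.3+ defaults privsep to "yes".
        printf 'yes\n'
    fi
}

privsep_disabled() {
    # Convenience wrapper: succeeds (exit 0) when privsep is off in the file.
    [ "$(privsep_setting "$1")" = "no" ]
}

# Constructed sample configs (not any real host's sshd_config).
EXAMPLE_DIR=$(mktemp -d)
printf 'Port 22\n#UsePrivilegeSeparation yes\nUsePrivilegeSeparation no\n' \
    > "$EXAMPLE_DIR/sshd_config.privsep_off"
printf 'Port 22\nPermitRootLogin no\n' \
    > "$EXAMPLE_DIR/sshd_config.privsep_default"

# Stand-alone run: report both files.
for f in "$EXAMPLE_DIR"/sshd_config.*; do
    printf '%s: UsePrivilegeSeparation %s\n' "$f" "$(privsep_setting "$f")"
done
```

Run it against the server's real file (for example `privsep_setting /etc/ssh/sshd_config`) to answer the "does your sshd_config look like this" question without eyeballing the file; a commented-out line does not count, which is the mistake the check is meant to catch. As the thread notes, the change only takes effect after sshd is restarted.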
