> > On Thu Aug 01, 2002 at 03:16:35PM +0200, Oden Eriksson wrote: > > [...] > > > > > > Disable privsep is another way to do it. > > > > > > > > > > that means that sshd in default installation has large bug. If > > > > > > privsep > > > > > > > > results in complete user lockout, then _PLEASE_ disable it by > > > > > > default. > > > > > > > True, and this has been discussed earlier IIRC. > > > > > > Unfortunately disabling privsep still does not wotk. Now it fails > > > differently but still fails, at lest when using the same openssh > client > > > version. May be there is something else that must be changed? > > > > Hmmm, I thought this was only a server side thing... Does your > sshd_config > > look like this "UsePrivilegeSeparation no" on the server, and (silly > > question) have you restarted the sshd (stop|start)?. > > Right. privsep is only useful server-side. >
I have disabled it on server side. And I have restarted server after it. With privsep enabled it fails differently (just closes connection with different messages logged). [...] > Right. With privsep disabled, sshd will do all the pam stuff as root > which should work just as it always did. > The last problem _was_ with privsep disabled. It still does not work. Sorry to ask but have you tested it? Chage user, set password change time in the past and try to log in (using public key as in my case). -andrej
