On Sun Aug 11, 2002 at 02:26:39PM -0400, Oden Eriksson wrote:

[...]
> > > Or perhaps just ignore the privsep bsd shit and continue as before?, the
> > > huge security hole is gone anyway...
> >
> > That's the problem.. you can't.  Disabling privsep doesn't remove it
> > from the code.  The introduction of privsep changed some of the
> > fundamental code in openssh; as it's been pointed out before, password
> > aging just doesn't work period in openssh right now, regardless of
> > whether privsep is enabled or not.  So, to continue on as before,
> > would be to downgrade openssh to a pre-privsep version.
>
> Yes I just checked the code and it's pretty hard to remove it, and Theo would
> probably not approve ;)

No, Theo wouldn't approve and would end up bitching me out (again).  =)

> I also checked in their bugzilla, and there's not much regarding this privsep
> bug at all in there from what I could tell.

There should be a whole slew, but probably listed under various
problems with pam.  This is definitely a known issue.  Once I have a
little extra time, I will start fiddling with the cvs version of
openssh and see if they are actually fixing this stuff.

--
MandrakeSoft Security; http://www.mandrakesecure.net/
"lynx -source http://www.freezer-burn.org/bios/vdanen.gpg | gpg --import"
{GnuPG: 1024D/FE6F2AFD : 88D8 0D23 8D4B 3407 5BD7  66F9 2043 D0E5 FE6F 2AFD}