As some of you have already noticed and reported, ssh-agent doesn't
work quite right when spawned by pam_ssh after the OpenSSH upgrade
earlier this week. This is caused by two factors. The first factor
is that ssh-agent has become quite pedantic about its operating
conditions, in an effort to prevent potential security problems. The
second factor is that the credential manipulations pam_ssh does before
spawning the agent are slightly wrong - not sufficiently wrong to pose
a serious threat, but sufficiently wrong to make ssh-agent suspicious.
In addition to that, there seems to be a problem with the credential
manipulation functions I wrote for OpenPAM (which are also used by
pam_ssh in -STABLE) which would cause pam_ssh to fail when invoked by
a privsep-enabled sshd. This doesn't seem to be much of a problem as
few or no users have pam_ssh in their sshd policy (it doesn't make
much sense, does it?).

I knew about the first problem before I upgraded OpenSSH in -STABLE,
because it had been reported by -CURRENT users and discussed on one of
the OpenSSH developer mailing lists. I discovered the second problem
while trying out potential workarounds for the first one. I am
working on resolving both issues, and hope to have a solution ready
during the weekend. I would also like to apologize for the
inconvenience caused by my forgetfulness.

DES
--
Dag-Erling Smorgrav - [EMAIL PROTECTED]