As some of you have already noticed and reported, ssh-agent doesn't work quite right when spawned by pam_ssh after the OpenSSH upgrade earlier this week. This is caused by two factors. The first factor is that ssh-agent has become quite pedantic about its operating conditions, in an effort to prevent potential security problems. The second factor is that the credential manipulations pam_ssh does before spawning the agent are slightly wrong - not sufficiently wrong to pose a serious threat, but sufficiently wrong to make ssh-agent suspicious.
In addition to that, there seems to be a problem with the credential manipulation functions I wrote for OpenPAM (which are also used by pam_ssh in -STABLE) which would cause pam_ssh to fail when invoked by a privsep-enabled sshd. This doesn't seem to be much of a problem as few or no users have pam_ssh in their sshd policy (it doesn't make much sense, does it?).

I knew about the first problem before I upgraded OpenSSH in -STABLE, because it had been reported by -CURRENT users and discussed on one of the OpenSSH developer mailing lists. I discovered the second problem while trying out potential workarounds for the first one.

I am working on resolving both issues, and hope to have a solution ready during the weekend. I would also like to apologize for the inconvenience caused by my forgetfulness.

DES
--
Dag-Erling Smorgrav - [EMAIL PROTECTED]