(Reply-To set to openssh-unix-dev only)
Dean Anderson wrote:
On Mon, 26 Jan 2004, Jeffrey Hutzelman wrote:
Sadly, this doesn't make any difference. OpenSSH 3.7.1 and later run PAM
session modules in a subprocess unrelated to the eventual user shell,
That is not correct. Even with privsep, the
Putty 5.3 didn't work with the afs-supplied afs pam module. and 3.7.1p2...
but maybe this can be fixed. Certainly, it's a step.
My point though, is that the openssh should use the system (pam) routines
if it doesn't have any other method negotiated. Presently, it will only
try to directly check th
Really? Are there any links to what was avoided? I'd like to look at
these in detail before I concede that anything of value has been
demonstrated. I've heard these claims before, but I could not find any
substantiating details---the claims are dubious at best.
--Dean
On Tue,
On Tue, 27 Jan 2004 18:58:36 -0500 (EST)
Dean Anderson <[EMAIL PROTECTED]> wrote:
> Nope. OpenSSH 3.7.1p1 works for me with privsep turned off. When privsep
> is turned off, there is no subprocess. 3.7.1p1 has some additional
> breakage, in that if your ssh client doesn't support 'interactive/pam
On Mon, 26 Jan 2004, Jeffrey Hutzelman wrote:
> On Monday, January 26, 2004 17:17:46 -0500 Dean Anderson <[EMAIL PROTECTED]>
> wrote:
>
> > On Mon, 26 Jan 2004, Jeffrey Hutzelman wrote:
> >
> >> Worse, it would not solve the problem. The trouble here is not that AFS
> >> tokens are stored in a
On Mon, 26 Jan 2004, Jeffrey Hutzelman wrote:
> Worse, it would not solve the problem. The trouble here is not that AFS
> tokens are stored in a kernel data structure instead of a file. It's that
> they are indexed by a value which must be set on login, inherited from each
> process by its ch
Jeffrey Hutzelman wrote:
On Monday, January 26, 2004 17:17:46 -0500 Dean Anderson <[EMAIL PROTECTED]>
wrote:
On Mon, 26 Jan 2004, Jeffrey Hutzelman wrote:
Worse, it would not solve the problem. The trouble here is not that AFS
tokens are stored in a kernel data structure instead of a file. It'
Dean Anderson wrote:
> Right. And there is an easy solution: Turn off Privsep. A process that
> creates new user sessions needs root privileges, and those privileges
> cannot be given away prematurely to "improve security". Privsep is just a
> stupid idea for some programs. Probably for most pro
On Monday, January 26, 2004 17:17:46 -0500 Dean Anderson <[EMAIL PROTECTED]>
wrote:
On Mon, 26 Jan 2004, Jeffrey Hutzelman wrote:
Worse, it would not solve the problem. The trouble here is not that AFS
tokens are stored in a kernel data structure instead of a file. It's
that they are indexed
On Monday, January 26, 2004 11:23:34 -0800 "Henry B. Hotz"
<[EMAIL PROTECTED]> wrote:
Isn't the reason this keeps coming up that AFS client doesn't (can't?)
behave like a normal Kerberos application and just get its own service
ticket when it needs one (based on an existing tgt)? The real rea