Date: 03 Jul 2002 00:41:27 +0200
From: Dag-Erling Smorgrav <des@ofug.org>
To: Mikhail Teterin <mi+mx@aldan.algebra.com>
Cc: security@FreeBSD.org
Subject: Re: two sshd processes per session?
Message-ID: <xzpn0t9ah2g.fsf@flood.ping.uio.no>
In-Reply-To: <200207021829.44485.mi%2Bmx@aldan.algebra.com>
References: <200207021141.34021.mi%2Bmx@aldan.algebra.com> <xzpznx9ajxp.fsf@flood.ping.uio.no> <200207021829.44485.mi%2Bmx@aldan.algebra.com>

Mikhail Teterin <mi+mx@aldan.algebra.com> writes:
> What exactly will break? At least, the w(1)'s output is correct after
> the disconnection -- shell is responsible for that. What else?

pam_close_session() will not run, for one. This could mean for instance that locally cached copies of Kerberos tickets you obtained when you logged in won't be removed. I'm not sure that's a security risk, but it could fill up your /tmp after a while.

Also, protocol version 2 allows multiple ptys per connection (i.e. you can connect to an ssh server and open a shell, then later open a second shell through the same TCP connection). OpenSSH's ssh client doesn't support this, but many other clients do (PuTTY, for instance), and the OpenSSH server does. If you try to do this after having killed the monitor, not only will you not get a second shell but the unprivileged process will probably (I haven't checked the source) log an error and abort, killing your first shell and any tunneled connections you might have.

DES
--
Dag-Erling Smorgrav - des@ofug.org

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message