Date: Fri, 07 Feb 2003 08:56:02 +0100
From: Dag-Erling Smorgrav <des@ofug.org>
To: stable@freebsd.org
Subject: Problems with pam_ssh(8) and ssh-agent(1) after the OpenSSH upgrade
Message-ID: <xzpk7gcplrh.fsf@flood.ping.uio.no>

As some of you have already noticed and reported, ssh-agent doesn't work quite right when spawned by pam_ssh after the OpenSSH upgrade earlier this week. This is caused by two factors.

The first factor is that ssh-agent has become quite pedantic about its operating conditions, in an effort to prevent potential security problems. The second factor is that the credential manipulations pam_ssh does before spawning the agent are slightly wrong - not sufficiently wrong to pose a serious threat, but sufficiently wrong to make ssh-agent suspicious.

In addition to that, there seems to be a problem with the credential manipulation functions I wrote for OpenPAM (which are also used by pam_ssh in -STABLE) which would cause pam_ssh to fail when invoked by a privsep-enabled sshd. This doesn't seem to be much of a problem as few or no users have pam_ssh in their sshd policy (it doesn't make much sense, does it?).

I knew about the first problem before I upgraded OpenSSH in -STABLE, because it had been reported by -CURRENT users and discussed on one of the OpenSSH developer mailing lists. I discovered the second problem while trying out potential workarounds for the first one.

I am working on resolving both issues, and hope to have a solution ready during the weekend. I would also like to apologize for the inconvenience caused by my forgetfulness.

DES
-- 
Dag-Erling Smorgrav - des@ofug.org

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-stable" in the body of the message