From owner-freebsd-stable Thu Feb 6 23:56:08 2003
X-URL: http://www.ofug.org/~des/
X-Disclaimer: The views expressed in this message do not necessarily coincide with those of any organisation or company with which I am or have been affiliated.
To: stable@freebsd.org
Subject: Problems with pam_ssh(8) and ssh-agent(1) after the OpenSSH upgrade
From: Dag-Erling Smorgrav
Date: Fri, 07 Feb 2003 08:56:02 +0100
User-Agent: Gnus/5.090014 (Oort Gnus v0.14) Emacs/21.2 (i386--freebsd)

As some of you have already noticed and reported, ssh-agent doesn't work quite right when spawned by pam_ssh after the OpenSSH upgrade earlier this week. This is caused by two factors. The first factor is that ssh-agent has become quite pedantic about its operating conditions, in an effort to prevent potential security problems. The second factor is that the credential manipulations pam_ssh does before spawning the agent are slightly wrong - not sufficiently wrong to pose a serious threat, but sufficiently wrong to make ssh-agent suspicious.
In addition to that, there seems to be a problem with the credential manipulation functions I wrote for OpenPAM (which are also used by pam_ssh in -STABLE) which would cause pam_ssh to fail when invoked by a privsep-enabled sshd. This doesn't seem to be much of a problem as few or no users have pam_ssh in their sshd policy (it doesn't make much sense, does it?).

I knew about the first problem before I upgraded OpenSSH in -STABLE, because it had been reported by -CURRENT users and discussed on one of the OpenSSH developer mailing lists. I discovered the second problem while trying out potential workarounds for the first one.

I am working on resolving both issues, and hope to have a solution ready during the weekend. I would also like to apologize for the inconvenience caused by my forgetfulness.

DES
-- 
Dag-Erling Smorgrav - des@ofug.org
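The message describes ssh-agent refusing to run because the credentials it inherits from pam_ssh are not quite right. The following is an added illustration, written for this page and not code from the message, from pam_ssh, from OpenPAM or from OpenSSH: it shows the kind of sanity check a privilege-sensitive helper can make on its operating conditions (real and effective uid/gid must agree) and a credential switch done in the order that leaves nothing to be suspicious about. The function names `credentials_consistent` and `drop_to_user` are assumptions for illustration; the message does not state exactly which conditions ssh-agent checks.

```c
/* Added example, not code from the message, pam_ssh, OpenPAM or OpenSSH.
 * Names here are assumptions for illustration; the message does not say
 * precisely which conditions ssh-agent has become pedantic about. */
#define _DEFAULT_SOURCE 1
#include <sys/types.h>
#include <grp.h>
#include <stdio.h>
#include <unistd.h>

/* A helper that will hold secrets (such as an agent) should refuse to run
 * if its real and effective ids disagree: that usually means the caller
 * only half-switched identity before exec'ing it.  Returns 1 if the ids
 * agree, 0 otherwise. */
int credentials_consistent(void)
{
    return getuid() == geteuid() && getgid() == getegid();
}

/* Switch completely (real, effective and saved ids) to the given user in
 * the only order that works: supplementary groups, then gid, then uid.
 * Requires root privileges to change to another user.  Returns 0 on success,
 * -1 if any step fails or the resulting ids are not the requested ones. */
int drop_to_user(uid_t uid, gid_t gid)
{
    /* Supplementary groups first: once the uid is no longer 0 this call
     * would be refused, leaving the old group list in place. */
    gid_t groups[1] = { gid };
    if (setgroups(1, groups) != 0)
        return -1;
    /* gid before uid, for the same reason. */
    if (setgid(gid) != 0)
        return -1;
    if (setuid(uid) != 0)
        return -1;
    /* Verify the switch rather than trusting the return values alone. */
    if (getuid() != uid || geteuid() != uid)
        return -1;
    if (getgid() != gid || getegid() != gid)
        return -1;
    return credentials_consistent() ? 0 : -1;
}

/* Stand-alone use: report whether this process would pass the check. */
int main(void)
{
    if (credentials_consistent())
        printf("uid %ld / gid %ld: real and effective ids agree\n",
               (long)getuid(), (long)getgid());
    else
        printf("uid %ld != euid %ld or gid %ld != egid %ld: refusing to run\n",
               (long)getuid(), (long)geteuid(),
               (long)getgid(), (long)getegid());
    return credentials_consistent() ? 0 : 1;
}
```

Run as an ordinary user the program reports that the ids agree; run from a binary or parent that has only changed its effective ids (seteuid without setuid) it reports the mismatch and exits non-zero, which is the behaviour a defender wants from anything that will hold keys in memory.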