Date: Tue, 25 Jun 2002 06:53:12 -0400
From: Niels Provos
To: Brian Behlendorf
Cc: security@freebsd.org
Subject: Re: UseLogin and openssh-portable priv separation
Message-ID: <20020625105312.GH15772@citi.citi.umich.edu>
In-Reply-To: <20020624164234.E10398-100000@yez.hyperreal.org>

On Mon, Jun 24, 2002 at 04:49:23PM -0700, Brian Behlendorf wrote:
> I prefer to use UseLogin in sshd_config so I can pick some login.conf
> settings. It appears I needed to turn that off in order to get the
> privilege separation in openssh 3.3 to work, where there's a much smaller
> segment of code that runs root rather than the whole sshd child. Anyone
> know whether it's possible to reconcile the two? Or a reliable way to set
> the MAIL variable for all users, independent of the shells they're
> using, which is all I care about at this point.

If you do UseLogin, that means that you will lose privilege separation
after authentication. The pre-authentication phase is still privilege
separated even with UseLogin enabled.

When I developed privilege separation for OpenSSH, one intent was to make
it work as well as possible even if not all necessary features are
available by an operating system. So, if you do not have anonymous mmaps,
you can turn off compression. If you do not have file descriptor passing,
you lose privilege separation after successful authentication.

Because of the way that login works, you only get pre-authentication
privilege separated. The web page talks some more about that.

Niels.
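
The degradation rules described in the message above, as an added example that is not part of the original post or of OpenSSH: a small Python check that reads an sshd_config and reports which phases stay privilege separated. The function names, the two platform flags and the defaults used for absent keywords are assumptions made for illustration.

```python
# Added example: apply the rules from the message to an sshd_config text.
# Values used when a keyword is absent (assumed defaults, not from the message).
DEFAULTS = {"useprivilegeseparation": "yes", "uselogin": "no", "compression": "yes"}

# Constructed sample configuration, not taken from the thread.
SAMPLE = """\
UsePrivilegeSeparation yes
UseLogin yes
Compression yes
"""

def parse_sshd_config(text):
    """Return {keyword: value}; sshd uses the first value given for a keyword."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) == 2:
            settings.setdefault(parts[0].lower(), parts[1].strip().lower())
    return settings

def privsep_coverage(text, has_anon_mmap=True, has_fd_passing=True):
    """Report which phases stay privilege separated (platform flags are hypothetical)."""
    cfg = {**DEFAULTS, **parse_sshd_config(text)}
    privsep = cfg["useprivilegeseparation"] == "yes"
    use_login = cfg["uselogin"] == "yes"
    notes = []
    if privsep and use_login:
        notes.append("UseLogin yes: only pre-authentication is privilege separated")
    if privsep and not has_fd_passing:
        notes.append("no file descriptor passing: separation is lost after authentication")
    if privsep and not has_anon_mmap and cfg["compression"] != "no":
        notes.append("no anonymous mmap: set Compression no")
    return {
        "pre_auth": privsep,
        "post_auth": privsep and not use_login and has_fd_passing,
        "notes": notes,
    }

if __name__ == "__main__":
    print(privsep_coverage(SAMPLE))
    print(privsep_coverage(SAMPLE, has_anon_mmap=False))
```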