Date: Mon, 6 Sep 2021 09:36:16 -0700
From: Benjamin Kaduk <kaduk@mit.edu>
To: Ed Maste <emaste@freebsd.org>
Cc: FreeBSD Hackers <freebsd-hackers@freebsd.org>
Subject: Re: OpenSSH 8.7p1 update for the base system
Message-ID: <20210906163616.GI96301@kduck.mit.edu>
In-Reply-To: <CAPyFy2BRv5QC%2Bs89oTW5xfECM2bSjs0QCWQ19kRW=PXx0LdQbQ@mail.gmail.com>
References: <CAPyFy2A390kS_C3g=Y9QhQcJ06z_FKUxXsNvi9g2CdWF24pukg@mail.gmail.com>
 <20210905040341.GG96301@kduck.mit.edu>
 <CAPyFy2BRv5QC%2Bs89oTW5xfECM2bSjs0QCWQ19kRW=PXx0LdQbQ@mail.gmail.com>

On Sun, Sep 05, 2021 at 10:42:45AM -0400, Ed Maste wrote:
> On Sun, 5 Sept 2021 at 00:04, Benjamin Kaduk <kaduk@mit.edu> wrote:
> >
> > Hi Ed,
> >
> > I'm not sure whether this would be something for the release notes or not,
> > but I believe that making privilege separation mandatory causes GSSAPI
> > credential delegation to essentially not work.
>
> I think privilege separation became mandatory in 7.5p1, imported in
> d93a896ef959 in 2017. Thus I believe this hasn't been functional for
> quite some time; am I mistaken?

That seems likely; I confess I didn't follow the versioning very closely
across which machines I have to use a workaround on.

> It should still be documented, even if it's well after the fact. I
> think it's also worth trying to fix, although I'm not sure if I will
> have time to work on it.

Fair enough. I don't remember enough about what channels are available for
communicating (sensitive!) information across the UID boundary in sshd, so
I can't really speak to how hard it would be.

Thanks,

Ben