SUMMARY: priv separation and OpenSSH vulnerability

From: Bob Vickers (bobv@cs.rhul.ac.uk)
Date: Tue Jun 25 2002 - 11:44:23 EDT


Dear All,

The picture is still rather muddy but I'll summarise what I have been
told so far. Thanks go to several people who replied; I won't give
their names because it has been suggested to me that this could
conceivably compromise their security (unlikely I think, but better
safe than sorry).

The general message was that the OpenSSH Privilege Separation feature
definitely does not work at present if C2 security is enabled, but
reports differ on base security systems. Personally I haven't even
managed to compile the latest version yet, but I'll experiment with
compiler switches. Responses include:

(1)
I was unable to get the priv-sep thing to work under Tru64 version
5.1A; we're running slightly-enhanced security (shadow passwords).
Trying to log in gives the discouraging messages that the user account
is inactive and about not being able to access the TCB. Things work OK
(so far) with "UsePrivilegeSeparation no" in the sshd_config file.

(2)
I am at this very moment trying to install OpenSSH 3.3p1 on a TRU64
4.0F and so far it does not look too promising. In short: it does not
work. I am still trying to figure out what the problem is.

(3)
I built OpenSSH 4.4p1 [I think he means 3.3p1] last night on Tru64
5.1A, after receiving the same notice. Although I haven't experimented
very much, it appears that the privsep feature doesn't work on
Tru64. sshd does work normally if privsep is switched off. I briefly
checked the archives of the openssh developers list, and the Tru64
maintainer says he hasn't been able to give privsep more than a quick
glance so far, and not much help/interest is forthcoming from
Compaq/HP (probably because of their free download of the ssh inc
product). I know I'd still rather have OpenSSH...

(4)
I believe that privsep will work with base security (but I don't have a
base security system here to test). Privsep will _not_ work at this
time with enhanced security.
I've got some time today to try to get privsep working with enhanced
security, so I hope to get it working and get a patch in before the next
release. AFAIK I'm the only person working on it though (at least no
one else has spoken up on openssh-unix-dev and almost); any help would
be welcome. I don't claim to be "the expert" or anything - I just work
on it because I use (and need) OpenSSH.

Regards,
Bob

-- 
==============================================================
Bob Vickers                     R.Vickers@cs.rhul.ac.uk
Dept of Computer Science, Royal Holloway, University of London
WWW:    http://www.cs.rhul.ac.uk/home/bobv

