Suggestion: Disable PrivilegeSeparation by default

Rene Klootwijk rene at klootwijk.org
Fri Dec 13 23:55:37 EST 2002


> > - Incompatible with BSM auditing on Solaris
> 
> openssh has no BSM support.
Taken from Bugzilla Bug 125 description: "Note that if BSM is enabled,
the code disables (with a warning) the privilege separation feature.
This is because the audit functions must be done as root, which is
the parent of the two processes, and the data would not flow back down
into the child.  At least, I didn't see any easy way to do it (but I
didn't look all that hard)."
> 
> > - Incompatible with PAM password aging (for this reason??? the code to
> > handle password expiration has been disabled without ANY notice)
> 
> it's not only related to PrivilegeSeparation
What else plays a role? In version 3.1p1 password aging worked
perfectly.
And what about my other point that these kinds of changes should be
noticed very clearly with every new release in order to determine if any
problems will occur after upgrading?
> 
> > - Causes core dumps on HP-UX
> 
> do you have patches?
> 
No, I do not. I did not have the time to have a look at it.




More information about the openssh-unix-dev mailing list