Suggestion: Disable PrivilegeSeparation by default

Ben Lindstrom mouring at
Sat Dec 14 02:14:41 EST 2002

On Fri, 13 Dec 2002, Rene Klootwijk wrote:

> PrivilegeSeparation seems to be a valuable option, however at its
> current maturity level it is the cause of several problems. Just to name
> a few:
> - Incompatible with BSM auditing on Solaris

Never was officially supported.  Required 3rd party patch.

> - Incompatible with PAM password aging (for this reason??? the code to
> handle password expiration has been disabled without ANY notice)

Never was complete.  It was a partial implementation while a complete one
was being written.

> - Causes core dumps on HP-UX

Provide us information.  That bug report does us zero good...

> I think PrivilegeSeparation should be disabled by default, and not
> enabled by default as is the case right now. Even better is to make the
> PrivilegeSeparation support configurable at compile time, when you do
> not want it, it will not be in the binary. As soon as the
> PrivilegeSeparation code is mature and does not cause all these
> problems, it can be enabled by default again.

PrivSep is more mature than any of the above things you are discussing was
broken.  Personally.. I won't advocate turning it off.

> Another thing, when features such as PAM password aging are no longer
> supported in new releases (e.g. because the code has been commented
> out), there should be a clear warning of this. In my case, disabling the
> PAM password expiry code, resulted in users not being able to change
> their password and access the system anymore, some weeks after we
> upgraded from openssh-3.1p1 to openssh-3.4p1.

Never fully worked to start with.  It was limited to a few PAM based OSes
under the right configuration.

Would be more helpful if you were to provide patches to fix this stuff.
Instead of whining.  We know our todo list, and that list takes time.

- Ben

> Regards,
> Rene.

More information about the openssh-unix-dev mailing list