OpenUsePrivilegeSeparation on Compaq V5.1A with C2/SIA Security

Darren Tucker dtucker at
Sat Dec 21 01:09:55 EST 2002

Ben Lindstrom wrote:
> No one has successfully shown SIA + Privsep in any configuration.

Toni Harbaugh-Blackford mentioned earlier that SIA requires root and
wants to talk to the user on /dev/tty.

I have a newer version of my previous PAM + privsep patch that fixes the
controlling tty problem with the earlier patch. I'll post it shortly.
The same mechanism might be usable for SIA.

Basically it allocates the tty and passes a descriptor to the monitor
before the slave makes it the controlling tty. This allows the monitor
to fork a child to run do_pam_chauthtok() with the pty as the
controlling tty. The chauthtok child then exits and the slave is free to
acquire the controlling terminal and continue as normal.

Darren Tucker (dtucker at
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4  37C9 C982 80C7 8FF4 FA69
    Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.
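
The hand-off described in the message above, as an added example (not the patch referred to and not OpenSSH code): the slave allocates a pty and passes a descriptor to the monitor over a Unix socket, a forked helper takes it as controlling tty and exits, and only then does the slave acquire it. The names `xfer_fd`, `take_ctty` and `ctty_handoff` are hypothetical, the helper only claims the tty where do_pam_chauthtok() would run, and the code assumes Linux pty behaviour, where descriptors stay usable after the helper's session ends.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdlib.h>
#include <string.h>
#include <sys/ioctl.h>
#include <sys/socket.h>
#include <sys/wait.h>
#include <termios.h>
#include <unistd.h>
/* Send fd (fd >= 0) or receive one (fd < 0) over a Unix socket via SCM_RIGHTS. */
static int xfer_fd(int sock, int fd) {
    union { char buf[CMSG_SPACE(sizeof(int))]; struct cmsghdr align; } u = {0};
    char b = 'x'; struct iovec iov = { &b, 1 };
    struct msghdr m = { .msg_iov = &iov, .msg_iovlen = 1,
                        .msg_control = u.buf, .msg_controllen = sizeof u.buf };
    struct cmsghdr *c = CMSG_FIRSTHDR(&m);
    if (fd >= 0) {
        c->cmsg_level = SOL_SOCKET; c->cmsg_type = SCM_RIGHTS;
        c->cmsg_len = CMSG_LEN(sizeof(int));
        memcpy(CMSG_DATA(c), &fd, sizeof(int));
        return sendmsg(sock, &m, 0) == 1 ? 0 : -1;
    }
    if (recvmsg(sock, &m, 0) != 1 || !(c = CMSG_FIRSTHDR(&m))) return -1;
    memcpy(&fd, CMSG_DATA(c), sizeof(int)); return fd;
}
/* New session, then claim tty; tcgetsid() only succeeds on our controlling tty. */
static int take_ctty(int tty) {
    return setsid() < 0 || ioctl(tty, TIOCSCTTY, 0) < 0 || tcgetsid(tty) != getpid();
}

/* Returns 0 if the monitor's helper, and afterwards the slave, each got the pty. */
int ctty_handoff(void) {
    int sv[2], hst = -1, sst = -1, m, tty;
    char ack; pid_t helper, slave;
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) < 0) return -1;
    if ((slave = fork()) == 0) {               /* slave: allocates the pty */
        if ((m = posix_openpt(O_RDWR | O_NOCTTY)) < 0 || grantpt(m) || unlockpt(m)) _exit(2);
        if ((tty = open(ptsname(m), O_RDWR | O_NOCTTY)) < 0) _exit(3);
        /* pass the descriptor to the monitor, then wait for its helper to finish */
        if (xfer_fd(sv[1], tty) < 0 || read(sv[1], &ack, 1) != 1) _exit(4);
        _exit(take_ctty(tty) ? 5 : 0);         /* only now make it our ctty */
    }
    close(sv[1]); tty = xfer_fd(sv[0], -1);    /* monitor: receives the pty */
    if ((helper = fork()) == 0) _exit(tty < 0 || take_ctty(tty)); /* chauthtok stand-in */
    if (helper > 0) waitpid(helper, &hst, 0);  /* helper's exit frees the tty */
    send(sv[0], "k", 1, MSG_NOSIGNAL);         /* tell the slave to proceed */
    waitpid(slave, &sst, 0);
    close(sv[0]); close(tty);
    return (hst == 0 && sst == 0) ? 0 : 1;
}
```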

More information about the openssh-unix-dev mailing list