Suggestion: Disable PrivilegeSeparation by default

Kevin Steves stevesk at pobox.com
Sat Dec 28 11:43:49 EST 2002


On Fri, Dec 13, 2002 at 12:45:20PM +0100, Rene Klootwijk wrote:
> PrivilegeSeparation seems to be a valuable option, however at its
> current maturity level it is the cause of several problems. Just to name
> a few:
> - Incompatible with BSM auditing on Solaris

the Sun BSM patch hasn't been integrated due to lack of review,
testing and interest.

> - Incompatible with PAM password aging (for this reason??? the code to
> handle password expiration has been disabled without ANY notice)

it was in the ChangeLog, and was disabled due to issues with kerberos
PAM modules.

also, this is being worked on.

> - Causes core dumps on HP-UX

their pam_unix session module needs root in the trusted case.  i don't
think it was a core dump, just dumb code in that module.  if you have
HP support escalate to them, because they didn't seem interested in
privsep or fixing this at all.

> I think PrivilegeSeparation should be disabled by default, and not
> enabled by default as is the case right now. Even better is to make the
> PrivilegeSeparation support configurable at compile time, when you do
> not want it it will not be in the binary. As soon as the
> PrivilegeSeparation code it mature and does not cause all these
> problems, it can be enabled by default again.
>  
> Another thing, when features such as PAM password aging are no longer
> supported in new releases (e.g. because the code has been commented
> out), there should be a clear warning of this. In my case, disabling the
> PAM password expiry code, resulted in users not being able to change
> their password and access the system anymore, some weeks after we
> upgraded from openssh-3.1p1 to openssh-3.4p1.

you have mentioned two vendors that "support" an openssh, please talk
to them.
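As an added example that is not part of this thread, the following POSIX shell function reports the effective value of the sshd_config directive the thread calls PrivilegeSeparation (the actual keyword is UsePrivilegeSeparation). It assumes sshd's usual config rules: the first occurrence of a keyword wins, keywords are case-insensitive, `#` starts a comment, and an absent keyword means the option stays at its default, which the thread states is enabled. The sample config files are constructed inline, not taken from any real host.

```shell
#!/bin/sh
# Print the effective UsePrivilegeSeparation value ("yes" or "no") for one
# sshd_config file. Assumptions (standard sshd_config parsing rules):
#   - '#' begins a comment, so commented-out directives are ignored
#   - the keyword is matched case-insensitively
#   - the FIRST occurrence of the keyword is the one sshd uses
#   - if the keyword is absent, the option defaults to "yes"
privsep_setting() {
    cfg="$1"
    val=$(sed -e 's/#.*//' "$cfg" \
        | awk 'tolower($1) == "useprivilegeseparation" { print tolower($2); exit }')
    if [ -n "$val" ]; then
        echo "$val"
    else
        echo "yes"
    fi
}

# Constructed sample configs (hypothetical, created only for this example).
tmp=$(mktemp -d)
# a: the commented-out "no" must not count; the live line says yes
printf 'Port 22\n# UsePrivilegeSeparation no\nUsePrivilegeSeparation yes\n' > "$tmp/a"
# b: first occurrence wins, so this host has privsep disabled
printf 'useprivilegeseparation NO\nUsePrivilegeSeparation yes\n' > "$tmp/b"
# c: keyword absent, so the compiled-in default (yes) applies
printf 'Port 22\n' > "$tmp/c"

# Walk the sample files and flag any host that has turned privsep off.
for f in "$tmp/a" "$tmp/b" "$tmp/c"; do
    setting=$(privsep_setting "$f")
    if [ "$setting" = "no" ]; then
        printf '%s: UsePrivilegeSeparation=%s (disabled, review)\n' "$f" "$setting"
    else
        printf '%s: UsePrivilegeSeparation=%s\n' "$f" "$setting"
    fi
done
```

Running it against a real host means pointing `privsep_setting` at that host's sshd_config path; a "no" result is the case the thread is arguing about, where the sshd process handles network input without the separated unprivileged child.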


