PrivSep and SSH1 [Re: patch: contrib/redhat/openssh.spec updates for privsep]
Pekka Savola
pekkas at netcore.fi
Tue May 7 15:25:06 EST 2002
Hi,
By the way, I just noticed that PrivSep + SSH1 (+PAM) does not work.
This is probably known already... but PrivSep + SSH1 works for OpenBSD, so
this may only be some bug.
Connecting log:
[...]
debug1: Host 'netcore.fi' is known and matches the RSA1 host key.
debug1: Found key in /home/oldwolf/.ssh/known_hosts:1
debug1: Encryption type: blowfish
debug1: Sent encrypted session key.
debug1: Installing crc compensation attack detector.
debug1: Received encrypted confirmation.
Connection closed by 193.94.160.1
Server log:
[...]
Connection from ::ffff:130.233.25.176 port 49395
debug1: Client protocol version 1.5; client software version OpenSSH_2.9 FreeBSD localisations 20020307
debug1: match: OpenSSH_2.9 FreeBSD localisations 20020307 pat OpenSSH_2.*,OpenSSH_3.0*,OpenSSH_3.1*
debug1: Local version string SSH-1.99-OpenSSH_3.2.1p1
debug2: Network child is on pid 2016
debug3: preauth child monitor started
debug3: mm_request_receive entering
debug3: privsep user:group 74:74
debug1: PAM establishing creds
debug1: PAM setcred failed[4]: System error <=== HMM??
debug1: Sent 768 bit server key and 1024 bit host key.
debug1: Encryption type: blowfish
debug3: mm_request_send entering: type 26
debug3: monitor_read: checking request 26
debug3: mm_request_receive_expect entering: type 27
debug3: mm_request_receive entering
debug3: mm_request_send entering: type 27
debug2: monitor_read: 26 used once, disabling now
debug3: mm_request_receive entering
debug3: mm_ssh1_session_id entering
debug3: mm_request_send entering: type 28
debug1: Received session key; encryption turned on.
debug3: monitor_read: checking request 28
debug3: mm_answer_sessid entering
debug2: monitor_read: 28 used once, disabling now
debug3: mm_request_receive entering
debug1: Installing crc compensation attack detector.
debug3: mm_getpwnamallow entering
debug3: mm_request_send entering: type 6
debug3: mm_getpwnamallow: waiting for MONITOR_ANS_PWNAM
debug3: mm_request_receive_expect entering: type 7
debug3: mm_request_receive entering
debug3: monitor_read: checking request 6
debug3: mm_answer_pwnamallow
debug3: Trying to reverse map address 130.233.25.176.
debug3: mm_answer_pwnamallow: sending MONITOR_ANS_PWNAM: 1
debug3: mm_request_send entering: type 7
debug2: monitor_read: 6 used once, disabling now
debug3: mm_request_receive entering
debug3: mm_start_pam entering
debug3: mm_request_send entering: type 35
debug1: Attempting authentication for pekkas.
debug3: mm_auth_password entering
debug3: mm_request_send entering: type 8
debug3: mm_auth_password: waiting for MONITOR_ANS_AUTHPASSWORD
debug3: mm_request_receive_expect entering: type 9
debug3: mm_request_receive entering
debug3: monitor_read: checking request 35
monitor_read: unsupported request: 35
debug1: Calling cleanup 0x806cee0(0x0)
One comment below.
On Tue, 7 May 2002, Damien Miller wrote:
> On Tue, 7 May 2002, Pekka Savola wrote:
>
> > Hello!
> >
> > Now that PrivSep stuff works for PAM too, I took the time to update
> > contrib/redhat/openssh.spec to create the sshd user and set up the
> > /var/empty dir when installing the packages.
> >
> > These have been done the Red Hat style, the uid/gid 74 is currently free
> > in RHL.
> >
> > The only minor issues I could think of were:
> > - I'm not sure if /var/empty should be owned by openssh-server package,
> > but rather a filesystems package or such..
>
> Agreed - I was thinking of making it /var/run/empty until such time as
> there is an officially blessed place for it.
A good idea.
--
Pekka Savola
Netcore Oy
Systems. Networks. Security.
"Tell me of difficulties surmounted,
not those you stumble over and fall"
-- Robert Jordan: A Crown of Swords
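The server log above ends with the privilege-separation monitor refusing a request ("monitor_read: unsupported request: 35") right after the unprivileged child sent the PAM-start request. The following is an added illustration, not OpenSSH's own code and not a diagnosis of the actual bug: it models how a privsep monitor dispatches child requests through a per-phase allow-list, where one-shot entries are disabled after first use ("26 used once, disabling now") and any request absent from the current table aborts the connection. The request numbers come from the log in the message; the entry names, the table contents and the "fixed" table are assumptions chosen to reproduce the log's outcome.

```c
/* Added example (not OpenSSH's code): a minimal model of how a privilege-
 * separation monitor dispatches requests from the unprivileged child.
 * Each protocol phase has an allow-list of request types; entries flagged
 * MON_ONCE are disabled after first use ("26 used once, disabling now" in
 * the log); anything else is fatal ("unsupported request: 35"). */
#include <stddef.h>

#define MON_ONCE 0x01

struct mon_entry {
    int type;   /* request type number sent by the child */
    int flags;  /* MON_ONCE: may be answered only once per phase */
    int used;   /* set after a MON_ONCE entry has been consumed */
};

/* Request numbers taken from the log in the message above; the names are
 * placeholders (assumptions), not OpenSSH's identifiers. */
#define REQ_SESSKEY   26  /* mm_ssh1_session_key (log: type 26 / 27) */
#define REQ_SESSID    28  /* mm_ssh1_session_id  (log: type 28) */
#define REQ_PWNAM      6  /* mm_getpwnamallow    (log: type 6 / 7) */
#define REQ_AUTHPASS   8  /* mm_auth_password    (log: type 8 / 9) */
#define REQ_PAM_START 35  /* mm_start_pam        (log: type 35) */

/* Hypothetical SSH1 pre-auth table reproducing the failing state: the
 * PAM-start request is not listed, so the monitor refuses it. */
static struct mon_entry ssh1_preauth_broken[] = {
    { REQ_SESSKEY,  MON_ONCE, 0 },
    { REQ_SESSID,   MON_ONCE, 0 },
    { REQ_PWNAM,    MON_ONCE, 0 },
    { REQ_AUTHPASS, 0,        0 },
    { -1, 0, 0 }                       /* sentinel */
};

/* Same hypothetical table with the PAM-start request permitted once. */
static struct mon_entry ssh1_preauth_fixed[] = {
    { REQ_SESSKEY,   MON_ONCE, 0 },
    { REQ_SESSID,    MON_ONCE, 0 },
    { REQ_PWNAM,     MON_ONCE, 0 },
    { REQ_PAM_START, MON_ONCE, 0 },
    { REQ_AUTHPASS,  0,        0 },
    { -1, 0, 0 }
};

enum { MON_OK = 0, MON_UNSUPPORTED = 1, MON_REPLAY = 2 };

/* Model of the monitor's read loop: look the request up in the phase's
 * allow-list. Returns MON_OK, or the reason the monitor would abort. */
static int monitor_dispatch(struct mon_entry *tbl, int type) {
    for (struct mon_entry *e = tbl; e->type != -1; e++) {
        if (e->type != type) continue;
        if (e->used) return MON_REPLAY;        /* one-shot request re-sent */
        if (e->flags & MON_ONCE) e->used = 1;  /* "used once, disabling now" */
        return MON_OK;
    }
    return MON_UNSUPPORTED;                    /* "unsupported request: N" */
}

static void reset_table(struct mon_entry *tbl) {
    for (struct mon_entry *e = tbl; e->type != -1; e++) e->used = 0;
}

/* Replay a request sequence against a table; return the first request type
 * the monitor would refuse, or 0 if the whole sequence is accepted. */
int run_sequence(struct mon_entry *tbl, const int *seq, size_t n) {
    reset_table(tbl);
    for (size_t i = 0; i < n; i++)
        if (monitor_dispatch(tbl, seq[i]) != MON_OK) return seq[i];
    return 0;
}

/* The request order the server log shows the child sending for SSH1+PAM. */
static const int ssh1_pam_login[] = {
    REQ_SESSKEY, REQ_SESSID, REQ_PWNAM, REQ_PAM_START, REQ_AUTHPASS
};

int first_rejected_broken(void) { return run_sequence(ssh1_preauth_broken, ssh1_pam_login, 5); }
int first_rejected_fixed(void)  { return run_sequence(ssh1_preauth_fixed,  ssh1_pam_login, 5); }

/* A child that re-sends a one-shot request (session key twice) is also
 * refused: the allow-list is the monitor's defence against a compromised
 * child replaying privileged operations. */
int replay_rejected(void) {
    static const int replay[] = { REQ_SESSKEY, REQ_SESSKEY };
    return run_sequence(ssh1_preauth_fixed, replay, 2);
}
```

The point of the model is the direction of trust: the monitor never does what the child asks unless the request is on the allow-list for the current phase, and it closes the connection otherwise, which is exactly what the log records when type 35 arrives. A request that is legitimately needed but missing from a phase's table therefore shows up as a hard failure rather than a silent privilege grant.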