PrivSep and SSH1 [Re: patch: contrib/redhat/openssh.spec updates for privsep]

Pekka Savola pekkas at netcore.fi
Tue May 7 15:25:06 EST 2002


Hi,

By the way, I just noticed that PrivSep + SSH1 (+PAM) does not work.

This is probably known already, but PrivSep + SSH1 works for OpenBSD, so 
this may only be some bug.

Connecting log:

[...]
debug1: Host 'netcore.fi' is known and matches the RSA1 host key.
debug1: Found key in /home/oldwolf/.ssh/known_hosts:1
debug1: Encryption type: blowfish
debug1: Sent encrypted session key.
debug1: Installing crc compensation attack detector.
debug1: Received encrypted confirmation.
Connection closed by 193.94.160.1

Server log:

[...]
Connection from ::ffff:130.233.25.176 port 49395
debug1: Client protocol version 1.5; client software version OpenSSH_2.9 FreeBSD localisations 20020307
debug1: match: OpenSSH_2.9 FreeBSD localisations 20020307 pat OpenSSH_2.*,OpenSSH_3.0*,OpenSSH_3.1*
debug1: Local version string SSH-1.99-OpenSSH_3.2.1p1
debug2: Network child is on pid 2016
debug3: preauth child monitor started
debug3: mm_request_receive entering
debug3: privsep user:group 74:74
debug1: PAM establishing creds
debug1: PAM setcred failed[4]: System error                    <=== HMM??
debug1: Sent 768 bit server key and 1024 bit host key.
debug1: Encryption type: blowfish
debug3: mm_request_send entering: type 26
debug3: monitor_read: checking request 26
debug3: mm_request_receive_expect entering: type 27
debug3: mm_request_receive entering
debug3: mm_request_send entering: type 27
debug2: monitor_read: 26 used once, disabling now
debug3: mm_request_receive entering
debug3: mm_ssh1_session_id entering
debug3: mm_request_send entering: type 28
debug1: Received session key; encryption turned on.
debug3: monitor_read: checking request 28
debug3: mm_answer_sessid entering
debug2: monitor_read: 28 used once, disabling now
debug3: mm_request_receive entering
debug1: Installing crc compensation attack detector.
debug3: mm_getpwnamallow entering
debug3: mm_request_send entering: type 6
debug3: mm_getpwnamallow: waiting for MONITOR_ANS_PWNAM
debug3: mm_request_receive_expect entering: type 7
debug3: mm_request_receive entering
debug3: monitor_read: checking request 6
debug3: mm_answer_pwnamallow
debug3: Trying to reverse map address 130.233.25.176.
debug3: mm_answer_pwnamallow: sending MONITOR_ANS_PWNAM: 1
debug3: mm_request_send entering: type 7
debug2: monitor_read: 6 used once, disabling now
debug3: mm_request_receive entering
debug3: mm_start_pam entering
debug3: mm_request_send entering: type 35
debug1: Attempting authentication for pekkas.
debug3: mm_auth_password entering
debug3: mm_request_send entering: type 8
debug3: mm_auth_password: waiting for MONITOR_ANS_AUTHPASSWORD
debug3: mm_request_receive_expect entering: type 9
debug3: mm_request_receive entering
debug3: monitor_read: checking request 35
monitor_read: unsupported request: 35
debug1: Calling cleanup 0x806cee0(0x0)


One comment below.

On Tue, 7 May 2002, Damien Miller wrote:
> On Tue, 7 May 2002, Pekka Savola wrote:
> 
> > Hello!
> > 
> > Now that PrivSep stuff works for PAM too, I took the time to update 
> > contrib/redhat/openssh.spec to create the sshd user and set up the 
> > /var/empty dir when installing the packages.
> > 
> > These have been done the Red Hat style; the uid/gid 74 is currently free 
> > in RHL.
> > 
> > The only minor issues I could think of were:
> >  - I'm not sure if /var/empty should be owned by openssh-server package, 
> > but rather a filesystems package or such...
> 
> Agreed - I was thinking of making it /var/run/empty until such time as
> there is an officially blessed place for it.

A good idea.

-- 
Pekka Savola                 "Tell me of difficulties surmounted,
Netcore Oy                   not those you stumble over and fall"
Systems. Networks. Security.  -- Robert Jordan: A Crown of Swords
