privsep versus compression
Martin MOKREJŠ
mmokrejs at natur.cuni.cz
Tue Sep 17 01:46:15 EST 2002
Hi,
I'm unable to get Kerberos4 authentication working with openssh-3.4p1.
I'm getting a message that privsep is not available on my platform (Irix
6.5.15) and another message stating that compression and privsep are
mutually exclusive. But ssh decided to turn off compression, I think
because of servconf.c. I think it would be more useful to have
compression enabled and disable privsep as the encryption is almost
useless when data is not compressed first. I think compression should
never be disabled otherwise Kerberos will be also effectively disabled.
Any opinions?
Below I'm just showing the section I'm talking about. It's not a PATCH
to be applied. ;)
diff -u -w -r openssh-3.2.3p1/servconf.c openssh/servconf.c
--- openssh-3.2.3p1/servconf.c 2002-05-15 23:37:34.000000000 +0200
+++ openssh/servconf.c 2002-09-05 06:35:15.000000000 +0200
[...]
@@ -250,9 +256,19 @@
if (options->authorized_keys_file == NULL)
options->authorized_keys_file = _PATH_SSH_USER_PERMITTED_KEYS;
- /* Turn privilege separation _off_ by default */
+ /* Turn privilege separation on by default */
if (use_privsep == -1)
- use_privsep = 0;
+ use_privsep = 1;
+
+#ifndef HAVE_MMAP
+ if (use_privsep && options->compression == 1) {
+ error("This platform does not support both privilege "
+ "separation and compression");
+ error("Compression disabled");
+ options->compression = 0;
+ }
+#endif
+
}
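Review bot: the `#ifndef HAVE_MMAP` block cannot tell whether `use_privsep` was set by the administrator or only defaulted to 1 by the lines just above it, so on a platform without mmap a configured `options->compression == 1` is overridden by a default nobody chose. Consider recording that the value was defaulted, and make the message say which setting won and how to get the other one (UsePrivilegeSeparation no) instead of the bare "Compression disabled". Two error() calls are also heavy for a configuration adjustment that is not a failure; a single lower-severity message would do, and the new default plus this restriction should be documented alongside the option.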
[...]
diff -u -w -r openssh-3.2.3p1/session.c openssh/session.c
--- openssh-3.2.3p1/session.c 2002-05-13 02:48:58.000000000 +0200
+++ openssh/session.c 2002-09-04 08:45:10.000000000 +0200
[...]
@@ -165,8 +252,8 @@
Session *s;
char *command;
int success, type, screen_flag;
- int compression_level = 0, enable_compression_after_reply = 0;
- u_int proto_len, data_len, dlen;
+ int enable_compression_after_reply = 0;
+ u_int proto_len, data_len, dlen, compression_level = 0;
s = session_new();
s->authctxt = authctxt;
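Review bot: `compression_level` changes from int to u_int by being folded into the `proto_len, data_len, dlen` declaration, with no comment explaining the signedness change. Give it its own declaration line and check every use: any lower-bound comparison on it no longer catches negative values, and the call ending in `compression_level);` in the following hunk needs an unsigned conversion if it formats the value with %d.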
@@ -192,6 +279,10 @@
compression_level);
break;
}
+ if (!options.compression) {
+ debug2("compression disabled");
+ break;
+ }
/* Enable compression after we have responded with SUCCESS. */
enable_compression_after_reply = 1;
success = 1;
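Review bot: the new `if (!options.compression)` test sits after the block that validates `compression_level`, so with compression disabled a client that sends a bad level gets the level message and never the "compression disabled" one. Move the test ahead of the level validation so the policy decision is made first. The refusal is also logged only at debug2 before breaking out ahead of `success = 1`, which leaves an administrator with no visible reason for the failed request at normal log levels; a higher level would make the servconf.c override traceable from the session side.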
[...]
--
Martin Mokrejs <mmokrejs at natur.cuni.cz>, <m.mokrejs at gsf.de>
PGP5.0i key is at http://www.natur.cuni.cz/~mmokrejs
MIPS / Institute for Bioinformatics <http://mips.gsf.de>
GSF - National Research Center for Environment and Health
Ingolstaedter Landstrasse 1, D-85764 Neuherberg, Germany
tel.: +49-89-3187 3683 , fax: +49-89-3187 3585