privsep versus compression
Ben Lindstrom
mouring at etoh.eviladmin.org
Tue Sep 17 02:05:05 EST 2002
Please look at the -cvs tree. We have handled most of the mmap() issues
for any OS that was written in the last 6 years.
- Ben
On Mon, 16 Sep 2002, Martin MOKREJŠ wrote:
> Hi,
> I'm unable to get Kerberos4 authentication working with openssh-3.4p1.
> I'm getting a message that privsep is not available on my platform (Irix
> 6.5.15) and another message stating that compression and privsep are
> mutually exclusive. But, ssh decided to turn off compression, I think
> because of servconf.c. I think it would be more useful to have
> compression enabled and disable privsep as the encryption is almost
> useless when data is not compressed first. I think compression should
> never be disabled otherwise Kerberos will be also effectively disabled.
> Any opinions?
>
>
> Below I'm just showing the section I'm talking about. It's not a PATCH
> to be applied. ;)
>
>
> diff -u -w -r openssh-3.2.3p1/servconf.c openssh/servconf.c
> --- openssh-3.2.3p1/servconf.c 2002-05-15 23:37:34.000000000 +0200
> +++ openssh/servconf.c 2002-09-05 06:35:15.000000000 +0200
> [...]
> @@ -250,9 +256,19 @@
> if (options->authorized_keys_file == NULL)
> options->authorized_keys_file = _PATH_SSH_USER_PERMITTED_KEYS;
>
> - /* Turn privilege separation _off_ by default */
> + /* Turn privilege separation on by default */
> if (use_privsep == -1)
> - use_privsep = 0;
> + use_privsep = 1;
> +
> +#ifndef HAVE_MMAP
> + if (use_privsep && options->compression == 1) {
> + error("This platform does not support both privilege "
> + "separation and compression");
> + error("Compression disabled");
> + options->compression = 0;
> + }
> +#endif
> +
> }
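Review bot: In the `#ifndef HAVE_MMAP` block, `options->compression = 0` is applied whenever `use_privsep` is non-zero, including when the `use_privsep == -1` default just above has switched it on, so an administrator who never mentioned privilege separation loses compression with only two `error()` lines as explanation. Add a comment stating why the two features conflict when mmap is missing, and fold the two messages into one that says which setting the administrator can change to keep compression.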
> [...]
>
>
>
> diff -u -w -r openssh-3.2.3p1/session.c openssh/session.c
> --- openssh-3.2.3p1/session.c 2002-05-13 02:48:58.000000000 +0200
> +++ openssh/session.c 2002-09-04 08:45:10.000000000 +0200
> [...]
> @@ -165,8 +252,8 @@
> Session *s;
> char *command;
> int success, type, screen_flag;
> - int compression_level = 0, enable_compression_after_reply = 0;
> - u_int proto_len, data_len, dlen;
> + int enable_compression_after_reply = 0;
> + u_int proto_len, data_len, dlen, compression_level = 0;
>
> s = session_new();
> s->authctxt = authctxt;
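Review bot: `compression_level` changes from `int` to `u_int` in this declaration with no comment on why. Check every use against the new signedness, for example the call ending in `compression_level);` in the next hunk: any format specifier there should be an unsigned one, and any range test written for a signed value should be re-read.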
> @@ -192,6 +279,10 @@
> compression_level);
> break;
> }
> + if (!options.compression) {
> + debug2("compression disabled");
> + break;
> + }
> /* Enable compression after we have responded with SUCCESS. */
> enable_compression_after_reply = 1;
> success = 1;
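Review bot: The new `if (!options.compression)` test sits after the block that ends in `compression_level); break; }`, so the server's own setting is consulted only after that earlier check has run; moving the test ahead of it would refuse the request first. The refusal is logged only through `debug2("compression disabled")`, which is easy to miss, and the `break` relies on `success` having been cleared before this point, which these lines do not show. Consider a message at a more visible level saying the request was refused by server configuration.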
> [...]
>
>
>
> --
> Martin Mokrejs <mmokrejs at natur.cuni.cz>, <m.mokrejs at gsf.de>
> PGP5.0i key is at http://www.natur.cuni.cz/~mmokrejs
> MIPS / Institute for Bioinformatics <http://mips.gsf.de>
> GSF - National Research Center for Environment and Health
> Ingolstaedter Landstrasse 1, D-85764 Neuherberg, Germany
> tel.: +49-89-3187 3683 , fax: +49-89-3187 3585
>
>
> _______________________________________________
> openssh-unix-dev at mindrot.org mailing list
> http://www.mindrot.org/mailman/listinfo/openssh-unix-dev
>