New PAM code landing (at last)

Damien Miller djm at
Sat May 10 21:51:57 EST 2003

>>We are a long way from the next release, so we have plenty of time to
>>make this work properly. Doing this will require a lot of testing, so I
>>encourage everyone on a PAM system to try out the new code and report
>>back ASAP.
> Are there any plans to fix the "PAM needs to run as root in the session
> stage"
> as raised by me a few weeks ago.
> I'm no expert on PAM and I understand the security
> implications but surely as someone mentioned earlier support for PAM is
> effectively
> broken without this.

I think that this may be very difficult to do with privsep, as we have
long since given up root privs by the time we start the session. Of
course, I'd like to be proved wrong...

> I know this is incredibly useful for ISPs who want to chroot people
> who login (as we do).

Have you tried rssh, or one of the chrooting wrappers?

This may be an inconvenience, but IMO the security benefit of privsep is
worth it.


More information about the openssh-unix-dev mailing list