[OpenAFS-devel] Re: OpenSSH, OpenAFS, Heimdal Kerberos and MIT Kerberos

Stephen Smoogen smoogen at lanl.gov
Sun Feb 1 15:24:40 EST 2004


While you may be from Missouri, you will either have to take their word 
for it.. or go off and test it yourself. Get the older versions of ssh 
onto a machine, and get one of the ssh-xploits from a hacker site. Turn 
on privsep... watch it segfault and exit. Turn off privsep.. get root.

Sorry for feeding the trolls.

On Tue, 27 Jan 2004, Dean Anderson wrote:

>Really?  Are there any links to what was avoided?  I'd like to look at
>these in detail before I concede that anything of value has been
>demonstrated.  I've heard these claims before, but I could not find any 
>substantiating details---the claims are dubious at best.
>
>		--Dean
>
>On Tue, 27 Jan 2004, Damien Miller wrote:
>
>> Dean Anderson wrote:
>> > Right. And there is an easy solution: Turn off Privsep.  A process that
>> > creates new user sessions needs root privileges, and those privileges
>> > cannot be given away prematurely to "improve security".  Privsep is just a
>> > stupid idea for some programs.  Probably for most programs...
>> 
>> Privsep has avoided the last two real security problems found in
>> portable OpenSSH, and others before that. The security gain has
>> already been demonstrated.
>> 
>> -d
>> 
>

-- 
Stephen John Smoogen		smoogen at lanl.gov
Los Alamos National Lab  CCN-5 Sched 5/40  PH: 4-0645
Ta-03 SM-1498 MailStop B255 DP 10S  Los Alamos, NM 87545
-- So shines a good deed in a weary world. = Willy Wonka --



