<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML><HEAD>
<META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=us-ascii">
<TITLE>Message</TITLE>
<META content="MSHTML 6.00.2722.900" name=GENERATOR></HEAD>
<BODY>
<DIV><FONT face=Arial size=2><SPAN class=833563511-13122002>PrivilegeSeparation
seems to be a valuable option; however, at its current maturity level it is the
cause of several problems. Just to name a few:</SPAN></FONT></DIV>
<DIV><FONT face=Arial size=2><SPAN class=833563511-13122002>- Incompatible with
BSM auditing on Solaris</SPAN></FONT></DIV>
<DIV><FONT face=Arial size=2><SPAN class=833563511-13122002>- Incompatible with
PAM password aging (for this reason??? the code to handle password expiration
has been disabled without ANY notice)</SPAN></FONT></DIV>
<DIV><FONT face=Arial size=2><SPAN class=833563511-13122002>- Causes core dumps
on HP-UX</SPAN></FONT></DIV>
<DIV><FONT face=Arial size=2><SPAN
class=833563511-13122002></SPAN></FONT> </DIV>
<DIV><FONT face=Arial size=2><SPAN class=833563511-13122002>I think
PrivilegeSeparation should be disabled by default, and not enabled by default as
is the case right now. Even better is to make the PrivilegeSeparation support
configurable at compile time, when you do not want it, it will not be in the
binary. As soon as the PrivilegeSeparation code is mature and does not cause all
these problems, it can be enabled by default again.</SPAN></FONT></DIV>
<DIV><FONT face=Arial size=2><SPAN
class=833563511-13122002></SPAN></FONT> </DIV>
<DIV><FONT face=Arial size=2><SPAN class=833563511-13122002>Another thing, when
features such as PAM password aging are no longer supported in new releases
(e.g. because the code has been commented out), there should be a clear warning
of this. In my case, disabling the PAM password expiry code resulted in users
not being able to change their password and access the system anymore, some
weeks after we upgraded from openssh-3.1p1 to openssh-3.4p1.</SPAN></FONT></DIV>
<DIV><FONT face=Arial size=2><SPAN
class=833563511-13122002></SPAN></FONT> </DIV>
<DIV><FONT face=Arial size=2><SPAN
class=833563511-13122002>Regards,</SPAN></FONT></DIV>
<DIV><FONT face=Arial size=2><SPAN
class=833563511-13122002>Rene.</SPAN></FONT></DIV></BODY></HTML>