Re: Requirement for sshd account since 4.4p1
On Fri, Oct 27, 2006 at 10:36:59AM +0200, Corinna Vinschen wrote:[color=blue]
> there's a change made to 4.4p1, which gave some irritation on the Cygwin
> mailing list. It's a change from 20060907:
> - (djm) [sshd.c auth.c] Set up fakepw() with privsep uid/gid, so it can
> be used to drop privilege to; fixes Solaris GSSAPI crash reported by
> Magnus Abrante; suggestion and feedback dtucker@
> NB. this change will require that the privilege separation user must
> exist on all the time, not just when UsePrivilegeSeparation=yes[/color]
It was intended to be in the release notes too (as a rule, user-visible
changes like that should be) but it seems that it was dropped along the
> This fix for a Solaris specific problem forces everyone - even
> non-Solaris users - to have a sshd account on the system.[/color]
It's probably not just Solaris (any system where (seteuid(-1)) fails
would be affected) but that's where it was reported.
> This leaves behind users which have no admin access to their boxes and
> just want to start a private sshd which allows to logon with their own
That's one configuration I hadn't considered: running sshd entirely
nonprivileged when the privsep account doesn't exist.
Maybe we could only load privsep_pw if we're running privileged?
set*uid is not going to work if we're not.
> Looking into the source code it looks like this patch was never meant
> to be something other than temporary:
> struct passwd *
fakepw() has been there quite a while. It gets used when a user does not
exist in the passwd file so that many operations that would normally be
done can still be. This is in order to prevent leaking information to
an attacker by behaving differently for users that exist, are blocked
or don't exist.
Always having the privsep uid available is useful in other cases too
(eg PAM, bug #1215).
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.
openssh-unix-dev mailing list