Paul Kelly wrote:
> PrivSep is NOT yet an acceptable solution by any stretch of the
> imagination. The Mandrake people have already found bugs in its
> interaction with PAM. For all we know it may expose us to further
> vulnerabilities on par with those in the commercial SSH 3.0 release
> (allowed anyone to ssh in to disabled accounts without a password). This
> code is out a WEEK! I for one wouldn't even consider running it on a
> production machine.
http://slashdot.org/comments.pl?sid=34775&cid=3760733
[Scary log message from OpenSSH 3.3p1 on linux 2.4]
I don't know how accurate this report is - it's from slashdot after all
- but this is the kind of thing that frightens me about new code in ssh.
There are also reports that PrivSep is incompatible with a 2.2 Linux
kernel, regardless of your sshd_config, due to how it uses mmap().
Paul.
Maintained by the ILUG website team. The aim of Linux.ie is to
support and help commercial and private users of Linux in Ireland. You can
display ILUG news in your own webpages, read backend
information to find out how. Networking services kindly provided by HEAnet, server kindly donated by
Dell. Linux is a trademark of Linus Torvalds,
used with permission. No penguins were harmed in the production or maintenance
of this highly praised website. Looking for the
Indian Linux Users' Group? Try here. If you've read all this and aren't a lawyer: you should be!
