From: Paul Kelly (longword at domain esatclear.ie)
Date: Tue 25 Jun 2002 - 10:56:24 IST
Paul Kelly wrote:
> PrivSep is NOT yet an acceptable solution by any stretch of the
> imagination. The Mandrake people have already found bugs in its
> interaction with PAM. For all we know it may expose us to further
> vulnerabilities on par with those in the commercial SSH 3.0 release
> (allowed anyone to ssh in to disabled accounts without a password). This
> code is out a WEEK! I for one wouldn't even consider running it on a
> production machine.
[Scary log message from OpenSSH 3.3p1 on linux 2.4]
I don't know how accurate this report is - it's from slashdot after all
- but this is the kind of thing that frightens me about new code in ssh.
There are also reports that PrivSep is incompatible with a 2.2 Linux
kernel, regardless of your sshd_config, due to how it uses mmap().
This archive was generated by hypermail 2.1.6 : Thu 06 Feb 2003 - 13:17:30 GMT