OpenSSH and UsePrivilegeSeparation

Ray Van Dolson rayvd at corp.digitalpath.net
Mon May 3 16:15:39 UTC 2004


I'm setting up a bunch of Fedora-based servers that will be
authenticating logins via pam_ldap (PAM).  I've gotten things 
running nicely, but ran into a small problem with OpenSSH.  When
a user who hasn't logged into a certain box before logs in and 
his home directory doesn't exist, I use the pam_mkhomedir.so 
module to create the directory.  However, this will barf on
OpenSSH <= 3.7 unless Privilege Separation is disabled since
after authentication is complete, the process is running as the
'ssh' user and can't write to /home (and couldn't change the
owner of the new directory to the user I want in any case).

Work-around is to turn off privilege separation, but I'm not sure
how good of an idea this is... the other option would be to upgrade
to OpenSSH 3.7.x where this problem is no longer an issue.

Any plans to bump Fedora's OpenSSH to 3.7?  Doesn't appear to be
the case in C2.  Maybe I should roll my own RPM's or just modify
my Kickstart configuration to turn off privilege separation on 
all the boxes when they're set up...

Just looking for some opinions.
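As an added example (not part of the original post, and not code from the OpenSSH or Fedora projects), the following POSIX shell script audits an sshd_config for the "turn off privilege separation" work-around described above and checks whether pam_mkhomedir.so is loaded in the sshd PAM session stack. It runs against constructed sample files created in a temp directory; the file names stand in for /etc/ssh/sshd_config and /etc/pam.d/sshd and are assumptions, as is the plain "Keyword value" directive form (the "Keyword=value" form is not parsed).

```shell
#!/bin/sh
# Added example, not from the original post or from OpenSSH/Fedora.
# Audits an sshd_config for "UsePrivilegeSeparation no" and checks whether
# pam_mkhomedir.so is in the sshd PAM session stack.  All files used below
# are constructed samples, not the live system configuration.

# privsep_enabled FILE
# Exit 0 if privilege separation is effectively on in FILE, 1 if it is
# explicitly set to "no".  sshd honours the FIRST occurrence of a keyword
# and defaults to "yes" when the keyword is absent, so both rules are
# mirrored here (commented-out lines are skipped).
privsep_enabled() {
    value=$(awk '$1 !~ /^#/ && tolower($1) == "useprivilegeseparation" { print tolower($2); exit }' "$1")
    case "$value" in
        no) return 1 ;;
        *)  return 0 ;;   # "yes", "sandbox" (later releases) or unset (default yes)
    esac
}

# mkhomedir_in_session FILE
# Exit 0 if an uncommented "session" line in the PAM file loads pam_mkhomedir.so.
mkhomedir_in_session() {
    awk '$1 !~ /^#/ && $1 == "session" && /pam_mkhomedir\.so/ { found = 1 }
         END { exit found ? 0 : 1 }' "$1"
}

# audit SSHD_CONFIG PAM_FILE
# Prints a verdict per file; exits 1 when the privilege-separation work-around is present.
audit() {
    if privsep_enabled "$1"; then
        echo "OK:   privilege separation enabled in $1"
        status=0
    else
        echo "WARN: UsePrivilegeSeparation no in $1 (post-auth sshd code runs as root)"
        status=1
    fi
    if mkhomedir_in_session "$2"; then
        echo "INFO: pam_mkhomedir.so is in the session stack of $2"
    else
        echo "INFO: pam_mkhomedir.so not in the session stack of $2"
    fi
    return $status
}

# --- constructed sample files (assumed stand-ins for the real config paths)
SAMPLES=$(mktemp -d)
# First occurrence wins in sshd, so this file counts as "no" despite the later "yes".
printf 'Port 22\nUsePrivilegeSeparation no\nUsePrivilegeSeparation yes\n' > "$SAMPLES/sshd_config.workaround"
# Only a commented-out directive: sshd falls back to its default of "yes".
printf 'Port 22\n#UsePrivilegeSeparation no\n' > "$SAMPLES/sshd_config.default"
printf 'session    required     pam_mkhomedir.so skel=/etc/skel umask=0022\n#session required pam_mkhomedir.so\n' > "$SAMPLES/pam_sshd"
printf 'auth       required     pam_ldap.so\n' > "$SAMPLES/pam_sshd_nomk"

audit "$SAMPLES/sshd_config.workaround" "$SAMPLES/pam_sshd" || true
audit "$SAMPLES/sshd_config.default" "$SAMPLES/pam_sshd_nomk" || true
```

Point the two functions at the real /etc/ssh/sshd_config and /etc/pam.d/sshd (read-only, no root needed beyond read access) to find boxes where the Kickstart work-around was applied; the WARN line is the one to alert on.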