OpenSSH and UsePrivilegeSeparation

Sean Kennedy skennedy at tpno.org
Tue May 4 17:10:19 UTC 2004



Ray Van Dolson wrote:

|I'm setting up a bunch of Fedora-based servers that will be
|authenticating logins via pam_ldap (PAM).  I've gotten things
|running nicely, but ran into a small problem with OpenSSH.  When
|a user who hasn't logged into a certain box before logs in and
|his home directory doesn't exist, I use the pam_mkhomedir.so
|module to create the directory.  However, this will barf on
|OpenSSH <= 3.7 unless Privilege Separation is disabled since
|after authentication is complete, the process is running as the
|'ssh' user and can't write to /home (and couldn't change the
|owner of the new directory to the user I want in any case).
|
|Work-around is to turn off privilege separation, but I'm not sure
|how good of an idea this is... the other option would be to upgrade
|to OpenSSH 3.7.x where this problem is no longer an issue.
|
|Any plans to bump Fedora's OpenSSH to 3.7?  Doesn't appear to be
|the case in C2.  Maybe I should roll my own RPMs or just modify
|my Kickstart configuration to turn off privilege separation on
|all the boxes when they're set up...
|
|Just looking for some opinions.

Are uids consistent throughout the boxes?  Why not just set up a homes
server, and share out the /home directory via nfs?

--
Sean Kennedy
PGP public key: http://tpno.org/keys/0xFC1C377F.asc
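As an added example that is not part of either post, a small Python checker for the trade-off under discussion: it reads an sshd_config and a PAM sshd stack (constructed samples embedded) and reports whether privilege separation has been turned off for the sake of pam_mkhomedir. The first-occurrence-wins and default-yes rules for sshd_config are how sshd reads the file; the version-specific failure is the thread's claim, not something the checker verifies.

```python
import re
from typing import Optional

# Constructed sample: the workaround the question describes (privsep off).
# A later duplicate keyword is deliberately included; sshd ignores it.
SAMPLE_SSHD_CONFIG = """Port 22
UsePrivilegeSeparation no
usePrivilegeSeparation yes   # ignored: first occurrence wins
"""

# Constructed sample /etc/pam.d/sshd with the home-directory creation module.
SAMPLE_PAM_SSHD = """auth     required pam_stack.so service=system-auth
account  required pam_stack.so service=system-auth
session  required pam_stack.so service=system-auth
session  required pam_mkhomedir.so skel=/etc/skel umask=0022
"""

def _strip(raw: str) -> str:
    """Drop a trailing '#' comment and surrounding whitespace."""
    return raw.split("#", 1)[0].strip()

def sshd_option(config_text: str, keyword: str) -> Optional[str]:
    """Effective value of a global sshd_config keyword (lower-cased), or None
    if unset. Keywords are case-insensitive and the first occurrence wins."""
    for raw in config_text.splitlines():
        parts = re.split(r"[\s=]+", _strip(raw), maxsplit=1)
        if len(parts) == 2 and parts[0].lower() == keyword.lower():
            return parts[1].strip().lower()
    return None

def privsep_enabled(config_text: str) -> bool:
    """UsePrivilegeSeparation defaults to yes; only an explicit 'no' turns it off."""
    return sshd_option(config_text, "UsePrivilegeSeparation") != "no"

def pam_mkhomedir_in_session(pam_text: str) -> bool:
    """True if the sshd PAM stack loads pam_mkhomedir as a session module."""
    for raw in pam_text.splitlines():
        fields = _strip(raw).split()
        if fields and fields[0].lower() == "session" and any("pam_mkhomedir" in f for f in fields[1:]):
            return True
    return False

def assess(sshd_config: str, pam_sshd: str) -> str:
    """Classify the combination; the post-auth sshd runs unprivileged only with privsep on."""
    if not privsep_enabled(sshd_config):
        return "privsep-disabled"            # weakens sshd for every login, not just first ones
    if pam_mkhomedir_in_session(pam_sshd):
        return "privsep-on-with-mkhomedir"   # may fail on the old sshd the question describes
    return "ok"
```

Running `assess(SAMPLE_SSHD_CONFIG, SAMPLE_PAM_SSHD)` on the embedded samples returns `privsep-disabled`, the configuration the reply is cautioning against.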

More information about the fedora-list mailing list