On Wed, Jul 10, 2002 at 11:22:24PM -0800, Ethan Benson wrote:
> On Thu, Jul 11, 2002 at 12:20:24AM +0400, Solar Designer wrote:
> >
> > Finally, I did a patch to re-enable password changes, without the
> > nasty side effect which was the reason to disable that code, for the
> > non-privsep case in the OpenSSH 3.4p1 package in Owl (our distribution,
> > http://www.openwall.com/Owl/). The patch is freely available as a
> > part of Owl (in the native tree). To this message I've attached just
> > the two patches relevant to making password changing work again in
> > 3.4p1. Our OpenSSH package contains many other patches (11 total).
>
> Is there any way to fix it for the privsep case? Since it seems clear
> that sshd is full of holes, turning off privsep is a very bad idea.

It's not trivial, a small redesign is needed. Currently, when privsep
is in use, a pty may only be obtained after having dropped to the user.
But PAM password changing requires both a pty and root privileges.

--
/sd