Debian Bug report logs - #171642
ssh: include opie support or fix ssh to use pam_opie for enabled privsep
Reported by: Martin Wuertele <maxx@debian.org>
Date: Wed, 4 Dec 2002 00:18:01 UTC
Severity: wishlist
Found in version 1:3.5p1-2
Done: Michael Stone <mstone@debian.org>
Bug is archived. No further changes may be made.
Report forwarded to debian-bugs-dist@lists.debian.org, Matthew Vernon <matthew@debian.org>, openssh@packages.qa.debian.org:
Bug#171642; Package ssh.
Acknowledgement sent to Martin Wuertele <maxx@debian.org>:
New Bug report received and forwarded. Copy sent to Matthew Vernon <matthew@debian.org>, openssh@packages.qa.debian.org.
Message #5 received at submit@bugs.debian.org:
Package: ssh
Version: 1:3.5p1-2
Severity: wishlist
Since UsePrivilegeSeparation was introduced, authentication via
pam_opie only works with
UsePrivilegeSeparation no
decreasing security, while ssh itself still has no direct opie support.
Please either make ssh work with pam_opie while UsePrivilegeSeparation
is enabled or include opie support into ssh (patch against 3.0 at
http://marc.theaimsgroup.com/?l=openssh-unix-dev&m=100483915419537&w=2)
-- System Information:
Debian Release: testing/unstable
Architecture: i386
Kernel: Linux independence 2.4.18-xfs-lvm1.1rc1 #1 Wed Jul 3 09:37:04 CEST 2002 i686
Locale: LANG=C, LC_CTYPE=de_AT@EURO
Versions of packages ssh depends on:
ii adduser 3.47 Add and remove users and groups
ii debconf 1.1.25 Debian configuration management sy
ii libc6 2.3.1-5 GNU C Library: Shared libraries an
ii libpam-modules 0.72-35 Pluggable Authentication Modules f
ii libpam0g 0.76-8 Pluggable Authentication Modules l
ii libssl0.9.6 0.9.6g-2 SSL shared libraries
ii libwrap0 7.6-ipv6.1-2 Wietse Venema's TCP wrappers libra
ii zlib1g 1:1.1.4-3 compression library - runtime
-- debconf information:
* ssh/ssh2_keys_merged:
ssh/new_config: true
ssh/rootlogin_warning:
ssh/insecure_rshd:
* ssh/privsep_tell:
* ssh/forward_warning:
ssh/ancient_version:
ssh/protocol2_only: true
* ssh/protocol2_default:
* ssh/insecure_telnetd:
* ssh/run_sshd: true
ssh/encrypted_host_key_but_no_keygen:
* ssh/use_old_init_script: true
* ssh/upgrade_to_openssh: true
* ssh/SUID_client: true
ssh/privsep_ask: true
TIA Martin
--
<maxx@debian.org> --------------------------------- NO HTML MAILS PLEASE
GPG / PGP encrypted and signed messages preferred
Message #10 received at 171642@bugs.debian.org:
The README.privsep file in openssh 3.7p1 says:
PAM-enabled OpenSSH is known to function with privsep on Linux.
so this is apparently fixed upstream.
--
Tim Freeman tim@fungible.com
I xeroxed a mirror. Now I have an extra xerox machine. -- Steven Wright
Message #15 received at 171642@bugs.debian.org:
I said:
>The README.privsep file in openssh 3.7p1 says:
>
> PAM-enabled OpenSSH is known to function with privsep on Linux.
>
>so this is apparently fixed upstream.
which is a bad argument, since the 3.6.1p2 README.privsep says the
same thing. However, I still believe the conclusion that privsep and
keyboard-interactive authentication work together in 3.7p1 because the
3.6.1p2 README.privsep says
PAMAuthenticationViaKbdInt does not function with privsep.
and the README.privsep for 3.7p1 does not say this. A patch fixing
the privsep & keyboard-interactive problem was apparently published 10
June 2003:
http://www.freebsdforums.org/forums/showthread.php?threadid=11058
--
Tim Freeman tim@fungible.com
I xeroxed a mirror. Now I have an extra xerox machine. -- Steven Wright
Message #20 received at 171642@bugs.debian.org:
Hi.
I just tested upstream openssh-3.8.1p1 with pam_opie and it seems to
work OK. The Debian package should be fine too, can you try it?
$ ssh testuser@hydra
otp-md5 495 hy7899 ext, Response:
Last login: Thu Jul 1 20:07:54 2004 from gate.dodgy.net.au on pts/3
[etc]
Debian maintainer: you might also want to close #150939 and #151084
(also OPIE and reported fixed, but not related to this bug).
--
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.
Reply sent to Michael Stone <mstone@debian.org>:
You have taken responsibility.
Notification sent to Martin Wuertele <maxx@debian.org>:
Bug acknowledged by developer.
Message #25 received at 171642-close@bugs.debian.org:
libpam-opie is currently working with full functionality in sarge ssh.
Mike Stone
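
Added example, not part of the bug log and not Debian or OpenSSH code: the workaround named in the original report was `UsePrivilegeSeparation no`, so once pam_opie works under privsep a host should no longer carry that line. The script below checks an sshd_config for it; the function names and the sample file are assumptions made for illustration.

```sh
#!/bin/sh
# Added example (not from the bug log): detect a leftover privsep workaround.
# sshd takes the FIRST occurrence of a keyword and matches keywords
# case-insensitively, so the lookup does the same. Match blocks are not handled.

# effective_value FILE KEYWORD DEFAULT -> value sshd would use, lower-cased
effective_value() {
    awk -v key="$2" -v def="$3" '
        /^[ \t]*(#|$)/ { next }              # comment or blank line
        {
            line = $0
            sub(/^[ \t]+/, "", line)
            n = split(line, f, /[ \t=]+/)    # "Key value" or "Key=value"
            if (n >= 2 && tolower(f[1]) == tolower(key)) {
                print tolower(f[2]); found = 1; exit
            }
        }
        END { if (!found) print def }
    ' "$1"
}

# audit_privsep FILE -> one verdict line; returns 1 if privsep is disabled
audit_privsep() {
    # Defaults are the upstream OpenSSH ones for options missing from the file.
    privsep=$(effective_value "$1" UsePrivilegeSeparation yes)
    usepam=$(effective_value "$1" UsePAM no)
    kbdint=$(effective_value "$1" ChallengeResponseAuthentication yes)
    if [ "$privsep" = "no" ]; then
        echo "FINDING: UsePrivilegeSeparation no (workaround still active)"
        return 1
    fi
    if [ "$usepam" = "yes" ] && [ "$kbdint" = "yes" ]; then
        echo "OK: privsep=$privsep, PAM challenge-response enabled"
    else
        echo "NOTE: privsep=$privsep, UsePAM=$usepam, ChallengeResponseAuthentication=$kbdint"
    fi
}

# Constructed sample: the workaround left in place, followed by a later
# "yes" that sshd ignores because the first occurrence wins.
sample=$(mktemp)
cat > "$sample" <<'EOF'
UsePAM yes
ChallengeResponseAuthentication yes
UsePrivilegeSeparation no
useprivilegeseparation yes
EOF
audit_privsep "$sample" || echo "exit status 1: re-enable privilege separation"
rm -f "$sample"
```
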
Last modified: Wed Jan 6 07:43:31 2016