Bug 230

Summary: UsePrivilegeSeparation turns off Banner.
Product: Portable OpenSSH
Reporter: Kyle R. Hofmann <krh>
Component: sshd
Assignee: OpenSSH Bugzilla mailing list <openssh-bugs>
Status: CLOSED FIXED
Severity: normal
CC: provos
Priority: P3
Version: -current
Hardware: ix86
OS: OpenBSD

Attachments:
Description: Make Banner work with privsep as expected
Flags: none

Description Kyle R. Hofmann 2002-04-29 10:50:37 AEST
I have "Banner /etc/motd" and "UsePrivilegeSeparation yes" in my sshd
configuration.  When I "ssh localhost", I get:

$ ssh localhost
krh@localhost's password:
Last login: Sun Apr 28 17:29:10 2002 from localhost.lemniscate.net
$

as if I had no banner.  Turning off UsePrivilegeSeparation fixes this;
the banner comes up like it's supposed to.  I only have ix86 OpenBSD
systems to test this against, but I suspect it's not limited to them.
Comment 1 Kyle R. Hofmann 2002-04-29 10:53:21 AEST
I should add that I also have PrintMotd off so that the motd is
printed only once, and yes, I am connecting with the SSH 2 protocol.
Comment 2 Kevin Steves 2002-04-30 01:51:54 AEST
Currently, with privsep on, the banner file needs to be in /var/empty.  So
if your banner is /etc/issue, you need /var/empty/etc/issue.
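
Added example (not part of the bug thread and not OpenSSH code): a shell check for the pre-patch behaviour described in comment 2, reporting the path at which the Banner file must be readable when UsePrivilegeSeparation is on. The function names, the simple "Keyword value" parsing and the treatment of an unset UsePrivilegeSeparation as "no" are assumptions of this example.

```shell
#!/bin/sh
# Added example, not OpenSSH code. Sample paths in comments are constructed.

# Print the first value given for keyword $2 in config file $1.
# sshd_config keywords are case-insensitive and the first occurrence wins.
# Assumption: plain "Keyword value" lines, no quoting and no "=" separator.
sshd_conf_get() {
    awk -v key="$2" 'tolower($1) == tolower(key) { print $2; exit }' "$1"
}

# Report the path at which the Banner file has to be readable.
#   $1 = sshd_config to inspect
#   $2 = privsep chroot directory (assumed default: /var/empty, per comment 2)
# Prints "ok: PATH" and returns 0, or "missing: PATH" and returns 1.
banner_privsep_check() {
    conf=$1
    chroot_dir=${2:-/var/empty}
    banner=$(sshd_conf_get "$conf" Banner)
    privsep=$(sshd_conf_get "$conf" UsePrivilegeSeparation)

    # No Banner keyword (or "none"): nothing to check.
    case "$banner" in
        ''|none) echo "no banner configured"; return 0 ;;
    esac

    # With privsep on, the path is resolved relative to the chroot directory.
    # Assumption: an unset UsePrivilegeSeparation is treated as "no" here.
    case "$privsep" in
        [Yy][Ee][Ss]) effective="${chroot_dir%/}$banner" ;;
        *)            effective="$banner" ;;
    esac

    if [ -r "$effective" ]; then
        echo "ok: $effective"
    else
        echo "missing: $effective"
        return 1
    fi
}

# Usage: sh check.sh /etc/ssh/sshd_config [chroot_dir]
if [ $# -gt 0 ]; then
    banner_privsep_check "$@"
fi
```
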
Comment 3 Damien Miller 2002-04-30 11:46:42 AEST
Created attachment 91
Make Banner work with privsep as expected
Comment 4 Damien Miller 2002-04-30 11:47:44 AEST
Could you please try the attached patch?
Comment 5 Niels Provos 2002-04-30 12:14:49 AEST
That diff looks good to me.  I can not test right now, but it is the
right approach.
Comment 6 Kyle R. Hofmann 2002-05-01 17:52:49 AEST
The patch does not apply cleanly to any snapshot between April 27 and
April 30.  Applying it by hand doesn't help, because whether or not I
do that, the compile fails with:

readpassphrase.c: In function `handler':
readpassphrase.c:183: `signo' undeclared (first use in this function)
readpassphrase.c:183: (Each undeclared identifier is reported only once
readpassphrase.c:183: for each function it appears in.)
readpassphrase.c: At top level:
readpassphrase.c:181: warning: `handler' defined but not used
Comment 7 Damien Miller 2002-05-01 22:02:45 AEST
Thanks - the fix for that will be in the next snapshot. If you are impatient,
you can edit openbsd-compat/readpassphrase.c and move the "#endif" from below
the readpassphrase() function (~line 168) to the end of the file.
Comment 8 Kyle R. Hofmann 2002-05-02 14:41:32 AEST
Well, to get the May 1 snapshot to compile, I had to edit config.h
and manually undefine HAVE_READPASSPHRASE, and I had to edit readpass.c
and include openbsd-compat/readpassphrase.h.  Otherwise the compile
fails at readpass.c:101 with RPP_ECHO_{ON,OFF} and RPP_REQUIRE_TTY
undefined.

But once I did that (and I'm sure it's not the Right Thing, because
sshd didn't recognize the keywords KerberosAuthentication and
AFSTokenPassing in sshd_config), everything compiled and Banner
worked with UsePrivilegeSeparation.  Thanks!
Comment 9 Damien Miller 2002-05-02 16:19:51 AEST
I'll reopen the bug until the fix gets committed. Could you please file a
separate bug for the readpassphrase problem?
Comment 10 Damien Miller 2002-05-13 11:02:15 AEST
Patch committed
Comment 11 Damien Miller 2004-04-14 12:24:18 AEST
Mass change of RESOLVED bugs to CLOSED