Bug 230 - UsePrivilegeSeparation turns off Banner.
Status: CLOSED FIXED
Alias: None
Product: Portable OpenSSH
Classification: Unclassified
Component: sshd
Version: -current
Hardware: ix86 OpenBSD
Importance: P3 normal
Assignee: OpenSSH Bugzilla mailing list
 
Reported: 2002-04-29 10:50 AEST by Kyle R. Hofmann
Modified: 2004-04-14 12:24 AEST

Attachments
Make Banner work with privsep as expected (5.36 KB, patch)
2002-04-30 11:46 AEST, Damien Miller

Description Kyle R. Hofmann 2002-04-29 10:50:37 AEST
I have "Banner /etc/motd" and "UsePrivilegeSeparation yes" in my sshd
configuration.  When I "ssh localhost", I get:

$ ssh localhost
krh@localhost's password:
Last login: Sun Apr 28 17:29:10 2002 from localhost.lemniscate.net
$

as if I had no banner.  Turning off UsePrivilegeSeparation fixes this;
the banner comes up like it's supposed to.  I only have ix86 OpenBSD
systems to test this against, but I suspect it's not limited to them.
Comment 1 Kyle R. Hofmann 2002-04-29 10:53:21 AEST
I should add that I also have PrintMotd off so that the motd is
printed only once, and yes, I am connecting with the SSH 2 protocol.
Comment 2 Kevin Steves 2002-04-30 01:51:54 AEST
Currently, with privsep on, the banner file needs to be in /var/empty.  So
if your banner is /etc/issue, you need /var/empty/etc/issue.
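
The lookup rule from comment 2, as an added example (not part of the bug report and not OpenSSH code): a shell check that computes where a pre-fix sshd with privilege separation would look for the Banner file and reports whether it is readable there. The function names, the root-prefix argument and the simplified keyword parsing are assumptions of this example; /var/empty is the directory named in comment 2.

```sh
#!/bin/sh
# Added example, not OpenSSH code. Models comment 2: before the fix, a
# privsep sshd looked for the Banner file inside its chroot directory.
CHROOT_DIR=${CHROOT_DIR:-/var/empty}   # directory named in comment 2

# Print the first value given for a keyword (keywords are case-insensitive).
cfg_value() {  # usage: cfg_value <config-file> <keyword>
    awk -v key="$2" '
        /^[ \t]*#/ { next }                          # skip comment lines
        tolower($1) == tolower(key) { print $2; exit }
    ' "$1"
}

# Print the path at which the banner file has to exist for this config.
effective_banner_path() {  # usage: effective_banner_path <config-file>
    banner=$(cfg_value "$1" Banner)
    privsep=$(cfg_value "$1" UsePrivilegeSeparation)
    [ -n "$banner" ] || return 1                     # no Banner configured
    case $(printf %s "$privsep" | tr 'A-Z' 'a-z') in
        yes) printf '%s%s\n' "$CHROOT_DIR" "$banner" ;;
        *)   printf '%s\n' "$banner" ;;              # assumption: unset = off
    esac
}

# Return 0 if the banner is readable where sshd would look, 1 if it is not,
# 2 if no Banner is set. root-prefix lets the check run against a scratch tree.
check_banner() {  # usage: check_banner <config-file> [root-prefix]
    path=$(effective_banner_path "$1") || { echo "no Banner set"; return 2; }
    if [ -r "${2:-}$path" ]; then
        echo "ok: $path"
    else
        echo "missing: $path"
        return 1
    fi
}

# Constructed sample: the reporter's two settings in a scratch root.
root=$(mktemp -d)
mkdir -p "$root/etc"
echo "constructed banner text" > "$root/etc/motd"
printf 'Banner /etc/motd\nUsePrivilegeSeparation yes\n' > "$root/sshd_config"
check_banner "$root/sshd_config" "$root" || true
rm -rf "$root"
```
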
Comment 3 Damien Miller 2002-04-30 11:46:42 AEST
Created attachment 91
Make Banner work with privsep as expected
Comment 4 Damien Miller 2002-04-30 11:47:44 AEST
Could you please try the attached patch?
Comment 5 Niels Provos 2002-04-30 12:14:49 AEST
That diff looks good to me.  I cannot test right now, but it is the
right approach.
Comment 6 Kyle R. Hofmann 2002-05-01 17:52:49 AEST
The patch does not apply cleanly to any snapshot between April 27 and
April 30.  Applying it by hand doesn't help, because whether or not I
do that, the compile fails with:

readpassphrase.c: In function `handler':
readpassphrase.c:183: `signo' undeclared (first use in this function)
readpassphrase.c:183: (Each undeclared identifier is reported only once
readpassphrase.c:183: for each function it appears in.)
readpassphrase.c: At top level:
readpassphrase.c:181: warning: `handler' defined but not used
Comment 7 Damien Miller 2002-05-01 22:02:45 AEST
Thanks - the fix for that will be in the next snapshot. If you are impatient,
you can edit openbsd-compat/readpassphrase.c and move the "#endif" from below
the readpassphrase() function (~line 168) to the end of the file.
Comment 8 Kyle R. Hofmann 2002-05-02 14:41:32 AEST
Well, to get the May 1 snapshot to compile, I had to edit config.h
and manually undefine HAVE_READPASSPHRASE, and I had to edit readpass.c
and include openbsd-compat/readpassphrase.h.  Otherwise the compile
fails at readpass.c:101 with RPP_ECHO_{ON,OFF} and RPP_REQUIRE_TTY
undefined.

But once I did that (and I'm sure it's not the Right Thing, because
sshd didn't recognize the keywords KerberosAuthentication and
AFSTokenPassing in sshd_config), everything compiled and Banner
worked with UsePrivilegeSeparation.  Thanks!
Comment 9 Damien Miller 2002-05-02 16:19:51 AEST
I'll reopen the bug until the fix gets committed. Could you please file a
separate bug for the readpassphrase problem?
Comment 10 Damien Miller 2002-05-13 11:02:15 AEST
Patch committed
Comment 11 Damien Miller 2004-04-14 12:24:18 AEST
Mass change of RESOLVED bugs to CLOSED