On Thu, Jun 27, 2002 at 11:18:53AM -0700, Christopher Mahmood wrote:
* Robert C. Paulsen Jr. (robert@paulsenonline.net) [020626 18:22]:
sux -
Password:
No matches found, authority file "/dev/fd/62" not written
xauth: (argv):1: unable to read any entries from file "(stdin)"
avalon:~ # xterm
X11 connection rejected because of wrong authentication.
X connection to localhost:10.0 broken (explicit kill or server shutdown).
This must be because of the UsePrivilegeSeparation in 3.3 but I can't figure out why it works for me. I'll look into it today and repost.
Well, there was a security notice recommending an update. If there is no exposure why update?
It's explained in the addendum to SuSE-SA:2002:023 (http://lists.suse.com/archive/suse-security-announce/2002-Jun/0006.html): the default configuration in the SuSE OpenSSH 2.9.9p2 RPMs was not affected by the S/Key or BSDAUTH vulnerabilities. Likewise, PAMAuthenticationViaKbdInt is not enabled by default.
The workaround recommended by the openssh developers (UsePrivilegeSeparation) is only available in 3.3 and is causing problems with md5 passwds, some pam stuff, and apparently xauth (although that just may be because of the chroot it creates). As a test, try setting 'UsePrivilegeSeparation no' in /etc/ssh/sshd_config on the server and I think xauth (and sux) will work fine. Of course, if you turn that off there's no point in running the less tested 3.3 so you might as well just go back to 2.9.9p2.
I just installed the latest 3.4p1 via YOU and get the same problem discussed above ("sux -" after ssh login fails). I tried setting 'UsePrivilegeSeparation no' but it made no difference. Again, reinstalling ssh from the SuSE 8.0 CD put me back in business.

--
Robert C. Paulsen, Jr.
robert@paulsenonline.net
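Added example, not part of the original thread: a small Python check that reports what an sshd_config file actually sets for the two options named above, applying sshd's documented rules that keywords are case-insensitive and the first occurrence of a keyword wins. The sample config and the function names are constructed for illustration.

```python
# Added example, not from the thread. SAMPLE_CONFIG is constructed.
WATCHED = ("UsePrivilegeSeparation", "PAMAuthenticationViaKbdInt")

SAMPLE_CONFIG = """\
# constructed sample sshd_config
Protocol 2
#UsePrivilegeSeparation yes
useprivilegeseparation no
PAMAuthenticationViaKbdInt yes
UsePrivilegeSeparation yes
"""

def effective_settings(text, watched=WATCHED):
    """Map each watched option to the value the file sets, or None if unset."""
    canonical = {name.lower(): name for name in watched}
    result = {name: None for name in watched}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank line or comment
        parts = line.split(None, 1)
        if len(parts) < 2:
            continue  # keyword without an argument
        name = canonical.get(parts[0].lower())
        # first occurrence wins, so later duplicates are ignored
        if name and result[name] is None:
            result[name] = parts[1].split()[0].strip('"').lower()
    return result

def report(text):
    """Return human-readable notes about the watched options."""
    notes = []
    for name, value in effective_settings(text).items():
        if value is None:
            notes.append(f"{name}: not set in file, compiled-in default applies")
        else:
            notes.append(f"{name}: {value}")
    return notes

if __name__ == "__main__":
    for note in report(SAMPLE_CONFIG):
        print(note)
```

Running it against the real /etc/ssh/sshd_config after changing a setting shows whether an earlier line in the file is overriding the edit.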