
Re: [suse-security] openssh-3.5p1-107 tunneling problems



Hi Michael,

> I upgraded to the openssh-3.5p1-107 rpms over the weekend and now I have a
> problem with tunneling. I use an ssh tunnel to make irc connections; now when
> I make an irc connection over the tunnel I connect as user root instead of as
> the user I make the tunnel with:
>
> ssh -L 6669:irc.freenode.net:6667 michael@xxxxxxxxxxxxxxx
>
> The sshd_config is the stock one that came with the rpm. Am I missing
> something?
>
I think you have just discovered that sshd is no longer running
with privilege separation. Have you compared the new sshd_config file
from the rpm to the old one?

If privilege separation is enabled, the main sshd daemon will fork a
process running under the UID of the user logging in and this process
will take care of the tunneling.

But the default with the new rpm is that privilege separation is
disabled, i.e. the process handling the socket and taking care of the
tunneling is running as root.

This would explain your observation. Have you tried to switch on
privilege separation in sshd_config, then restart the server and do
the same test? What does it say now?

HTH,
Armin

-- 
Am Hasenberg 26         office: Institut für Atmosphärenphysik
D-18209 Bad Doberan             Schloss-Straße 6
Tel. ++49-(0)38203/42137        D-18225 Kühlungsborn / GERMANY
Email: schoech@xxxxxxxxxxxx     Tel. +49-(0)38293-68-102
WWW: http://armins.cjb.net/     Fax. +49-(0)38293-68-50
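
Added example, not part of the message above: a shell check that reports which UsePrivilegeSeparation value sshd would read from a given sshd_config, which is the comparison between the old and new config files that the reply suggests. The function names and the sample config are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): report the UsePrivilegeSeparation
# value sshd would read from a given sshd_config.

# effective_sshd_option FILE KEYWORD
# Keywords are case-insensitive, '#' starts a comment line, "Key=value" is
# accepted, and the first occurrence of a keyword is the one that counts.
effective_sshd_option() {
    awk -v want="$2" '
        BEGIN { want = tolower(want) }
        {
            line = $0
            sub(/^[ \t]+/, "", line)
            if (line == "" || line ~ /^#/) next
            split(line, f, /[ \t=]+/)
            if (tolower(f[1]) == want) { print tolower(f[2]); found = 1; exit }
        }
        END { if (!found) print "unset" }
    ' "$1"
}

# privsep_status FILE -> enabled | disabled | unset | unknown
privsep_status() {
    case "$(effective_sshd_option "$1" UsePrivilegeSeparation)" in
        yes|sandbox) echo enabled ;;
        no)          echo disabled ;;
        unset)       echo unset ;;    # the package's built-in default applies
        *)           echo unknown ;;
    esac
}

# Constructed sample config: a commented-out "yes", then an active "no",
# then a later "yes" that is ignored because the first occurrence wins.
demo_cfg=$(mktemp)
cat > "$demo_cfg" <<'EOF'
# UsePrivilegeSeparation yes
Port 22
useprivilegeseparation no
UsePrivilegeSeparation yes
EOF
echo "sample config: privilege separation is $(privsep_status "$demo_cfg")"
rm -f "$demo_cfg"
```

Run privsep_status against both the old and the new sshd_config; a result of "unset" means the file does not decide the matter and the build's default is in effect.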

