From nobody Mon Sep 06 16:36:16 2021 X-Original-To: freebsd-hackers@mlmmj.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 5828017AC300 for ; Mon, 6 Sep 2021 16:36:29 +0000 (UTC) (envelope-from kaduk@mit.edu) Received: from outgoing.mit.edu (outgoing-auth-1.mit.edu [18.9.28.11]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id 4H3DYm3W8Jz56ss; Mon, 6 Sep 2021 16:36:28 +0000 (UTC) (envelope-from kaduk@mit.edu) Received: from kduck.mit.edu ([24.16.140.251]) (authenticated bits=56) (User authenticated as kaduk@ATHENA.MIT.EDU) by outgoing.mit.edu (8.14.7/8.12.4) with ESMTP id 186GaGGD009704 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Mon, 6 Sep 2021 12:36:21 -0400 Date: Mon, 6 Sep 2021 09:36:16 -0700 From: Benjamin Kaduk To: Ed Maste Cc: FreeBSD Hackers Subject: Re: OpenSSH 8.7p1 update for the base system Message-ID: <20210906163616.GI96301@kduck.mit.edu> References: <20210905040341.GG96301@kduck.mit.edu> List-Id: Technical discussions relating to FreeBSD List-Archive: https://lists.freebsd.org/archives/freebsd-hackers List-Help: List-Post: List-Subscribe: List-Unsubscribe: Sender: owner-freebsd-hackers@freebsd.org MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: X-Rspamd-Queue-Id: 4H3DYm3W8Jz56ss X-Spamd-Bar: --- Authentication-Results: mx1.freebsd.org; dkim=none; dmarc=none; spf=pass (mx1.freebsd.org: domain of kaduk@mit.edu designates 18.9.28.11 as permitted sender) smtp.mailfrom=kaduk@mit.edu X-Spamd-Result: default: False [-3.49 / 15.00]; ARC_NA(0.00)[]; NEURAL_HAM_MEDIUM(-1.00)[-1.000]; RECEIVED_SPAMHAUS_PBL(0.00)[24.16.140.251:received]; FROM_HAS_DN(0.00)[]; TO_MATCH_ENVRCPT_ALL(0.00)[]; R_SPF_ALLOW(-0.20)[+ip4:18.9.28.0/24]; MIME_GOOD(-0.10)[text/plain]; DMARC_NA(0.00)[mit.edu]; NEURAL_HAM_LONG(-1.00)[-1.000]; MID_RHS_MATCH_FROMTLD(0.00)[]; TO_DN_ALL(0.00)[]; RCVD_IN_DNSWL_MED(-0.20)[18.9.28.11:from]; RCPT_COUNT_TWO(0.00)[2]; NEURAL_HAM_SHORT(-0.99)[-0.992]; FROM_EQ_ENVFROM(0.00)[]; RCVD_TLS_LAST(0.00)[]; R_DKIM_NA(0.00)[]; ASN(0.00)[asn:3, ipnet:18.9.0.0/16, country:US]; MIME_TRACE(0.00)[0:+]; RCVD_COUNT_TWO(0.00)[2] X-Spam: Yes X-ThisMailContainsUnwantedMimeParts: N On Sun, Sep 05, 2021 at 10:42:45AM -0400, Ed Maste wrote: > On Sun, 5 Sept 2021 at 00:04, Benjamin Kaduk wrote: > > > > Hi Ed, > > > > I'm not sure whether this would be something for the release notes or not, > > but I believe that making privilege separation mandatory causes GSSAPI > > credential delegation to essentially not work. > > I think privilege separation became mandatory in 7.5p1, imported in > d93a896ef959 in 2017. Thus I believe this hasn't been functional for > quite some time; am I mistaken? That seems likely; I confess I didn't follow the versioning very closely across which machines I have to use a workaround on. > It should still be documented, even if it's well after the fact. I > think it's also worth trying to fix, although I'm not sure if I will > have time to work on it. Fair enough. I don't remember enough about what channels are available for communicating (sensitive!) information across the UID boundary in sshd, so I can't really speak to how hard it would be. Thanks, Ben