Re: OpenSSH 3.4p1 PrivilegeSeparation experiment

From: Aaron.Hayden@Colorado.EDU
Date: 06/29/02

Date: Sat, 29 Jun 2002 14:54:13 -0700
From: Aaron.Hayden@Colorado.EDU

Here is a conglomeration response to the many emails I received.

  point: it is a _feature_ that makes it easy to upgrade versions.

Perhaps it is. Or maybe it is just easier for sshd to ignore processes
forked to continue sessions while it handles its own signals. This is
of course not necessary behavior for upgrading OpenSSH remotely.

  point: why would you expect current sessions to reread config?

Well, I wouldn't. But I would expect terminations of sessions spawned
under the original's configuration (all connections in my example). In
other words, I'd not expect all ssh daemons to die, but sessions run by
the sshd process I kill should halt.

  point: vuln-dev?

No, not really. I only realized sshd does this on SIGHUP reading the
source a few days ago. If it surprises you like it does me, then sure
you're vulnerable.

  . .;i  Aaron.Hayden@Colorado.EDU  i;. .
   '` !     ! `'

: 'Knowledge of self is like life after death.'
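As an added example (not part of the post above), a small shell check for the situation the thread describes: after SIGHUP the listening sshd re-reads its config, but the per-session children it forked earlier keep running under the old configuration. Given `ps -eo pid,ppid,args` snapshots taken before and after the reload, it lists the privilege-separation session monitors (`[priv]` children of the listener) that are still alive and therefore still governed by the pre-reload sshd_config; the pids and process names are constructed.

```shell
#!/bin/sh
# Constructed snapshots of `ps -eo pid,ppid,args | grep '[s]shd'`.
# Pid 412 is the listener; alice and bob are privsep sessions forked
# before the reload (each has a "[priv]" monitor plus an unprivileged child).
BEFORE='  412     1 /usr/sbin/sshd
 1501   412 sshd: alice [priv]
 1502  1501 sshd: alice@pts/0
 1620   412 sshd: bob [priv]
 1621  1620 sshd: bob@pts/1'

# After `kill -HUP 412`: the listener re-execs under the same pid, bob has
# logged out, alice is still connected with the old configuration.
AFTER='  412     1 /usr/sbin/sshd
 1501   412 sshd: alice [priv]
 1502  1501 sshd: alice@pts/0'

# surviving_sessions LISTENER_PID BEFORE_SNAPSHOT AFTER_SNAPSHOT
# Prints, one per line, the pids of "[priv]" session monitors that were
# children of LISTENER_PID before the reload and still exist afterwards.
# Those sessions were set up with the old config; terminate or audit them
# if the config change must apply to existing logins.
surviving_sessions() {
    listener=$1
    before=$2
    after=$3
    printf '%s\n' "$before" |
        awk -v lp="$listener" '$2 == lp && /sshd: .*\[priv\]/ { print $1 }' |
        while read -r pid; do
            printf '%s\n' "$after" | awk -v p="$pid" '$1 == p { print p }'
        done
}

# Usage: sessions still running under the pre-reload configuration.
surviving_sessions 412 "$BEFORE" "$AFTER"
```

Replace the constructed snapshots with real `ps` output captured before and after the SIGHUP to run this against a live host.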
