From: Ed Maste
Date: Sun, 5 Sep 2021 10:42:45 -0400
Subject: Re: OpenSSH 8.7p1 update for the base system
To: Benjamin Kaduk
Cc: FreeBSD Hackers
In-Reply-To: <20210905040341.GG96301@kduck.mit.edu>
List-Id: Technical discussions relating to FreeBSD
List-Archive: https://lists.freebsd.org/archives/freebsd-hackers

On Sun, 5 Sept 2021 at 00:04, Benjamin Kaduk wrote:
>
> Hi Ed,
>
> I'm not sure whether this would be something for the release notes or not,
> but I believe that making privilege separation mandatory causes GSSAPI
> credential delegation to essentially not work.

I think privilege separation became mandatory in 7.5p1, imported in
d93a896ef959 in 2017. Thus I believe this hasn't been functional for
quite some time; am I mistaken?

It should still be documented, even if it's well after the fact. I
think it's also worth trying to fix, although I'm not sure if I will
have time to work on it.