Re: OpenSSH 8.7p1 update for the base system

From: Benjamin Kaduk <kaduk_at_mit.edu>
Date: Mon, 06 Sep 2021 16:36:16 UTC

On Sun, Sep 05, 2021 at 10:42:45AM -0400, Ed Maste wrote:
> On Sun, 5 Sept 2021 at 00:04, Benjamin Kaduk <kaduk@mit.edu> wrote:
> >
> > Hi Ed,
> >
> > I'm not sure whether this would be something for the release notes or not,
> > but I believe that making privilege separation mandatory causes GSSAPI
> > credential delegation to essentially not work.
> 
> I think privilege separation became mandatory in 7.5p1, imported in
> d93a896ef959 in 2017. Thus I believe this hasn't been functional for
> quite some time; am I mistaken?

That seems likely; I confess I didn't follow the versioning very closely
across which machines I have to use a workaround on.

> It should still be documented, even if it's well after the fact. I
> think it's also worth trying to fix, although I'm not sure if I will
> have time to work on it.

Fair enough.  I don't remember enough about what channels are available for
communicating (sensitive!) information across the UID boundary in sshd, so
I can't really speak to how hard it would be.

Thanks,

Ben