Date:      Sat, 4 Sep 2021 21:04:07 -0700
From:      Benjamin Kaduk <kaduk@mit.edu>
To:        Ed Maste <emaste@freebsd.org>
Cc:        FreeBSD Hackers <freebsd-hackers@freebsd.org>
Subject:   Re: OpenSSH 8.7p1 update for the base system
Message-ID:  <20210905040341.GG96301@kduck.mit.edu>
In-Reply-To: <CAPyFy2A390kS_C3g=Y9QhQcJ06z_FKUxXsNvi9g2CdWF24pukg@mail.gmail.com>
References:  <CAPyFy2A390kS_C3g=Y9QhQcJ06z_FKUxXsNvi9g2CdWF24pukg@mail.gmail.com>

Hi Ed,

I'm not sure whether this would be something for the release notes or not,
but I believe that making privilege separation mandatory causes GSSAPI
credential delegation to essentially not work.  (There are several pieces
that interact to make this happen, and I don't expect you to do any work to
try to fix it; this would just be a question of whether any documentation
of the change should occur.)

-Ben

On Sat, Sep 04, 2021 at 11:59:06AM -0400, Ed Maste wrote:
> I'm preparing to update OpenSSH in the FreeBSD base system to 8.7p1,
> and am sharing an initial patch for testing.
> 
> The update is available from a branch in my github repo:
> https://github.com/emaste/freebsd/tree/openssh-8.7p1-wip
> (commit 0afe07936bbd37a1b91ead95f580c47ccc16df79)
> 
> Also as a diff against main:
> https://people.freebsd.org/~emaste/openssh/FreeBSD-base-openssh-8.7p1-20210904-114623.diff
> 
> In addition I have a review open in Phabricator, although it is quite
> awkward to usefully review a vendor update presented like this.
> https://reviews.freebsd.org/D29985
> 
> If you give it a try please let me know what you've tested out.
> 


