From: Andrey Chernov
Date: Sat, 01 Mar 2014 11:39:08 +0400
To: des@freebsd.org, stable@freebsd.org
Subject: Re: openssh in stable-10 broken config or sandbox
Message-ID: <53118E9C.5030804@freebsd.org>
In-Reply-To: <531184A8.4050909@freebsd.org>

On 01.03.2014 10:56, Andrey Chernov wrote:
> Hi.
> Default /etc/ssh/sshd_config has
> #UsePrivilegeSeparation sandbox
> I.e. 'sandbox' by default. It breaks logins with error:
> sshd[81721]: fatal: ssh_sandbox_child: failed to limit the network socket [preauth]
> Fixed by using the old way, i.e. direct
> UsePrivilegeSeparation yes
> instead of 'sandbox'. Please fix this bug.

Just found that capsicum is required now for the default (i.e. sandbox) mode. Don't think it is a wise move, people may lose remote connections that way, at least an UPDATING entry is needed, but a check for WITHOUT_CAPSICUM for defaults will be better.

-- 
http://ache.vniz.net/
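
An added example, not part of the original message and not FreeBSD or OpenSSH project code: a pre-reboot check for the condition reported above, where sandbox privilege separation is in effect (explicitly, or through the commented-out default) on a kernel without Capsicum. The function names and the `--check` argument are hypothetical, and the sysctl name `kern.features.security_capabilities` is an assumption to verify on the target system.

```sh
#!/bin/sh
# Added example (not from the original message).
# sshd takes the first value it finds for a keyword, keywords are
# case-insensitive, and a commented-out line leaves the built-in default.

# Print the effective UsePrivilegeSeparation value for config file $1.
# The default "sandbox" is taken from the report above.
effective_privsep() {
    awk '
        /^[ \t]*#/ { next }                    # comment lines set nothing
        {
            line = $0
            sub(/^[ \t]+/, "", line)
            n = split(line, f, /[ \t=]+/)
            if (n >= 2 && tolower(f[1]) == "useprivilegeseparation") {
                print tolower(f[2]); found = 1; exit
            }
        }
        END { if (!found) print "sandbox" }
    ' "$1"
}

# Return 0 (logins at risk) when sandbox mode is in effect and the kernel
# lacks Capsicum. $1 = config file, $2 = 1 if the kernel has Capsicum.
sandbox_login_risk() {
    [ "$(effective_privsep "$1")" = "sandbox" ] && [ "$2" != "1" ]
}

# Print 1 if the running kernel reports Capsicum support, else 0.
# Assumption: the feature is exposed as kern.features.security_capabilities.
kernel_has_capsicum() {
    if [ "$(sysctl -n kern.features.security_capabilities 2>/dev/null)" = "1" ]
    then echo 1; else echo 0; fi
}

# Usage: sh privsep_check.sh --check [/etc/ssh/sshd_config]
if [ "${1:-}" = "--check" ]; then
    cfg=${2:-/etc/ssh/sshd_config}
    if sandbox_login_risk "$cfg" "$(kernel_has_capsicum)"; then
        echo "WARNING: sandbox privsep in effect, kernel lacks Capsicum."
        echo "Set 'UsePrivilegeSeparation yes' before relying on remote login."
        exit 1
    fi
    echo "OK: privsep mode '$(effective_privsep "$cfg")' works on this kernel."
fi
```

The check inspects the running kernel, so run it after booting the new kernel from the console, or pass the expected Capsicum state to `sandbox_login_risk` directly.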