From: Philippe Troin <[EMAIL PROTECTED]>
>I haven't looked at OPIE for ages, but when using it with ssh, doesn't
>it force you to turn privilege separation off in /etc/ssh/sshd_config?

Yes, using opie and pam and sshd all at once requires turning off privilege separation for sshd. Opie protects against a local root exploit anywhere on the machine causing a bunch of cascading compromises. Sshd privilege separation protects against an exploit in openssh allowing remote compromise of a bunch of machines. I don't know which risk is bigger.

Hey, maybe using exec-shield would decrease the chances of the openssh bugs being exploitable? That would also make other local root exploits harder. But maybe that has already been done.

--
Tim Freeman [EMAIL PROTECTED]
I xeroxed a mirror. Now I have an extra xerox machine. -- Steven Wright