I'm setting up a bunch of Fedora-based servers that will be authenticating logins via pam_ldap (PAM). I've gotten things running nicely, but ran into a small problem with OpenSSH. When a user who hasn't logged into a certain box before logs in and his home directory doesn't exist, I use the pam_mkhomedir.so module to create the directory. However, this will barf on OpenSSH <= 3.7 unless Privilege Separation is disabled since after authentication is complete, the process is running as the 'ssh' user and can't write to /home (and couldn't change the owner of the new directory to the user I want in any case). Work-around is to turn off privilege separation, but I'm not sure how good of an idea this is... the other option would be to upgrade to OpenSSH 3.7.x where this problem is no longer an issue. Any plans to bump Fedora's OpenSSH to 3.7? Doesn't appear to be the case in C2. Maybe I should roll my own RPMs or just modify my Kickstart configuration to turn off privilege separation on all the boxes when they're set up... Just looking for some opinions.
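An added audit check, not from the original post nor from the Fedora or OpenSSH projects, that reports whether a host carries the work-around described above: pam_mkhomedir.so in the PAM session stack combined with UsePrivilegeSeparation set to no in sshd_config. The function names, the file paths passed as arguments and the constructed sample files are my assumptions; on a Fedora host the real inputs would be /etc/ssh/sshd_config and the PAM file that loads pam_mkhomedir.

```shell
#!/bin/sh
# Added audit helper (not part of the original post). It flags the combination
# the post describes: pam_mkhomedir in the PAM session stack together with
# privilege separation turned off in sshd_config, so the setting can be found
# and reverted once the installed sshd no longer needs it.

# sshd honours the first uncommented occurrence of a keyword; absent means "yes".
privsep_value() {
    v=$(awk 'tolower($1)=="useprivilegeseparation" { print tolower($2); exit }' "$1")
    echo "${v:-yes}"
}

# True if any active "session" line in the PAM file loads pam_mkhomedir.so.
has_mkhomedir() {
    grep -Eq '^[[:space:]]*session[[:space:]]+[^#]*pam_mkhomedir\.so' "$1"
}

# Prints a one-word verdict; returns 0 when privilege separation is intact.
# Arguments: path to sshd_config, path to the PAM service file.
check_mkhomedir_privsep() {
    sshd_cfg=$1; pam_file=$2
    if has_mkhomedir "$pam_file"; then mk=yes; else mk=no; fi
    case "$(privsep_value "$sshd_cfg")/$mk" in
        no/yes)  echo "PRIVSEP_OFF_FOR_MKHOMEDIR"; return 1 ;;  # the work-around is in place
        no/*)    echo "PRIVSEP_OFF";               return 1 ;;  # privsep off with no mkhomedir
        */yes)   echo "PRIVSEP_ON_MKHOMEDIR";      return 0 ;;  # privsep kept; old sshd will fail
        *)       echo "OK";                        return 0 ;;
    esac
}

# Constructed sample files for an offline run; $1 is a writable directory.
make_samples() {
    printf '# constructed sshd_config sample\nUsePrivilegeSeparation no\n' > "$1/sshd_config"
    printf 'session  required  pam_mkhomedir.so skel=/etc/skel umask=0077\n' > "$1/system-auth"
}
```

Run it as `check_mkhomedir_privsep /etc/ssh/sshd_config /etc/pam.d/system-auth` after sourcing the file; the non-zero return makes it usable from a Kickstart post-install or a periodic audit.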