If boks_sshd is enabled for Privilege Separation mode, users logging in using
SSH configured for Kerberos authentication can occasionally be prompted for
keyboard-interactive authentication. The problem is that boks_ssh sometimes
tries to read the local BoKS ENV file to see if Kerberos is set up. This can be done
after the unprivileged process has changed root with a chroot system call
(see the chroot(2) man page), causing the lookup to fail since the BoKS ENV
file does not exist under the new root.

Resolution / Workaround

To resolve this issue, apply one of the following hotfixes:

  • HFBM-0080-1 for BM6.7
  • HFBM-0086-1 for BM7.0

Both hotfixes are available for download from the HelpSystems Community Portal.

Each hotfix includes a new boks_sshd binary where the unprivileged process 
reads the BoKS ENV file into memory before the chroot(2) call is made and
makes sure that the ENV file is not re-read later in the unprivileged process.

Still have questions? We can help. Submit a case to Technical Support.

Last Modified On: May 25, 2018