If boks_sshd is enabled for Privilege Separation mode, users logging in using
SSH configured for Kerberos authentication can occasionally be prompted for
keyboard-interactive authentication. The cause is that boks_ssh sometimes
tries to read the local BoKS ENV file to see if Kerberos is set up. This read
can happen after the unprivileged process has changed its root directory with
the chroot system call (see the chroot(2) man page). The lookup then fails
because the BoKS ENV file does not exist under the new root.
Resolution / Workaround
To resolve this issue, apply one of the following hotfixes:
Both hotfixes are available for download from the HelpSystems Community Portal.
Each hotfix includes a new boks_sshd binary where the unprivileged process
reads the BoKS ENV file into memory before the chroot(2) call is made and
makes sure that the ENV file is not re-read later in the unprivileged process.
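The ordering described above, as an added example that is not code from the boks_sshd binary or the hotfix: settings are read into memory once before chroot(2), and every later lookup is served from that copy. The function names and the KEY=VALUE file format are assumptions made for illustration.

```c
#define _DEFAULT_SOURCE
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

#define MAX_ENV 64

/* In-memory copy of the settings, filled once before chroot(2). */
static struct { char key[64]; char val[192]; } env_cache[MAX_ENV];
static int env_count = 0;
static int env_loaded = 0;

/* Read KEY=VALUE lines (assumed format) into memory.
 * Returns the number of entries stored, or -1 if the file cannot be opened. */
int env_preload(const char *path) {
    FILE *f = fopen(path, "r");
    char line[256];
    if (!f) return -1;
    env_count = 0;
    while (env_count < MAX_ENV && fgets(line, sizeof line, f)) {
        char *eq = strchr(line, '=');
        if (!eq || line[0] == '#') continue;      /* skip comments and junk */
        *eq = '\0';                               /* line now holds the key */
        eq[1 + strcspn(eq + 1, "\r\n")] = '\0';   /* trim the line ending */
        snprintf(env_cache[env_count].key, sizeof env_cache[0].key, "%s", line);
        snprintf(env_cache[env_count].val, sizeof env_cache[0].val, "%s", eq + 1);
        env_count++;
    }
    fclose(f);
    env_loaded = 1;
    return env_count;
}

/* Lookup that never touches the filesystem, so it still works after chroot(2). */
const char *env_lookup(const char *key) {
    if (!env_loaded) return NULL;   /* nothing preloaded: report "not set" */
    for (int i = 0; i < env_count; i++)
        if (strcmp(env_cache[i].key, key) == 0) return env_cache[i].val;
    return NULL;
}

/* Change root (needs root privileges); the ENV path stops resolving after this. */
int enter_jail(const char *dir) {
    if (chroot(dir) != 0 || chdir("/") != 0) return -1;
    return 0;
}
```

The unprivileged process calls env_preload() first and enter_jail() second; reversing the two calls reproduces the failed lookup described above.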