2002-05-13 03:57:04 +00:00
|
|
|
Privilege separation, or privsep, is an experimental feature in
|
|
|
|
OpenSSH in which operations that require root privilege are performed
|
|
|
|
by a separate privileged monitor process. Its purpose is to prevent
|
|
|
|
privilege escalation by containing corruption to an unprivileged
|
|
|
|
process. More information is available at:
|
|
|
|
http://www.citi.umich.edu/u/provos/ssh/privsep.html
|
|
|
|
|
|
|
|
Privilege separation is not enabled by default, and may be enabled by
|
|
|
|
specifying "UsePrivilegeSeparation yes" in sshd_config; see the
|
|
|
|
UsePrivilegeSeparation option in sshd(8).
|
|
|
|
|
|
|
|
When privsep is enabled, the pre-authentication sshd process will
|
|
|
|
chroot(2) to "/var/empty" and change its privileges to the "sshd" user
|
|
|
|
and its primary group. You should do something like the following to
|
|
|
|
prepare the privsep preauth environment:
|
|
|
|
|
|
|
|
# mkdir /var/empty
|
|
|
|
# chown root:sys /var/empty
|
|
|
|
# chmod 755 /var/empty
|
|
|
|
# groupadd sshd
|
|
|
|
# useradd -g sshd sshd
|
|
|
|
|
2002-05-14 00:07:18 +00:00
|
|
|
If you are on UnixWare 7 or OpenUNIX 8 do this additional step.
|
|
|
|
# ln /usr/lib/.ns.so /usr/lib/ns.so.1
|
|
|
|
|
2002-05-13 03:57:04 +00:00
|
|
|
/var/empty should not contain any files.
|
|
|
|
|
|
|
|
configure supports the following options to change the default
|
|
|
|
privsep user and chroot directory:
|
|
|
|
|
2002-05-22 01:02:15 +00:00
|
|
|
--with-privsep-path=xxx Path for privilege separation chroot
|
2002-05-13 03:57:04 +00:00
|
|
|
--with-privsep-user=user Specify non-privileged user for privilege separation
|
|
|
|
|
|
|
|
Privsep requires operating system support for file descriptor passing
|
|
|
|
and mmap(MAP_ANON).
|
|
|
|
|
2002-05-13 23:31:09 +00:00
|
|
|
PAM-enabled OpenSSH is known to function with privsep on Linux and
|
|
|
|
Solaris 8. It does not function on HP-UX with a trusted system
|
|
|
|
configuration. PAMAuthenticationViaKbdInt does not function with
|
2002-05-13 03:57:04 +00:00
|
|
|
privsep.
|
|
|
|
|
|
|
|
Note that for a normal interactive login with a shell, enabling privsep
|
|
|
|
will require 1 additional process per login session.
|
|
|
|
|
|
|
|
Given the following process listing (from HP-UX):
|
|
|
|
|
|
|
|
UID PID PPID C STIME TTY TIME COMMAND
|
|
|
|
root 1005 1 0 10:45:17 ? 0:08 /opt/openssh/sbin/sshd -u0
|
|
|
|
root 6917 1005 0 15:19:16 ? 0:00 sshd: stevesk [priv]
|
|
|
|
stevesk 6919 6917 0 15:19:17 ? 0:03 sshd: stevesk@2
|
|
|
|
stevesk 6921 6919 0 15:19:17 pts/2 0:00 -bash
|
|
|
|
|
|
|
|
process 1005 is the sshd process listening for new connections.
|
|
|
|
process 6917 is the privileged monitor process, 6919 is the user owned
|
|
|
|
sshd process and 6921 is the shell process.
|
|
|
|
|
2002-05-22 01:02:15 +00:00
|
|
|
$Id: README.privsep,v 1.5 2002/05/22 01:02:15 djm Exp $
|