Privilege separation, or privsep, is a method in OpenSSH by which
operations that require root privilege are performed by a separate
privileged monitor process. Its purpose is to prevent privilege
escalation by containing corruption to an unprivileged process.
More information is available at:
        http://www.citi.umich.edu/u/provos/ssh/privsep.html

Privilege separation is now enabled by default; see the
UsePrivilegeSeparation option in sshd_config(5).

On systems which lack mmap or anonymous (MAP_ANON) memory mapping,
compression must be disabled in order for privilege separation to
function.

When privsep is enabled, during the pre-authentication phase sshd will
chroot(2) to "/var/empty" and change its privileges to the "sshd" user
and its primary group. sshd is a pseudo-account that should not be
used by other daemons, and must be locked and should contain a
"nologin" or invalid shell.

You should do something like the following to prepare the privsep
preauth environment:

        # mkdir /var/empty
        # chown root:sys /var/empty
        # chmod 755 /var/empty
        # groupadd sshd
        # useradd -g sshd -c 'sshd privsep' -d /var/empty -s /bin/false sshd

/var/empty should not contain any files.
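The preparation steps above can be audited with the following script, an added example that is not part of OpenSSH: it checks that the chroot directory is owned by root, is not group- or world-writable and is empty, and that the privsep account's home is the chroot and its shell is a nologin or nonexistent one. Defaults are the README's (/var/empty, user sshd); the script name privsep-audit.sh is assumed.

```sh
#!/bin/sh
# Audit the privsep pre-auth environment prepared above.
# Added example, not part of OpenSSH. Pass other values when configure
# was run with --with-privsep-path / --with-privsep-user.

# check_privsep_dir DIR [OWNER]: DIR must be a directory owned by OWNER
# (default root), not writable by group or others, and contain no files.
# Prints the first problem found and returns 1; returns 0 when all is well.
check_privsep_dir() {
    dir=$1
    owner=${2:-root}
    [ -d "$dir" ] || { echo "$dir: missing or not a directory"; return 1; }
    set -- $(ls -ld "$dir")        # $1 = mode string, $3 = owner name
    [ "$3" = "$owner" ] || { echo "$dir: owned by $3, expected $owner"; return 1; }
    case $1 in                     # char 6 = group write, char 9 = other write
        ?????w*|????????w*) echo "$dir: group- or world-writable ($1)"; return 1 ;;
    esac
    [ -z "$(ls -A "$dir")" ] || { echo "$dir: must not contain any files"; return 1; }
    return 0
}

# check_privsep_entry PASSWD_LINE [HOME]: validate one passwd(5) entry.
# Home must be the privsep chroot (default /var/empty); the shell must be
# a nologin-style shell or a path that does not exist ("invalid shell").
check_privsep_entry() {
    want_home=${2:-/var/empty}
    IFS=: read -r name pw uid gid gecos home shell <<EOF
$1
EOF
    [ "$home" = "$want_home" ] || { echo "$name: home is $home, expected $want_home"; return 1; }
    case $shell in
        /bin/false|/sbin/nologin|/usr/sbin/nologin|/bin/nologin) return 0 ;;
    esac
    [ ! -e "$shell" ] || { echo "$name: $shell is a usable login shell"; return 1; }
    return 0
}

# check_privsep_user USER [HOME]: look USER up in the passwd database.
# The locked state lives in the shadow file and needs root to read
# (e.g. passwd -S), so it is not checked here.
check_privsep_user() {
    entry=$(getent passwd "$1") || { echo "$1: no such account"; return 1; }
    check_privsep_entry "$entry" "$2"
}

# Usage: sh privsep-audit.sh [chroot-dir] [privsep-user]
if [ $# -gt 0 ]; then
    check_privsep_dir "$1" && check_privsep_user "${2:-sshd}" "$1"
fi
```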

configure supports the following options to change the default
privsep user and chroot directory:

        --with-privsep-path=xxx         Path for privilege separation chroot
        --with-privsep-user=user        Specify non-privileged user for privilege separation

Privsep requires operating system support for file descriptor passing.
Compression will be disabled on systems without a working mmap MAP_ANON.

PAM-enabled OpenSSH is known to function with privsep on Linux.
It does not function on HP-UX with a trusted system
configuration.

On Compaq Tru64 Unix, only the pre-authentication part of privsep is
supported. Post-authentication privsep is disabled automatically (so
you won't see the additional process mentioned below).

Note that for a normal interactive login with a shell, enabling privsep
will require 1 additional process per login session.

Given the following process listing (from HP-UX):

             UID   PID  PPID  C    STIME TTY       TIME COMMAND
            root  1005     1  0 10:45:17 ?         0:08 /opt/openssh/sbin/sshd -u0
            root  6917  1005  0 15:19:16 ?         0:00 sshd: stevesk [priv]
         stevesk  6919  6917  0 15:19:17 ?         0:03 sshd: stevesk@2
         stevesk  6921  6919  0 15:19:17 pts/2     0:00 -bash

process 1005 is the sshd process listening for new connections.
process 6917 is the privileged monitor process, 6919 is the user-owned
sshd process and 6921 is the shell process.

$Id$