+
+if ( !getPrivilegeSeparation() )
+{
+ print "\n";
+ print " o For System Administrators:\n";
+ print "\n";
+ print " If you are going to run the GSI-OpenSSH server, we recommend\n";
+ print " enabling privilege separation. Although this package supports\n";
+ print " this feature, your system appears to require some additional\n";
+ print " configuration.\n";
+ print "\n";
+ print " From the file README.privsep, included as a part of the OpenSSH\n";
+ print " distribution:\n";
+ print "\n";
+ print " When privsep is enabled, during the pre-authentication\n";
+ print " phase sshd will chroot(2) to \"/var/empty\" and change its\n";
+ print " privileges to the \"sshd\" user and its primary group. sshd\n";
+ print " is a pseudo-account that should not be used by other\n";
+ print " daemons, and must be locked and should contain a \"nologin\"\n";
+ print " or invalid shell.\n";
+ print "\n";
+ print " You should do something like the following to prepare the\n";
+ print " privsep preauth environment:\n";
+ print "\n";
+ print " \# mkdir /var/empty\n";
+ print " \# chown root:sys /var/empty\n";
+ print " \# chmod 755 /var/empty\n";
+ print " \# groupadd sshd\n";
+ print " \# useradd -g sshd -c 'sshd privsep' -d /var/empty \\\n";
+ print " -s /bin/false sshd\n";
+ print "\n";
+ print " /var/empty should not contain any files.\n";
+}
+
+print "\n";
+print " o For more information about GSI-Enabled OpenSSH, visit:\n";
+print " <http://www.ncsa.uiuc.edu/Divisions/ACES/GSI/openssh/>\n";
+
+#
+# give the user a chance to read all of this output
+#
+
+print "\n";
+print "Press <return> to continue... ";
+$trash = <STDIN>;
+