X-Git-Url: http://andersk.mit.edu/gitweb/gssapi-openssh.git/blobdiff_plain/7435de97e06a6f521ca5a565aeb5f36861ca3375..HEAD:/openssh/README.privsep diff --git a/openssh/README.privsep b/openssh/README.privsep index 63c4d4a..b8c633b 100644 --- a/openssh/README.privsep +++ b/openssh/README.privsep 
@@ -1,27 +1,31 @@ -Privilege separation, or privsep, is an experimental feature in -OpenSSH in which operations that require root privilege are performed -by a separate privileged monitor process. Its purpose is to prevent -privilege escalation by containing corruption to an unprivileged -process. More information is available at: +Privilege separation, or privsep, is method in OpenSSH by which +operations that require root privilege are performed by a separate +privileged monitor process. Its purpose is to prevent privilege +escalation by containing corruption to an unprivileged process. +More information is available at: http://www.citi.umich.edu/u/provos/ssh/privsep.html -Privilege separation is not enabled by default, and may be enabled by -specifying "UsePrivilegeSeparation yes" in sshd_config; see the -UsePrivilegeSeparation option in sshd(8). +Privilege separation is now enabled by default; see the +UsePrivilegeSeparation option in sshd_config(5). -When privsep is enabled, the pre-authentication sshd process will +On systems which lack mmap or anonymous (MAP_ANON) memory mapping, +compression must be disabled in order for privilege separation to +function. + +When privsep is enabled, during the pre-authentication phase sshd will chroot(2) to "/var/empty" and change its privileges to the "sshd" user -and its primary group. You should do something like the following to -prepare the privsep preauth environment: +and its primary group. sshd is a pseudo-account that should not be +used by other daemons, and must be locked and should contain a +"nologin" or invalid shell. + +You should do something like the following to prepare the privsep +preauth environment: # mkdir /var/empty # chown root:sys /var/empty # chmod 755 /var/empty # groupadd sshd - # useradd -g sshd sshd - -If you are on UnixWare 7 or OpenUNIX 8 do this additional step. 
- # ln /usr/lib/.ns.so /usr/lib/ns.so.1 + # useradd -g sshd -c 'sshd privsep' -d /var/empty -s /bin/false sshd /var/empty should not contain any files. @@ -31,13 +35,15 @@ privsep user and chroot directory: --with-privsep-path=xxx Path for privilege separation chroot --with-privsep-user=user Specify non-privileged user for privilege separation -Privsep requires operating system support for file descriptor passing -and mmap(MAP_ANON). +Privsep requires operating system support for file descriptor passing. +Compression will be disabled on systems without a working mmap MAP_ANON. + +PAM-enabled OpenSSH is known to function with privsep on AIX, FreeBSD, +HP-UX (including Trusted Mode), Linux, NetBSD and Solaris. -PAM-enabled OpenSSH is known to function with privsep on Linux and -Solaris 8. It does not function on HP-UX with a trusted system -configuration. PAMAuthenticationViaKbdInt does not function with -privsep. +On Cygwin, Tru64 Unix, OpenServer, and Unicos only the pre-authentication +part of privsep is supported. Post-authentication privsep is disabled +automatically (so you won't see the additional process mentioned below). Note that for a normal interactive login with a shell, enabling privsep will require 1 additional process per login session.
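Review bot: in the first hunk the rewritten opening line `+Privilege separation, or privsep, is method in OpenSSH by which` drops an article; suggest `is a method in OpenSSH by which`. In the same hunk the new account paragraph states that the sshd pseudo-account "must be locked", but the preparation steps that follow only create it (`# useradd -g sshd -c 'sshd privsep' -d /var/empty -s /bin/false sshd`) and never lock its password, so a reader following the list verbatim may end up with an unlocked account; either add a platform-appropriate password-locking step to the list or say explicitly that locking is left to the administrator. Minor wording: "should contain a "nologin" or invalid shell" reads better as "should have a "nologin" or otherwise invalid shell".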
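Review bot: the second hunk's new line `+Compression will be disabled on systems without a working mmap MAP_ANON.` describes automatic behaviour, while the first hunk's new paragraph says compression "must be disabled in order for privilege separation to function", which reads as a manual requirement; the two statements should agree, so pick one (for example "compression is disabled automatically" if sshd does it itself, or point the reader at the Compression option if the administrator has to act). The hunk also deletes "PAMAuthenticationViaKbdInt does not function with privsep" without any replacement text; if that limitation no longer applies, a one-line note saying so would help administrators who configured around the old statement.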