Privilege separation, or privsep, is a method in OpenSSH by which
operations that require root privilege are performed by a separate
privileged monitor process. Its purpose is to prevent privilege
escalation by containing corruption to an unprivileged process.
More information is available at:
http://www.citi.umich.edu/u/provos/ssh/privsep.html

Privilege separation is now enabled by default; see the
UsePrivilegeSeparation option in sshd_config(5).

When privsep is enabled, the pre-authentication sshd process will
chroot(2) to "/var/empty" and change its privileges to the "sshd" user
and its primary group. You should do something like the following to
prepare the privsep preauth environment:

	# mkdir /var/empty
	# chown root:sys /var/empty
	# chmod 755 /var/empty
	# groupadd sshd
	# useradd -g sshd sshd

If you are on UnixWare 7 or OpenUNIX 8 do this additional step:
	# ln /usr/lib/.ns.so /usr/lib/ns.so.1

/var/empty should not contain any files.

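To confirm that the steps above produced a usable preauth environment, here is an added POSIX sh check (not OpenSSH code; the names check_privsep_chroot and check_privsep_user are assumptions) that verifies the chroot directory is empty, root-owned and not group- or world-writable, and that the sshd user exists with the expected primary group. The owner and group arguments default to root and to the user name respectively, so the same check can be run against a staging directory.

```shell
#!/bin/sh
# Added example, not OpenSSH code: verifies the privsep preauth environment
# prepared by the mkdir/chown/chmod/groupadd/useradd steps. Only ls(1) and
# id(1) are used so it runs on the platforms named in this README.

# check_privsep_chroot DIR [OWNER]
#   0 ok; 1 missing; 2 not empty; 3 wrong owner (default root);
#   4 group- or world-writable
check_privsep_chroot() {
    dir=$1
    want_owner=${2:-root}
    [ -d "$dir" ] || { echo "$dir: missing or not a directory" >&2; return 1; }

    # "/var/empty should not contain any files": -A also catches dotfiles.
    if [ -n "$(ls -A "$dir")" ]; then
        echo "$dir: not empty" >&2; return 2
    fi

    # ls -ld prints the mode string as field 1 and the owner as field 3.
    set -- $(ls -ld "$dir")
    perms=$1
    owner=$3
    if [ "$owner" != "$want_owner" ]; then
        echo "$dir: owned by $owner, expected $want_owner" >&2; return 3
    fi
    # Mode string is d + rwx for user, group, other:
    # character 6 is the group write bit, character 9 the other write bit.
    case "$perms" in
        d????w*|d???????w*)
            echo "$dir: group- or world-writable ($perms)" >&2; return 4 ;;
    esac
    return 0
}

# check_privsep_user USER [GROUP]
#   0 ok; 1 no such user; 2 primary group is not GROUP (default: same name
#   as USER, matching "useradd -g sshd sshd")
check_privsep_user() {
    user=$1
    want_group=${2:-$1}
    id -u "$user" >/dev/null 2>&1 || { echo "no such user: $user" >&2; return 1; }
    group=$(id -gn "$user")
    if [ "$group" != "$want_group" ]; then
        echo "$user: primary group is $group, expected $want_group" >&2; return 2
    fi
    return 0
}

# Default invocation for a real install; result is reported via exit status.
# check_privsep_chroot /var/empty && check_privsep_user sshd
```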
configure supports the following options to change the default
privsep user and chroot directory:

	--with-privsep-path=xxx		Path for privilege separation chroot
	--with-privsep-user=user	Specify non-privileged user for privilege separation

Privsep requires operating system support for file descriptor passing
and mmap(MAP_ANON).

PAM-enabled OpenSSH is known to function with privsep on Linux.
It does not function on HP-UX with a trusted system
configuration. PAMAuthenticationViaKbdInt does not function with
privsep.

Note that for a normal interactive login with a shell, enabling privsep
will require 1 additional process per login session.

Given the following process listing (from HP-UX):

	    UID   PID  PPID  C    STIME TTY      TIME COMMAND
	   root  1005     1  0 10:45:17 ?        0:08 /opt/openssh/sbin/sshd -u0
	   root  6917  1005  0 15:19:16 ?        0:00 sshd: stevesk [priv]
	stevesk  6919  6917  0 15:19:17 ?        0:03 sshd: stevesk@2
	stevesk  6921  6919  0 15:19:17 pts/2    0:00 -bash

process 1005 is the sshd process listening for new connections.
process 6917 is the privileged monitor process, 6919 is the user-owned
sshd process and 6921 is the shell process.

$Id$