Privilege separation, or privsep, is an experimental feature in
OpenSSH in which operations that require root privilege are performed
by a separate privileged monitor process. Its purpose is to prevent
privilege escalation by containing corruption to an unprivileged
process. More information is available at:
http://www.citi.umich.edu/u/provos/ssh/privsep.html

Privilege separation is not enabled by default, and may be enabled by
specifying "UsePrivilegeSeparation yes" in sshd_config; see the
UsePrivilegeSeparation option in sshd(8).

When privsep is enabled, the pre-authentication sshd process will
chroot(2) to "/var/empty" and change its privileges to the "sshd" user
and its primary group. You should do something like the following to
prepare the privsep preauth environment:

    # mkdir /var/empty
    # chown root:sys /var/empty
    # chmod 755 /var/empty
    # groupadd sshd
    # useradd -g sshd sshd

If you are on UnixWare 7 or OpenUNIX 8, do this additional step:

    # ln /usr/lib/.ns.so /usr/lib/ns.so.1

/var/empty should not contain any files.

configure supports the following options to change the default
privsep user and chroot directory:

    --with-privsep-path=xxx   Path for privilege separation chroot
    --with-privsep-user=user  Specify non-privileged user for privilege separation

Privsep requires operating system support for file descriptor passing
and mmap(MAP_ANON).

OpenSSH is known to function with privsep on UnixWare 7 and OpenUNIX 8.
PAM-enabled OpenSSH is known to function with privsep on Linux and
Solaris 8. It does not function on HP-UX with a trusted system
configuration. PAMAuthenticationViaKbdInt does not function with
privsep.

Note that for a normal interactive login with a shell, enabling privsep
will require 1 additional process per login session.

Given the following process listing (from HP-UX):

        UID   PID  PPID  C    STIME TTY       TIME COMMAND
       root  1005     1  0 10:45:17 ?         0:08 /opt/openssh/sbin/sshd -u0
       root  6917  1005  0 15:19:16 ?         0:00 sshd: stevesk [priv]
    stevesk  6919  6917  0 15:19:17 ?         0:03 sshd: stevesk@2
    stevesk  6921  6919  0 15:19:17 pts/2     0:00 -bash

process 1005 is the sshd process listening for new connections,
process 6917 is the privileged monitor process, 6919 is the user-owned
sshd process and 6921 is the shell process.
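The preparation steps and configure defaults above, as an added audit script that is not part of the OpenSSH README or its source: it checks that the chroot directory is root-owned, mode 755 and empty, that the unprivileged user exists with the expected primary group, and that sshd_config actually turns privsep on. The function names and the DIR/OWNER/USER/GROUP/CONFIG parameters are this example's own; the values in the last line are the README's defaults.

```shell
# Added example, not OpenSSH code. POSIX sh; uses ls -ld instead of stat(1)
# because stat's flags differ between GNU and BSD.

# privsep_dir_ok DIR OWNER: DIR is a directory owned by OWNER, mode 755,
# and contains no files (the preauth child is chroot(2)ed here).
privsep_dir_ok() {
    dir=$1; owner=$2
    [ -d "$dir" ] || { echo "$dir: not a directory"; return 1; }
    line=$(ls -ld "$dir")
    # cut keeps only the 10-character mode; ACL/SELinux markers after it are ignored
    mode=$(printf '%s\n' "$line" | cut -c1-10)
    have_owner=$(printf '%s\n' "$line" | awk '{print $3}')
    [ "$mode" = "drwxr-xr-x" ] || { echo "$dir: mode $mode, want drwxr-xr-x (755)"; return 1; }
    [ "$have_owner" = "$owner" ] || { echo "$dir: owned by $have_owner, want $owner"; return 1; }
    [ -z "$(ls -A "$dir")" ] || { echo "$dir: should not contain any files"; return 1; }
    return 0
}

# privsep_user_ok USER GROUP: USER exists and GROUP is its primary group
# (what "useradd -g sshd sshd" produces).
privsep_user_ok() {
    user=$1; group=$2
    id -u "$user" >/dev/null 2>&1 || { echo "$user: no such user"; return 1; }
    primary=$(id -gn "$user")
    [ "$primary" = "$group" ] || { echo "$user: primary group $primary, want $group"; return 1; }
    return 0
}

# privsep_enabled CONFIG: an uncommented "UsePrivilegeSeparation yes" is present.
# sshd_config keywords are matched case-insensitively, so grep -i is used.
privsep_enabled() {
    grep -Eiq '^[[:space:]]*UsePrivilegeSeparation[[:space:]]+yes[[:space:]]*$' "$1"
}

# audit_privsep DIR OWNER USER GROUP CONFIG: run all three checks, report every failure.
audit_privsep() {
    rc=0
    privsep_dir_ok "$1" "$2" || rc=1
    privsep_user_ok "$3" "$4" || rc=1
    privsep_enabled "$5" || { echo "$5: UsePrivilegeSeparation yes not set"; rc=1; }
    return $rc
}

# README defaults; the config path is an assumption for this example.
# audit_privsep /var/empty root sshd sshd /etc/ssh/sshd_config
```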

$Id$