Privilege separation, or privsep, is an experimental feature in
OpenSSH in which operations that require root privilege are performed
by a separate privileged monitor process. Its purpose is to prevent
privilege escalation by containing corruption to an unprivileged
process. More information is available at:
http://www.citi.umich.edu/u/provos/ssh/privsep.html

Privilege separation is not enabled by default, and may be enabled by
specifying "UsePrivilegeSeparation yes" in sshd_config; see the
UsePrivilegeSeparation option in sshd(8).

When privsep is enabled, the pre-authentication sshd process will
chroot(2) to "/var/empty" and change its privileges to the "sshd" user
and its primary group. You should do something like the following to
prepare the privsep preauth environment:

    # mkdir /var/empty
    # chown root:sys /var/empty
    # chmod 755 /var/empty
    # groupadd sshd
    # useradd -g sshd sshd

If you are on UnixWare 7 or OpenUNIX 8, do this additional step:

    # ln /usr/lib/.ns.so /usr/lib/ns.so.1

/var/empty should not contain any files.
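The following POSIX sh script is an added example, not part of the OpenSSH distribution. It verifies the preparation steps above on a running host: the chroot directory exists, is root-owned, has mode 0755 and is empty, and the privsep user exists with the expected primary group. The defaults (/var/empty, user and group sshd) are the README's; pass other values when configure was run with --with-privsep-path or --with-privsep-user. Parsing ls -ld instead of a platform-specific stat(1), and the optional expected-owner argument (so the directory check can be exercised unprivileged against a scratch directory), are this example's own choices.

```shell
#!/bin/sh
# Added example (not OpenSSH code): check a host's privsep preauth
# environment as described in README.privsep.

# Chroot directory: must exist, be owned by root, be mode 0755 and hold
# nothing at all. The owner parameter defaults to root and exists only so
# the check can be run against a test directory by an unprivileged user.
privsep_dir_ok() {
    dir=$1
    owner=${2:-root}
    if [ ! -d "$dir" ]; then
        echo "$dir: missing or not a directory (mkdir $dir)" >&2
        return 1
    fi
    # ls -ld is available on every platform the README names. Field 1 is
    # the mode string (first 10 characters; an ACL marker may follow),
    # field 3 the owner.
    set -- $(ls -ld "$dir")
    mode=$(printf '%s' "$1" | cut -c1-10)
    if [ "$mode" != "drwxr-xr-x" ]; then
        echo "$dir: mode $mode, expected drwxr-xr-x (chmod 755 $dir)" >&2
        return 1
    fi
    if [ "$3" != "$owner" ]; then
        echo "$dir: owned by $3, expected $owner (chown $owner $dir)" >&2
        return 1
    fi
    # The README requires an empty chroot: whatever is in it is visible to
    # the unprivileged preauth process.
    if [ -n "$(ls -A "$dir")" ]; then
        echo "$dir: must not contain any files" >&2
        return 1
    fi
    return 0
}

# Privsep user: must exist and have the expected primary group
# (the README creates both as "sshd": groupadd sshd; useradd -g sshd sshd).
privsep_user_ok() {
    user=$1
    group=${2:-sshd}
    if ! id "$user" >/dev/null 2>&1; then
        echo "user $user does not exist (useradd -g $group $user)" >&2
        return 1
    fi
    primary=$(id -gn "$user")
    if [ "$primary" != "$group" ]; then
        echo "user $user has primary group $primary, expected $group" >&2
        return 1
    fi
    return 0
}

# Run both checks; arguments are chroot path, user and group, with the
# README defaults.
privsep_check() {
    rc=0
    privsep_dir_ok "${1:-/var/empty}" || rc=1
    privsep_user_ok "${2:-sshd}" "${3:-sshd}" || rc=1
    [ "$rc" -eq 0 ] && echo "privsep environment OK"
    return "$rc"
}

# Only run when invoked with --check, so the functions can also be sourced.
if [ "${1:-}" = "--check" ]; then
    privsep_check "$2" "$3" "$4"
fi
```

Invoke it as root after the preparation steps, e.g. `sh privsep_check.sh --check` for the defaults or `sh privsep_check.sh --check /path/from/configure sshd sshd` (file name is hypothetical); a non-zero exit status with the reason on stderr means sshd would be started against an unprepared environment.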

configure supports the following options to change the default
privsep user and chroot directory:

    --with-privsep-path=xxx   Path for privilege separation chroot
    --with-privsep-user=user  Specify non-privileged user for privilege separation

Privsep requires operating system support for file descriptor passing
and mmap(MAP_ANON).

PAM-enabled OpenSSH is known to function with privsep on Linux and
Solaris 8. It does not function on HP-UX with a trusted system
configuration. PAMAuthenticationViaKbdInt does not function with
privsep.

Note that for a normal interactive login with a shell, enabling privsep
will require one additional process per login session.

Given the following process listing (from HP-UX):

    UID        PID  PPID  C    STIME TTY      TIME COMMAND
    root      1005     1  0 10:45:17 ?        0:08 /opt/openssh/sbin/sshd -u0
    root      6917  1005  0 15:19:16 ?        0:00 sshd: stevesk [priv]
    stevesk   6919  6917  0 15:19:17 ?        0:03 sshd: stevesk@2
    stevesk   6921  6919  0 15:19:17 pts/2    0:00 -bash

Process 1005 is the sshd process listening for new connections.
Process 6917 is the privileged monitor process, 6919 is the user-owned
sshd process and 6921 is the shell process.
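The process tree above is also the quickest way to confirm that privsep is actually in effect on a host. The script below is an added example, not OpenSSH code: it reads a `ps -ef` style listing with the column layout shown above and checks that every per-session sshd process (title "sshd: user@tty") is owned by a non-root user and is a child of a "[priv]" monitor. A session process that still runs as root is reported as privsep not being in effect for that connection. The sample listings are constructed for the example: the first reproduces the HP-UX listing above, the second is a made-up variant in which the session process stayed root.

```shell
#!/bin/sh
# Added example (not OpenSSH code): audit a ps -ef listing for privsep.
# Assumes the column order UID PID PPID C STIME TTY TIME COMMAND shown in
# README.privsep, so COMMAND starts at field 8.
privsep_session_audit() {
    awk '
    NR == 1 { next }                      # column header
    # Session processes carry the title "sshd: ..."; the listener shows its
    # full path and the user shell has no such prefix, so both are skipped.
    $8 == "sshd:" {
        user[$2] = $1
        ppid[$2] = $3
        if ($NF == "[priv]") monitor[$2] = 1
    }
    END {
        bad = 0
        for (p in user) {
            if (p in monitor) continue
            if (user[p] == "root") {
                print "pid " p ": session process runs as root, privsep not in effect"
                bad++
            } else if (!(ppid[p] in monitor)) {
                print "pid " p " (" user[p] "): not a child of a [priv] monitor"
                bad++
            } else {
                print "pid " p " (" user[p] ") under monitor " ppid[p] " (" user[ppid[p]] "): ok"
            }
        }
        exit (bad ? 1 : 0)
    }'
}

# Constructed sample input: the HP-UX listing from README.privsep.
sample_ok() {
    cat <<'EOF'
UID PID PPID C STIME TTY TIME COMMAND
root 1005 1 0 10:45:17 ? 0:08 /opt/openssh/sbin/sshd -u0
root 6917 1005 0 15:19:16 ? 0:00 sshd: stevesk [priv]
stevesk 6919 6917 0 15:19:17 ? 0:03 sshd: stevesk@2
stevesk 6921 6919 0 15:19:17 pts/2 0:00 -bash
EOF
}

# Constructed sample input: no monitor, session process owned by root, which
# is what the tree looks like when privsep is not enabled.
sample_bad() {
    cat <<'EOF'
UID PID PPID C STIME TTY TIME COMMAND
root 1005 1 0 10:45:17 ? 0:08 /opt/openssh/sbin/sshd -u0
root 6919 1005 0 15:19:17 ? 0:03 sshd: stevesk@2
stevesk 6921 6919 0 15:19:17 pts/2 0:00 -bash
EOF
}

# Audit the live system only when asked, so the functions can be sourced.
if [ "${1:-}" = "--audit" ]; then
    ps -ef | privsep_session_audit
fi
```

Run `sh privsep_audit.sh --audit` (hypothetical file name) on a host with active sessions; exit status 1 with the offending PIDs printed means at least one connection is being served without a monitor/unprivileged-child split.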

$Id$