2002-06-21 16:45:50 +02:00
|
|
|
Privilege separation, or privsep, is method in OpenSSH by which
|
|
|
|
operations that require root privilege are performed by a separate
|
|
|
|
privileged monitor process. Its purpose is to prevent privilege
|
|
|
|
escalation by containing corruption to an unprivileged process.
|
|
|
|
More information is available at:
|
2002-05-13 05:57:04 +02:00
|
|
|
http://www.citi.umich.edu/u/provos/ssh/privsep.html
|
|
|
|
|
2002-06-21 16:45:50 +02:00
|
|
|
Privilege separation is now enabled by default; see the
|
|
|
|
UsePrivilegeSeparation option in sshd_config(5).
|
2002-05-13 05:57:04 +02:00
|
|
|
|
2002-06-21 16:48:02 +02:00
|
|
|
On systems which lack mmap or anonymous (MAP_ANON) memory mapping,
|
|
|
|
compression must be disabled in order for privilege separation to
|
|
|
|
function.
|
|
|
|
|
2002-06-24 18:49:22 +02:00
|
|
|
When privsep is enabled, during the pre-authentication phase sshd will
|
2002-05-13 05:57:04 +02:00
|
|
|
chroot(2) to "/var/empty" and change its privileges to the "sshd" user
|
|
|
|
and its primary group. You should do something like the following to
|
|
|
|
prepare the privsep preauth environment:
|
|
|
|
|
|
|
|
# mkdir /var/empty
|
|
|
|
# chown root:sys /var/empty
|
|
|
|
# chmod 755 /var/empty
|
|
|
|
# groupadd sshd
|
2002-06-24 18:49:22 +02:00
|
|
|
# useradd -g sshd -c 'sshd privsep' -d /var/empty sshd
|
2002-05-13 05:57:04 +02:00
|
|
|
|
|
|
|
/var/empty should not contain any files.
|
|
|
|
|
|
|
|
configure supports the following options to change the default
|
|
|
|
privsep user and chroot directory:
|
|
|
|
|
2002-05-22 03:02:15 +02:00
|
|
|
--with-privsep-path=xxx Path for privilege separation chroot
|
2002-05-13 05:57:04 +02:00
|
|
|
--with-privsep-user=user Specify non-privileged user for privilege separation
|
|
|
|
|
2002-06-26 02:25:47 +02:00
|
|
|
Privsep requires operating system support for file descriptor passing.
|
|
|
|
Compression will be disabled on systems without a working mmap MAP_ANON.
|
2002-05-13 05:57:04 +02:00
|
|
|
|
2002-06-21 16:45:50 +02:00
|
|
|
PAM-enabled OpenSSH is known to function with privsep on Linux.
|
|
|
|
It does not function on HP-UX with a trusted system
|
2002-05-14 01:31:09 +02:00
|
|
|
configuration. PAMAuthenticationViaKbdInt does not function with
|
2002-05-13 05:57:04 +02:00
|
|
|
privsep.
|
|
|
|
|
|
|
|
Note that for a normal interactive login with a shell, enabling privsep
|
|
|
|
will require 1 additional process per login session.
|
|
|
|
|
|
|
|
Given the following process listing (from HP-UX):
|
|
|
|
|
|
|
|
UID PID PPID C STIME TTY TIME COMMAND
|
|
|
|
root 1005 1 0 10:45:17 ? 0:08 /opt/openssh/sbin/sshd -u0
|
|
|
|
root 6917 1005 0 15:19:16 ? 0:00 sshd: stevesk [priv]
|
|
|
|
stevesk 6919 6917 0 15:19:17 ? 0:03 sshd: stevesk@2
|
|
|
|
stevesk 6921 6919 0 15:19:17 pts/2 0:00 -bash
|
|
|
|
|
|
|
|
process 1005 is the sshd process listening for new connections.
|
|
|
|
process 6917 is the privileged monitor process, 6919 is the user owned
|
|
|
|
sshd process and 6921 is the shell process.
|
|
|
|
|
2002-06-26 02:25:47 +02:00
|
|
|
$Id: README.privsep,v 1.9 2002/06/26 00:25:48 tim Exp $
|