tyler.durden
/
openssh-portable
mirror of https://github.com/PowerShell/openssh-portable.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Privsep is now required.

This commit is contained in:
Darren Tucker 2019-09-19 15:41:23 +10:00
parent 8aa2aa3cd4
commit 5a273a33ca
2 changed files with 8 additions and 11 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

8
INSTALL
View File

@ -24,6 +24,10 @@ If you must use a non-position-independent libcrypto, then you may need
to configure OpenSSH --without-pie. Note that due to a bug in EVP_CipherInit to configure OpenSSH --without-pie. Note that due to a bug in EVP_CipherInit
OpenSSL 1.1 versions prior to 1.1.0g can't be used. OpenSSL 1.1 versions prior to 1.1.0g can't be used.
To support Privilege Separation (which is now required) you will need
to create the user, group and directory used by sshd for privilege
separation. See README.privsep for details.
The remaining items are optional. The remaining items are optional.
NB. If you operating system supports /dev/random, you should configure NB. If you operating system supports /dev/random, you should configure
@ -133,10 +137,6 @@ make install
This will install the binaries in /opt/{bin,lib,sbin}, but will place the This will install the binaries in /opt/{bin,lib,sbin}, but will place the
configuration files in /etc/ssh. configuration files in /etc/ssh.
If you are using Privilege Separation (which is enabled by default)
then you will also need to create the user, group and directory used by
sshd for privilege separation. See README.privsep for details.
If you are using PAM, you may need to manually install a PAM control If you are using PAM, you may need to manually install a PAM control
file as "/etc/pam.d/sshd" (or wherever your system prefers to keep file as "/etc/pam.d/sshd" (or wherever your system prefers to keep
them). Note that the service name used to start PAM is __progname, them). Note that the service name used to start PAM is __progname,

11
README.privsep
View File

@ -5,13 +5,10 @@ escalation by containing corruption to an unprivileged process.
More information is available at: More information is available at:
http://www.citi.umich.edu/u/provos/ssh/privsep.html http://www.citi.umich.edu/u/provos/ssh/privsep.html
Privilege separation is now enabled by default; see the Privilege separation is now mandatory. During the pre-authentication
UsePrivilegeSeparation option in sshd_config(5). phase sshd will chroot(2) to "/var/empty" and change its privileges to the
"sshd" user and its primary group. sshd is a pseudo-account that should
When privsep is enabled, during the pre-authentication phase sshd will not be used by other daemons, and must be locked and should contain a
chroot(2) to "/var/empty" and change its privileges to the "sshd" user
and its primary group. sshd is a pseudo-account that should not be
used by other daemons, and must be locked and should contain a
"nologin" or invalid shell. "nologin" or invalid shell.
You should do something like the following to prepare the privsep You should do something like the following to prepare the privsep