by Noah Meyerhans
Import upstream version 3.8.1p1

Privilege separation, or privsep, is a method in OpenSSH by which
operations that require root privilege are performed by a separate
privileged monitor process.  Its purpose is to prevent privilege
escalation by confining any corruption of the network-facing code to an
unprivileged process.
More information is available at:
	http://www.citi.umich.edu/u/provos/ssh/privsep.html

Privilege separation is now enabled by default; see the
UsePrivilegeSeparation option in sshd_config(5).

On systems which lack mmap or anonymous (MAP_ANON) memory mapping,
compression must be disabled in order for privilege separation to
function.

When privsep is enabled, during the pre-authentication phase sshd will
chroot(2) to "/var/empty" and change its privileges to the "sshd" user
and its primary group.  sshd is a pseudo-account that should not be
used by other daemons; it must be locked and should have a "nologin" or
otherwise invalid shell.

You should do something like the following to prepare the privsep
preauth environment:

	# mkdir /var/empty
	# chown root:sys /var/empty
	# chmod 755 /var/empty
	# groupadd sshd
	# useradd -g sshd -c 'sshd privsep' -d /var/empty -s /bin/false sshd

/var/empty should not contain any files.
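
The following is an added example, not part of README.privsep or of
OpenSSH, that turns the requirements above (empty root-owned chroot,
locked pseudo-account with an unusable shell, privsep not switched off in
sshd_config) into a checklist script.  The function names, the default
owner "root" (the chown above uses root:sys; only the owner is checked
here), and the sample passwd/shadow records in the comments are my own;
the live wrapper assumes getent(1), which not every listed platform has.

```sh
#!/bin/sh
# Added example, not OpenSSH code: sanity checks for the privsep preauth
# environment described in README.privsep.  Assumes find(1) with -maxdepth,
# ls -A, and (for the live wrapper only) getent(1).

# check_privsep_dir DIR [OWNER]
# DIR must be a directory owned by OWNER (default root), mode exactly 0755
# so the unprivileged child cannot write into its own chroot, and empty.
check_privsep_dir() {
    dir=$1; owner=${2:-root}
    [ -d "$dir" ] || { echo "$dir: missing or not a directory"; return 1; }
    [ -n "$(find "$dir" -maxdepth 0 -user "$owner" -perm 0755 2>/dev/null)" ] \
        || { echo "$dir: must be owned by $owner with mode 0755"; return 1; }
    [ -z "$(ls -A "$dir")" ] || { echo "$dir: must not contain any files"; return 1; }
}

# check_passwd_entry LINE DIR
# LINE is a passwd(5) record, e.g. (constructed sample)
#   sshd:x:74:74:sshd privsep:/var/empty:/bin/false
# The home must be the chroot directory and the shell /bin/false or a
# nologin binary, so the pseudo-account cannot be used interactively.
check_passwd_entry() {
    home=$(printf '%s\n' "$1" | cut -d: -f6)
    shell=$(printf '%s\n' "$1" | cut -d: -f7)
    [ "$home" = "$2" ] || { echo "home $home is not $2"; return 1; }
    case $shell in
        /bin/false|*/nologin) ;;
        *) echo "shell $shell is usable; want /bin/false or nologin"; return 1 ;;
    esac
}

# check_shadow_entry LINE
# LINE is a shadow(5) record; the account is locked when the password
# field begins with '!' or '*', which no password hash can match.
check_shadow_entry() {
    pw=$(printf '%s\n' "$1" | cut -d: -f2)
    case $pw in
        '!'*|'*'*) ;;
        *) echo "account is not locked"; return 1 ;;
    esac
}

# check_sshd_config FILE
# Fail if the first uncommented UsePrivilegeSeparation line (keywords are
# case-insensitive and the first match wins) turns privsep off.
check_sshd_config() {
    v=$(awk 'tolower($1) == "useprivilegeseparation" { print tolower($2); exit }' "$1")
    [ "$v" != "no" ] || { echo "$1: UsePrivilegeSeparation is set to no"; return 1; }
}

# check_privsep_env [USER] [DIR] [SSHD_CONFIG]: run everything against the
# live system.  The shadow check needs root and is skipped otherwise.
check_privsep_env() {
    user=${1:-sshd}; dir=${2:-/var/empty}; cfg=${3:-/etc/ssh/sshd_config}
    check_privsep_dir "$dir" root || return 1
    entry=$(getent passwd "$user") || { echo "no passwd entry for $user"; return 1; }
    check_passwd_entry "$entry" "$dir" || return 1
    if [ "$(id -u)" -eq 0 ]; then
        check_shadow_entry "$(getent shadow "$user")" || return 1
    fi
    [ -r "$cfg" ] && { check_sshd_config "$cfg" || return 1; }
    echo "privsep environment for $user in $dir looks sane"
}

# Only touch the live system when invoked with arguments, e.g.
#   sh privsep-check.sh sshd /var/empty
[ $# -eq 0 ] || check_privsep_env "$@"
```

Run it as root so the shadow record is readable; the configure options
below change the user and directory, so pass the values you built with.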

configure supports the following options to change the default
privsep user and chroot directory:

	--with-privsep-path=xxx   Path for privilege separation chroot
	--with-privsep-user=user  Specify non-privileged user for privilege separation

Privsep requires operating system support for file descriptor passing.
Compression will be disabled on systems without a working mmap MAP_ANON.

PAM-enabled OpenSSH is known to function with privsep on AIX, FreeBSD,
HP-UX (including Trusted Mode), Linux, NetBSD and Solaris.

On Cygwin, Tru64 Unix, OpenServer, and Unicos only the pre-authentication
part of privsep is supported.  Post-authentication privsep is disabled
automatically (so you won't see the additional process mentioned below).

Note that for a normal interactive login with a shell, enabling privsep
will require one additional process per login session.

Given the following process listing (from HP-UX):

    UID      PID  PPID  C    STIME  TTY      TIME  COMMAND
    root    1005     1  0 10:45:17  ?        0:08  /opt/openssh/sbin/sshd -u0
    root    6917  1005  0 15:19:16  ?        0:00  sshd: stevesk [priv]
    stevesk 6919  6917  0 15:19:17  ?        0:03  sshd: stevesk@2
    stevesk 6921  6919  0 15:19:17  pts/2    0:00  -bash

process 1005 is the sshd process listening for new connections,
process 6917 is the privileged monitor process, 6919 is the user-owned
sshd process and 6921 is the shell process.
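
As an added example (my own, not from OpenSSH or the README), the shape
described above can be checked on a running system: feed ps -ef output to
the function below and it verifies that every post-authentication session
child "sshd: USER@..." is owned by USER and has a root-owned
"sshd: USER [priv]" monitor as its parent.  A child whose parent is the
listener rather than a monitor, or which still runs as root, is reported.
The function name and the second, constructed listing used for testing
are assumptions; fields are counted from the end of each line so the
date and TTY columns of different ps(1) flavours do not matter.

```sh
#!/bin/sh
# Added example, not OpenSSH code: verify from ps -ef output that each
# post-authentication session has the structure README.privsep describes:
# a root-owned monitor "sshd: USER [priv]" whose child "sshd: USER@..." runs
# as USER.  Reads the listing on stdin, prints one line per violation and
# exits non-zero if any were found.
check_privsep_listing() {
    awk '
    NF < 3 || $1 == "UID"                                   { next }
    # monitor: owned by root, command ends in "sshd: USER [priv]"
    $1 == "root" && $(NF-2) == "sshd:" && $NF == "[priv]" {
        monitor_user[$2] = $(NF-1); next
    }
    # session child: command ends in "sshd: USER@TTY"
    $(NF-1) == "sshd:" && $NF ~ /@/ {
        split($NF, f, "@")
        child_user[$2] = f[1]; owner[$2] = $1; parent[$2] = $3
    }
    END {
        bad = 0
        for (pid in child_user) {
            ppid = parent[pid]
            if (!(ppid in monitor_user)) {
                printf "pid %s: parent %s is not a [priv] monitor (privsep off?)\n", pid, ppid
                bad = 1; continue
            }
            if (monitor_user[ppid] != child_user[pid]) {
                printf "pid %s: monitor %s belongs to %s, child claims %s\n", pid, ppid, monitor_user[ppid], child_user[pid]
                bad = 1
            }
            if (owner[pid] != child_user[pid]) {
                printf "pid %s: runs as %s instead of %s\n", pid, owner[pid], child_user[pid]
                bad = 1
            }
        }
        exit bad
    }'
}

# Typical use on a live system:
#   ps -ef | check_privsep_listing
```

Pre-authentication processes carry no "USER@" title and are ignored, so
the check says nothing about connections that have not authenticated yet.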
|
62 |
||
1.1.3
by Colin Watson
Import upstream version 4.2p1 |
63 |
$Id: README.privsep,v 1.16 2005/06/04 23:21:41 djm Exp $ |