| Privilege separation, or privsep, is an experimental feature in |
| OpenSSH in which operations that require root privilege are performed |
| by a separate privileged monitor process. Its purpose is to prevent |
| privilege escalation by containing corruption to an unprivileged |
| process. More information is available at: |
| http://www.citi.umich.edu/u/provos/ssh/privsep.html |
| |
| Privilege separation is not enabled by default, and may be enabled by |
| specifying "UsePrivilegeSeparation yes" in sshd_config; see the |
| UsePrivilegeSeparation option in sshd(8). |
| |
| When privsep is enabled, the pre-authentication sshd process will |
| chroot(2) to "/var/empty" and change its privileges to the "sshd" user |
| and its primary group. You should do something like the following to |
| prepare the privsep preauth environment: |
| |
| # mkdir /var/empty |
| # chown root:sys /var/empty |
| # chmod 755 /var/empty |
| # groupadd sshd |
| # useradd -g sshd sshd |
| |
| /var/empty should not contain any files. |
| |
| configure supports the following options to change the default |
| privsep user and chroot directory: |
| |
| --with-privsep-path=xxx Path for privilege seperation chroot |
| --with-privsep-user=user Specify non-privileged user for privilege separation |
| |
| Privsep requires operating system support for file descriptor passing |
| and mmap(MAP_ANON). |
| |
| PAM currently only works with privsep on Linux. It does not function |
| on Solaris or HP-UX. PAMAuthenticationViaKbdInt does not function with |
| privsep. |
| |
| Note that for a normal interactive login with a shell, enabling privsep |
| will require 1 additional process per login session. |
| |
| Given the following process listing (from HP-UX): |
| |
| UID PID PPID C STIME TTY TIME COMMAND |
| root 1005 1 0 10:45:17 ? 0:08 /opt/openssh/sbin/sshd -u0 |
| root 6917 1005 0 15:19:16 ? 0:00 sshd: stevesk [priv] |
| stevesk 6919 6917 0 15:19:17 ? 0:03 sshd: stevesk@2 |
| stevesk 6921 6919 0 15:19:17 pts/2 0:00 -bash |
| |
| process 1005 is the sshd process listening for new connections. |
| process 6917 is the privileged monitor process, 6919 is the user owned |
| sshd process and 6921 is the shell process. |
| |
| $Id: README.privsep,v 1.1 2002/05/13 03:57:04 stevesk Exp $ |