1 | Privilege separation, or privsep, is method in OpenSSH by which |
---|
2 | operations that require root privilege are performed by a separate |
---|
3 | privileged monitor process. Its purpose is to prevent privilege |
---|
4 | escalation by containing corruption to an unprivileged process. |
---|
5 | More information is available at: |
---|
6 | http://www.citi.umich.edu/u/provos/ssh/privsep.html |
---|
7 | |
---|
8 | Privilege separation is now enabled by default; see the |
---|
9 | UsePrivilegeSeparation option in sshd_config(5). |
---|
10 | |
---|
11 | On systems which lack mmap or anonymous (MAP_ANON) memory mapping, |
---|
12 | compression must be disabled in order for privilege separation to |
---|
13 | function. |
---|
14 | |
---|
15 | When privsep is enabled, during the pre-authentication phase sshd will |
---|
16 | chroot(2) to "/var/empty" and change its privileges to the "sshd" user |
---|
17 | and its primary group. sshd is a pseudo-account that should not be |
---|
18 | used by other daemons, and must be locked and should contain a |
---|
19 | "nologin" or invalid shell. |
---|
20 | |
---|
21 | You should do something like the following to prepare the privsep |
---|
22 | preauth environment: |
---|
23 | |
---|
24 | # mkdir /var/empty |
---|
25 | # chown root:sys /var/empty |
---|
26 | # chmod 755 /var/empty |
---|
27 | # groupadd sshd |
---|
28 | # useradd -g sshd -c 'sshd privsep' -d /var/empty -s /bin/false sshd |
---|
29 | |
---|
30 | /var/empty should not contain any files. |
---|
31 | |
---|
32 | configure supports the following options to change the default |
---|
33 | privsep user and chroot directory: |
---|
34 | |
---|
35 | --with-privsep-path=xxx Path for privilege separation chroot |
---|
36 | --with-privsep-user=user Specify non-privileged user for privilege separation |
---|
37 | |
---|
38 | Privsep requires operating system support for file descriptor passing. |
---|
39 | Compression will be disabled on systems without a working mmap MAP_ANON. |
---|
40 | |
---|
41 | PAM-enabled OpenSSH is known to function with privsep on Linux. |
---|
42 | It does not function on HP-UX with a trusted system |
---|
43 | configuration. PAMAuthenticationViaKbdInt does not function with |
---|
44 | privsep. |
---|
45 | |
---|
46 | Note that for a normal interactive login with a shell, enabling privsep |
---|
47 | will require 1 additional process per login session. |
---|
48 | |
---|
49 | Given the following process listing (from HP-UX): |
---|
50 | |
---|
51 | UID PID PPID C STIME TTY TIME COMMAND |
---|
52 | root 1005 1 0 10:45:17 ? 0:08 /opt/openssh/sbin/sshd -u0 |
---|
53 | root 6917 1005 0 15:19:16 ? 0:00 sshd: stevesk [priv] |
---|
54 | stevesk 6919 6917 0 15:19:17 ? 0:03 sshd: stevesk@2 |
---|
55 | stevesk 6921 6919 0 15:19:17 pts/2 0:00 -bash |
---|
56 | |
---|
57 | process 1005 is the sshd process listening for new connections. |
---|
58 | process 6917 is the privileged monitor process, 6919 is the user owned |
---|
59 | sshd process and 6921 is the shell process. |
---|
60 | |
---|
61 | $Id: README.privsep,v 1.1.1.1 2003-02-05 19:03:14 zacheiss Exp $ |
---|