diff options
Diffstat (limited to 'crypto/openssh/README.privsep')
-rw-r--r-- | crypto/openssh/README.privsep | 21 |
1 files changed, 11 insertions, 10 deletions
diff --git a/crypto/openssh/README.privsep b/crypto/openssh/README.privsep index 6c798f3..ced943f 100644 --- a/crypto/openssh/README.privsep +++ b/crypto/openssh/README.privsep @@ -12,19 +12,20 @@ On systems which lack mmap or anonymous (MAP_ANON) memory mapping, compression must be disabled in order for privilege separation to function. -When privsep is enabled, the pre-authentication sshd process will +When privsep is enabled, during the pre-authentication phase sshd will chroot(2) to "/var/empty" and change its privileges to the "sshd" user -and its primary group. You should do something like the following to -prepare the privsep preauth environment: +and its primary group. sshd is a pseudo-account that should not be +used by other daemons, and must be locked and should contain a +"nologin" or invalid shell. + +You should do something like the following to prepare the privsep +preauth environment: # mkdir /var/empty # chown root:sys /var/empty # chmod 755 /var/empty # groupadd sshd - # useradd -g sshd sshd - -If you are on UnixWare 7 or OpenUNIX 8 do this additional step. - # ln /usr/lib/.ns.so /usr/lib/ns.so.1 + # useradd -g sshd -c 'sshd privsep' -d /var/empty -s /bin/false sshd /var/empty should not contain any files. @@ -34,8 +35,8 @@ privsep user and chroot directory: --with-privsep-path=xxx Path for privilege separation chroot --with-privsep-user=user Specify non-privileged user for privilege separation -Privsep requires operating system support for file descriptor passing -and mmap(MAP_ANON). +Privsep requires operating system support for file descriptor passing. +Compression will be disabled on systems without a working mmap MAP_ANON. PAM-enabled OpenSSH is known to function with privsep on Linux. It does not function on HP-UX with a trusted system @@ -57,4 +58,4 @@ process 1005 is the sshd process listening for new connections. process 6917 is the privileged monitor process, 6919 is the user owned sshd process and 6921 is the shell process. -$Id: README.privsep,v 1.7 2002/06/21 14:48:02 djm Exp $ +$Id: README.privsep,v 1.10 2002/06/26 00:43:57 stevesk Exp $ |