summaryrefslogtreecommitdiffstats
path: root/crypto/openssh/README.privsep
diff options
context:
space:
mode:
Diffstat (limited to 'crypto/openssh/README.privsep')
-rw-r--r--crypto/openssh/README.privsep21
1 files changed, 11 insertions, 10 deletions
diff --git a/crypto/openssh/README.privsep b/crypto/openssh/README.privsep
index 6c798f3..ced943f 100644
--- a/crypto/openssh/README.privsep
+++ b/crypto/openssh/README.privsep
@@ -12,19 +12,20 @@ On systems which lack mmap or anonymous (MAP_ANON) memory mapping,
compression must be disabled in order for privilege separation to
function.
-When privsep is enabled, the pre-authentication sshd process will
+When privsep is enabled, during the pre-authentication phase sshd will
chroot(2) to "/var/empty" and change its privileges to the "sshd" user
-and its primary group. You should do something like the following to
-prepare the privsep preauth environment:
+and its primary group. sshd is a pseudo-account that should not be
+used by other daemons, and must be locked and should contain a
+"nologin" or invalid shell.
+
+You should do something like the following to prepare the privsep
+preauth environment:
# mkdir /var/empty
# chown root:sys /var/empty
# chmod 755 /var/empty
# groupadd sshd
- # useradd -g sshd sshd
-
-If you are on UnixWare 7 or OpenUNIX 8 do this additional step.
- # ln /usr/lib/.ns.so /usr/lib/ns.so.1
+ # useradd -g sshd -c 'sshd privsep' -d /var/empty -s /bin/false sshd
/var/empty should not contain any files.
@@ -34,8 +35,8 @@ privsep user and chroot directory:
--with-privsep-path=xxx Path for privilege separation chroot
--with-privsep-user=user Specify non-privileged user for privilege separation
-Privsep requires operating system support for file descriptor passing
-and mmap(MAP_ANON).
+Privsep requires operating system support for file descriptor passing.
+Compression will be disabled on systems without a working mmap MAP_ANON.
PAM-enabled OpenSSH is known to function with privsep on Linux.
It does not function on HP-UX with a trusted system
@@ -57,4 +58,4 @@ process 1005 is the sshd process listening for new connections.
process 6917 is the privileged monitor process, 6919 is the user owned
sshd process and 6921 is the shell process.
-$Id: README.privsep,v 1.7 2002/06/21 14:48:02 djm Exp $
+$Id: README.privsep,v 1.10 2002/06/26 00:43:57 stevesk Exp $
OpenPOWER on IntegriCloud