- djm@cvs.openbsd.org 2012/07/10 02:19:15
[servconf.c servconf.h sshd.c sshd_config]
Turn on systrace sandboxing of pre-auth sshd by default for new installs
by shipping a config that overrides the current UsePrivilegeSeparation=yes
default. Make it easier to flip the default in the future by adding too.
diff --git a/sshd_config b/sshd_config
index ec3ca2a..9424ee2 100644
--- a/sshd_config
+++ b/sshd_config
@@ -1,4 +1,4 @@
-# $OpenBSD: sshd_config,v 1.86 2012/04/12 02:43:55 djm Exp $
+# $OpenBSD: sshd_config,v 1.87 2012/07/10 02:19:15 djm Exp $
# This is the sshd server system-wide configuration file. See
# sshd_config(5) for more information.
@@ -99,7 +99,7 @@
#PrintLastLog yes
#TCPKeepAlive yes
#UseLogin no
-#UsePrivilegeSeparation yes
+UsePrivilegeSeparation sandbox # Default for new installations.
#PermitUserEnvironment no
#Compression delayed
#ClientAliveInterval 0