Kevin Steves | 0228155 | 2002-05-13 03:57:04 +0000 | [diff] [blame] | 1 | Privilege separation, or privsep, is an experimental feature in |
| 2 | OpenSSH in which operations that require root privilege are performed |
| 3 | by a separate privileged monitor process. Its purpose is to prevent |
| 4 | privilege escalation by containing corruption to an unprivileged |
| 5 | process. More information is available at: |
| 6 | http://www.citi.umich.edu/u/provos/ssh/privsep.html |
| 7 | |
| 8 | Privilege separation is not enabled by default, and may be enabled by |
| 9 | specifying "UsePrivilegeSeparation yes" in sshd_config; see the |
| 10 | UsePrivilegeSeparation option in sshd(8). |
| 11 | |
| 12 | When privsep is enabled, the pre-authentication sshd process will |
| 13 | chroot(2) to "/var/empty" and change its privileges to the "sshd" user |
| 14 | and its primary group. You should do something like the following to |
| 15 | prepare the privsep preauth environment: |
| 16 | |
| 17 | # mkdir /var/empty |
| 18 | # chown root:sys /var/empty |
| 19 | # chmod 755 /var/empty |
| 20 | # groupadd sshd |
| 21 | # useradd -g sshd sshd |
| 22 | |
Tim Rice | 1e28c9e | 2002-05-13 17:07:18 -0700 | [diff] [blame] | 23 | If you are on UnixWare 7 or OpenUNIX 8 do this additional step. |
| 24 | # ln /usr/lib/.ns.so /usr/lib/ns.so.1 |
| 25 | |
Kevin Steves | 0228155 | 2002-05-13 03:57:04 +0000 | [diff] [blame] | 26 | /var/empty should not contain any files. |
| 27 | |
| 28 | configure supports the following options to change the default |
| 29 | privsep user and chroot directory: |
| 30 | |
Damien Miller | 74cc5bb | 2002-05-22 11:02:15 +1000 | [diff] [blame] | 31 | --with-privsep-path=xxx Path for privilege separation chroot |
Kevin Steves | 0228155 | 2002-05-13 03:57:04 +0000 | [diff] [blame] | 32 | --with-privsep-user=user Specify non-privileged user for privilege separation |
| 33 | |
| 34 | Privsep requires operating system support for file descriptor passing |
| 35 | and mmap(MAP_ANON). |
| 36 | |
Kevin Steves | f8defa2 | 2002-05-13 23:31:09 +0000 | [diff] [blame] | 37 | PAM-enabled OpenSSH is known to function with privsep on Linux and |
| 38 | Solaris 8. It does not function on HP-UX with a trusted system |
| 39 | configuration. PAMAuthenticationViaKbdInt does not function with |
Kevin Steves | 0228155 | 2002-05-13 03:57:04 +0000 | [diff] [blame] | 40 | privsep. |
| 41 | |
| 42 | Note that for a normal interactive login with a shell, enabling privsep |
| 43 | will require 1 additional process per login session. |
| 44 | |
| 45 | Given the following process listing (from HP-UX): |
| 46 | |
| 47 | UID PID PPID C STIME TTY TIME COMMAND |
| 48 | root 1005 1 0 10:45:17 ? 0:08 /opt/openssh/sbin/sshd -u0 |
| 49 | root 6917 1005 0 15:19:16 ? 0:00 sshd: stevesk [priv] |
| 50 | stevesk 6919 6917 0 15:19:17 ? 0:03 sshd: stevesk@2 |
| 51 | stevesk 6921 6919 0 15:19:17 pts/2 0:00 -bash |
| 52 | |
| 53 | process 1005 is the sshd process listening for new connections. |
| 54 | process 6917 is the privileged monitor process, 6919 is the user owned |
| 55 | sshd process and 6921 is the shell process. |
| 56 | |
Damien Miller | 74cc5bb | 2002-05-22 11:02:15 +1000 | [diff] [blame] | 57 | $Id: README.privsep,v 1.5 2002/05/22 01:02:15 djm Exp $ |