README.privsep revision 149749
Privilege separation, or privsep, is a method in OpenSSH by which
operations that require root privilege are performed by a separate
privileged monitor process.  Its purpose is to prevent privilege
escalation by containing any corruption to an unprivileged process.
More information is available at:
	http://www.citi.umich.edu/u/provos/ssh/privsep.html

Privilege separation is now enabled by default; see the
UsePrivilegeSeparation option in sshd_config(5).

On systems which lack mmap or anonymous (MAP_ANON) memory mapping,
compression must be disabled in order for privilege separation to
function.

When privsep is enabled, during the pre-authentication phase sshd will
chroot(2) to "/var/empty" and change its privileges to the "sshd" user
and its primary group.  sshd is a pseudo-account that should not be
used by other daemons; it must be locked and should have a "nologin"
or otherwise invalid shell.

You should do something like the following to prepare the privsep
preauth environment:

	# mkdir /var/empty
	# chown root:sys /var/empty
	# chmod 755 /var/empty
	# groupadd sshd
	# useradd -g sshd -c 'sshd privsep' -d /var/empty -s /bin/false sshd

/var/empty should not contain any files.

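To verify the environment after running those commands, the following POSIX sh checks are an added example, not part of OpenSSH: the function names, the passwd-file parameter, and the acceptance of a /bin/false shell alongside nologin are assumptions made here.  It confirms that the chroot directory is empty, owned by the expected user and mode exactly 0755, and that the sshd account is a non-root pseudo-account whose home is the chroot and whose shell cannot be used to log in.

```shell
#!/bin/sh
# Added example (not OpenSSH code): sanity-check a privsep pre-auth
# environment before restarting sshd.  Function names and the passwd-file
# parameter are this example's own; the policy it enforces (empty dir,
# root-owned, mode 0755, dedicated non-root user with a non-login shell)
# is the one described in the README above.

# check_privsep_dir DIR OWNER
# Succeeds if DIR is a directory owned by OWNER (name or numeric uid),
# has mode exactly 0755 and contains no entries at all (dotfiles included).
check_privsep_dir() {
    dir=$1
    owner=$2
    [ -d "$dir" ] || { echo "$dir: not a directory" >&2; return 1; }
    # -prune stops find from descending, so only DIR itself is tested.
    if [ -z "$(find "$dir" -prune -type d -perm 0755 -user "$owner" -print)" ]; then
        echo "$dir: must be owned by $owner with mode 0755" >&2
        return 1
    fi
    # ls -A lists dotfiles too, but not '.' and '..'.
    if [ -n "$(ls -A "$dir")" ]; then
        echo "$dir: must be empty" >&2
        return 1
    fi
    return 0
}

# check_privsep_user NAME DIR PASSWDFILE
# Succeeds if NAME has an entry in PASSWDFILE (passwd(5) format), is not
# uid 0, has DIR as its home directory and a shell that cannot log in.
check_privsep_user() {
    name=$1
    dir=$2
    pwfile=$3
    entry=$(awk -F: -v n="$name" '$1 == n { print; exit }' "$pwfile")
    [ -n "$entry" ] || { echo "$name: no passwd entry" >&2; return 1; }
    uid=$(printf '%s\n' "$entry" | cut -d: -f3)
    home=$(printf '%s\n' "$entry" | cut -d: -f6)
    shell=$(printf '%s\n' "$entry" | cut -d: -f7)
    [ "$uid" -ne 0 ] || { echo "$name: must not be uid 0" >&2; return 1; }
    [ "$home" = "$dir" ] || { echo "$name: home should be $dir, is $home" >&2; return 1; }
    case "$shell" in
        */nologin|*/false) ;;
        *) echo "$name: shell $shell allows login" >&2; return 1 ;;
    esac
    return 0
}

# Usage on a live host (needs read access to /etc/passwd only):
#   check_privsep_dir /var/empty root && check_privsep_user sshd /var/empty /etc/passwd
```

Whether the account is actually locked is recorded in the shadow file, which this script does not read; check that separately as root (for example with passwd -S on Linux, or your platform's equivalent).
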
configure supports the following options to change the default
privsep user and chroot directory:

  --with-privsep-path=xxx Path for privilege separation chroot
  --with-privsep-user=user Specify non-privileged user for privilege separation

Privsep requires operating system support for file descriptor passing.
Compression will be disabled on systems without a working mmap MAP_ANON.

PAM-enabled OpenSSH is known to function with privsep on AIX, FreeBSD,
HP-UX (including Trusted Mode), Linux, NetBSD and Solaris.

On Cygwin, Tru64 Unix, OpenServer, and Unicos only the pre-authentication
part of privsep is supported.  Post-authentication privsep is disabled
automatically (so you won't see the additional process mentioned below).

Note that for a normal interactive login with a shell, enabling privsep
will require 1 additional process per login session.

Given the following process listing (from HP-UX):

     UID   PID  PPID  C    STIME TTY       TIME COMMAND
    root  1005     1  0 10:45:17 ?         0:08 /opt/openssh/sbin/sshd -u0
    root  6917  1005  0 15:19:16 ?         0:00 sshd: stevesk [priv]
 stevesk  6919  6917  0 15:19:17 ?         0:03 sshd: stevesk@2
 stevesk  6921  6919  0 15:19:17 pts/2     0:00 -bash

process 1005 is the sshd process listening for new connections.
process 6917 is the privileged monitor process, 6919 is the unprivileged,
user-owned sshd process that handles the session, and 6921 is the shell
process.

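A quick way to confirm on a running host that this layout is actually in effect is given below as an added example, not part of OpenSSH.  The sh/awk function reads a ps -ef style listing (eight columns with the command starting in the eighth, as in the HP-UX output above, which is embedded here as constructed sample input) and reports each "sshd: user@N" session process, flagging any that runs as root, runs as a different user, or whose parent is not a root-owned "[priv]" monitor.  The function and variable names are this example's own.

```shell
#!/bin/sh
# Added example, not OpenSSH code: audit a ps listing for the privsep
# process layout.  Assumes the ps -ef column order shown in the README
# (UID PID PPID C STIME TTY TIME COMMAND), with the command in field 8 on.

# Constructed sample input: the HP-UX listing from the README.
SAMPLE_PS='     UID   PID  PPID  C    STIME TTY       TIME COMMAND
    root  1005     1  0 10:45:17 ?         0:08 /opt/openssh/sbin/sshd -u0
    root  6917  1005  0 15:19:16 ?         0:00 sshd: stevesk [priv]
 stevesk  6919  6917  0 15:19:17 ?         0:03 sshd: stevesk@2
 stevesk  6921  6919  0 15:19:17 pts/2     0:00 -bash'

# audit_privsep_sessions: reads a listing on stdin.  For every process whose
# command is "sshd: USER@N" it prints "ok PID USER" when the process runs as
# USER and its parent is a root-owned "sshd: USER [priv]" monitor, otherwise
# "BAD PID reason".  Exit status is 1 if anything was flagged.
audit_privsep_sessions() {
    awk '
    NR == 1 { next }                       # skip the header line
    {
        owner[$2] = $1; parent[$2] = $3
        cmd = $8
        for (i = 9; i <= NF; i++) cmd = cmd " " $i
        if (cmd ~ /^sshd: [^ ]+ \[priv\]$/) monitor[$2] = 1
        if (cmd ~ /^sshd: [^ ]+@[0-9]+$/) {
            user = cmd; sub(/^sshd: /, "", user); sub(/@.*/, "", user)
            session[$2] = user
        }
    }
    END {
        bad = 0
        for (p in session) {
            u = session[p]; m = parent[p]
            if (owner[p] == "root")      { print "BAD " p " runs as root"; bad = 1 }
            else if (owner[p] != u)      { print "BAD " p " runs as " owner[p] " not " u; bad = 1 }
            else if (!(m in monitor))    { print "BAD " p " parent " m " is not a [priv] monitor"; bad = 1 }
            else if (owner[m] != "root") { print "BAD " p " monitor " m " is not root"; bad = 1 }
            else                         print "ok " p " " u
        }
        exit bad
    }'
}

# Stand-alone run against the sample; on a live host use: ps -ef | audit_privsep_sessions
printf '%s\n' "$SAMPLE_PS" | audit_privsep_sessions
```

On the sample listing this prints "ok 6919 stevesk": the session process is owned by stevesk and its parent, 6917, is the root-owned monitor.  A session process that shows up owned by root is the thing to look for; it means the post-authentication half of privsep is not in effect for that login.
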
$Id: README.privsep,v 1.16 2005/06/04 23:21:41 djm Exp $
