README.privsep revision 149749
Privilege separation, or privsep, is a method in OpenSSH by which
operations that require root privilege are performed by a separate
privileged monitor process. Its purpose is to prevent privilege
escalation by containing corruption to an unprivileged process.
More information is available at:
	http://www.citi.umich.edu/u/provos/ssh/privsep.html

Privilege separation is now enabled by default; see the
UsePrivilegeSeparation option in sshd_config(5).

On systems which lack mmap or anonymous (MAP_ANON) memory mapping,
compression must be disabled in order for privilege separation to
function.

When privsep is enabled, during the pre-authentication phase sshd will
chroot(2) to "/var/empty" and change its privileges to the "sshd" user
and its primary group. sshd is a pseudo-account that should not be
used by other daemons, and must be locked and should have a
"nologin" or invalid shell.

You should do something like the following to prepare the privsep
preauth environment:

	# mkdir /var/empty
	# chown root:sys /var/empty
	# chmod 755 /var/empty
	# groupadd sshd
	# useradd -g sshd -c 'sshd privsep' -d /var/empty -s /bin/false sshd

/var/empty should not contain any files.
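The commands above create the chroot directory and the pseudo-account, but they do not verify that the result still satisfies the requirements (root-owned, not writable by anyone else, empty; account locked, homed in the chroot, with a non-login shell). The following is an added example, not part of OpenSSH or this README, that performs those checks. The problem codes it returns, the check_privsep_environment() entry point and the treatment of an "x" password field (hash kept in the shadow file, so the lock state must be checked there, e.g. with passwd -S) are this example's own conventions; the sample passwd records in demo() are constructed.

```python
"""Checks for the privsep preauth environment described in README.privsep.
Added example, not OpenSSH code; problem codes and function names are mine."""
import os
import pwd
import stat
import tempfile


def check_privsep_dir(path):
    """Return problem codes for the chroot directory. It must exist, be a real
    directory owned by root, be writable by root only, and contain nothing."""
    problems = []
    try:
        st = os.lstat(path)                  # lstat: a symlink is not acceptable
    except FileNotFoundError:
        return ["missing"]
    if not stat.S_ISDIR(st.st_mode):
        return ["not-directory"]
    if st.st_uid != 0:
        problems.append("not-root-owned")
    if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        problems.append("writable")
    if os.listdir(path):
        problems.append("not-empty")
    return problems


def read_valid_shells(path="/etc/shells"):
    """Login shells the system recognises; a shell missing here is 'invalid'."""
    try:
        with open(path) as f:
            return [l.strip() for l in f if l.strip() and not l.startswith("#")]
    except OSError:
        return []


def check_privsep_account(entry, chroot_dir, valid_shells=None):
    """entry is a 7-field passwd record (a pwd.getpwnam() result or an
    equivalent tuple). The account must be non-root, locked, homed in the
    chroot, and unable to log in (nologin/false, or a shell not in /etc/shells)."""
    name, passwd, uid, gid, gecos, home, shell = tuple(entry)
    shells = read_valid_shells() if valid_shells is None else valid_shells
    problems = []
    if uid == 0:
        problems.append("uid-zero")
    # "x" means the hash lives in the shadow file; check the lock there (passwd -S).
    # Anything else must be a lock marker such as "*" or "!".
    if passwd != "x" and not passwd.startswith(("*", "!")):
        problems.append("not-locked")
    if home != chroot_dir:
        problems.append("wrong-home")
    no_login = os.path.basename(shell) in ("nologin", "false") or (
        bool(shells) and shell not in shells)
    if not no_login:
        problems.append("login-shell")
    return problems


def check_privsep_environment(user="sshd", chroot_dir="/var/empty"):
    """Run both checks against the live system after following the README."""
    try:
        account = check_privsep_account(pwd.getpwnam(user), chroot_dir)
    except KeyError:
        account = ["no-such-user"]
    return {"dir": check_privsep_dir(chroot_dir), "account": account}


def demo():
    """Constructed scenario: a scratch directory first misconfigured (world-
    writable and holding a file) and then fixed, plus a bad and a good record."""
    d = tempfile.mkdtemp()
    junk = os.path.join(d, "leftover")
    open(junk, "w").close()
    os.chmod(d, 0o777)
    before = check_privsep_dir(d)
    os.remove(junk)
    os.chmod(d, 0o755)
    after = check_privsep_dir(d)
    shells = ["/bin/sh", "/bin/bash"]            # constructed /etc/shells contents
    bad = check_privsep_account(
        ("sshd", "", 0, 0, "", "/home/sshd", "/bin/bash"), "/var/empty", shells)
    good = check_privsep_account(
        ("sshd", "*", 22, 22, "sshd privsep", "/var/empty", "/usr/sbin/nologin"),
        "/var/empty", shells)
    return before, after, bad, good


if __name__ == "__main__":
    print(demo())
    print(check_privsep_environment())
```

On a real host run check_privsep_environment() as root; "not-root-owned" will also show up in demo() when it is run as an ordinary user, since the scratch directory then belongs to that user.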

configure supports the following options to change the default
privsep user and chroot directory:

	--with-privsep-path=xxx    Path for privilege separation chroot
	--with-privsep-user=user   Specify non-privileged user for privilege separation

Privsep requires operating system support for file descriptor passing.
Compression will be disabled on systems without a working mmap MAP_ANON.

PAM-enabled OpenSSH is known to function with privsep on AIX, FreeBSD,
HP-UX (including Trusted Mode), Linux, NetBSD and Solaris.

On Cygwin, Tru64 Unix, OpenServer, and Unicos only the pre-authentication
part of privsep is supported. Post-authentication privsep is disabled
automatically (so you won't see the additional process mentioned below).

Note that for a normal interactive login with a shell, enabling privsep
will require 1 additional process per login session.

Given the following process listing (from HP-UX):

	    UID   PID  PPID  C    STIME     TTY       TIME COMMAND
	   root  1005     1  0 10:45:17      ?      0:08 /opt/openssh/sbin/sshd -u0
	   root  6917  1005  0 15:19:16      ?      0:00 sshd: stevesk [priv]
	stevesk  6919  6917  0 15:19:17      ?      0:03 sshd: stevesk@2
	stevesk  6921  6919  0 15:19:17  pts/2      0:00 -bash

process 1005 is the sshd process listening for new connections,
process 6917 is the privileged monitor process, 6919 is the user-owned
sshd process and 6921 is the shell process.

$Id: README.privsep,v 1.16 2005/06/04 23:21:41 djm Exp $
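The process listing above shows the shape of privsep but not the mechanism: the "[priv]" monitor keeps root, the user-owned process does the exposed work, and the two talk over a socket, with the monitor handing open descriptors across (the file descriptor passing the README says the OS must support). The following is an added example in that style, not OpenSSH's monitor code. The request format (1-byte type, 2-byte length, path), the reply codes, the allowlist policy and the function names are this example's assumptions; the privilege drop mirrors what the README describes (chroot to the empty directory, then become the privsep user and its primary group) and is only attempted when the process is already root and given a user and directory.

```python
"""Privilege-separation skeleton: a root monitor serving an unprivileged child
over a socketpair, passing results back as file descriptors (SCM_RIGHTS).
Added example, not OpenSSH code; wire format, policy and names are assumed."""
import array
import os
import pwd
import socket
import struct
import tempfile

MON_OPEN = 1                     # request type: open a file read-only for the child
REPLY_OK, REPLY_DENIED, REPLY_ERROR = 0, 1, 2


def recv_exact(sock, n):
    """Read exactly n bytes; b'' from recv() means the peer closed."""
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise EOFError("peer closed")
        buf += chunk
    return buf


def monitor_loop(sock, allowed_paths):
    """Privileged side. The child may be compromised, so every request is parsed
    strictly and checked against a fixed policy; only the monitor calls open(2),
    and the child only ever sees the resulting descriptor."""
    while True:
        try:
            typ, length = struct.unpack("!BH", recv_exact(sock, 3))
            path = recv_exact(sock, length).decode("utf-8", "replace")
        except EOFError:
            return                   # child exited: nothing more to serve
        if typ != MON_OPEN or path not in allowed_paths:
            sock.sendall(bytes([REPLY_DENIED]))
            continue
        try:
            fd = os.open(path, os.O_RDONLY)
        except OSError:
            sock.sendall(bytes([REPLY_ERROR]))
            continue
        sock.sendmsg([bytes([REPLY_OK])],
                     [(socket.SOL_SOCKET, socket.SCM_RIGHTS, array.array("i", [fd]))])
        os.close(fd)                 # the child now holds its own copy


def drop_privileges(user, root_dir):
    """Preauth child's drop (root only): chroot, then become the privsep user."""
    pw = pwd.getpwnam(user)
    os.chroot(root_dir)
    os.chdir("/")
    os.setgroups([])
    os.setgid(pw.pw_gid)
    os.setuid(pw.pw_uid)


def unprivileged_child(sock, path):
    """Ask the monitor to open `path`; return its contents, or None if refused.
    Assumed wire format: 1-byte type, 2-byte big-endian length, path bytes."""
    data = path.encode()
    sock.sendall(struct.pack("!BH", MON_OPEN, len(data)) + data)
    fds = array.array("i")
    msg, ancdata, _flags, _addr = sock.recvmsg(1, socket.CMSG_LEN(fds.itemsize))
    for level, typ, cdata in ancdata:
        if level == socket.SOL_SOCKET and typ == socket.SCM_RIGHTS:
            fds.frombytes(cdata[:len(cdata) - len(cdata) % fds.itemsize])
    if not msg or msg[0] != REPLY_OK or not fds:
        return None
    with os.fdopen(fds[0], "rb") as f:
        return f.read()


def run_split(path, allowed_paths, privsep_user=None, chroot_dir=None):
    """Fork into monitor (parent) and child; return what the child could read."""
    mon_sock, child_sock = socket.socketpair(socket.AF_UNIX, socket.SOCK_STREAM)
    result_r, result_w = os.pipe()
    pid = os.fork()
    if pid == 0:                     # child: the unprivileged side
        mon_sock.close()
        os.close(result_r)
        try:
            if os.geteuid() == 0 and privsep_user and chroot_dir:
                drop_privileges(privsep_user, chroot_dir)
            data = unprivileged_child(child_sock, path)
            child_sock.close()       # EOF lets monitor_loop() return
            os.write(result_w, b"\x00" if data is None else b"\x01" + data)
        finally:
            os._exit(0)
    child_sock.close()
    os.close(result_w)
    monitor_loop(mon_sock, allowed_paths)
    mon_sock.close()
    out = b""
    while chunk := os.read(result_r, 4096):
        out += chunk
    os.close(result_r)
    os.waitpid(pid, 0)
    return out[1:] if out[:1] == b"\x01" else None


def demo():
    """Constructed scenario: one file the monitor's policy allows, one it denies."""
    d = tempfile.mkdtemp()
    allowed, denied = os.path.join(d, "allowed"), os.path.join(d, "denied")
    for p in (allowed, denied):
        with open(p, "wb") as f:
            f.write(b"contents of " + os.path.basename(p).encode())
    return run_split(allowed, {allowed}), run_split(denied, {allowed})


if __name__ == "__main__":
    print(demo())
```

The point of the split is visible in monitor_loop(): a child that has been corrupted can send whatever it likes down the socket, but the only effect it can obtain is an open(2) of a path already on the monitor's list, which is the same containment the README describes for the preauth sshd process.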