README.privsep revision 256281
Privilege separation, or privsep, is a method in OpenSSH by which
operations that require root privilege are performed by a separate
privileged monitor process. Its purpose is to prevent privilege
escalation by containing corruption to an unprivileged process.
More information is available at:
	http://www.citi.umich.edu/u/provos/ssh/privsep.html

Privilege separation is now enabled by default; see the
UsePrivilegeSeparation option in sshd_config(5).

On systems which lack mmap or anonymous (MAP_ANON) memory mapping,
compression must be disabled in order for privilege separation to
function.

When privsep is enabled, during the pre-authentication phase sshd will
chroot(2) to "/var/empty" and change its privileges to the "sshd" user
and its primary group. sshd is a pseudo-account that should not be
used by other daemons, and must be locked and should contain a
"nologin" or invalid shell.

You should do something like the following to prepare the privsep
preauth environment:

	# mkdir /var/empty
	# chown root:sys /var/empty
	# chmod 755 /var/empty
	# groupadd sshd
	# useradd -g sshd -c 'sshd privsep' -d /var/empty -s /bin/false sshd

/var/empty should not contain any files.
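The environment prepared by the commands above can be audited afterwards. The POSIX sh functions below are an added example, not part of OpenSSH; they take the chroot directory, the passwd(5) line and the shadow password field as arguments so they can be exercised on constructed input, and the list of non-login shells and the getent calls in the trailing comment are assumptions.

```sh
#!/bin/sh
# Added example (not OpenSSH code): audit the privsep preauth environment the
# README describes. The shell list and the getent usage below are assumptions.

# check_privsep_dir DIR [UID]: the chroot must be a directory owned by UID
# (default 0, root), writable only by its owner, and contain no entries.
check_privsep_dir() {
    dir=$1; want_uid=${2:-0}
    [ -d "$dir" ] || { echo "FAIL: $dir is not a directory"; return 1; }
    # ls -lnd is POSIX: field 1 is the mode string, field 3 the numeric owner.
    set -- $(ls -lnd "$dir")
    mode=$1; uid=$3
    [ "$uid" = "$want_uid" ] ||
        { echo "FAIL: $dir owned by uid $uid, want $want_uid"; return 1; }
    # In drwxr-xr-x the 6th and 9th characters are the group/other write bits.
    case $mode in
        ?????w*|????????w*)
            echo "FAIL: $dir is group- or world-writable ($mode)"; return 1 ;;
    esac
    [ -z "$(ls -A "$dir")" ] || { echo "FAIL: $dir is not empty"; return 1; }
}

# check_privsep_account PASSWD_LINE CHROOT: the sshd pseudo-account's home must
# be the chroot and its shell one that cannot start a login session.
check_privsep_account() {
    line=$1; chroot=$2
    oldifs=$IFS; IFS=:; set -f; set -- $line; set +f; IFS=$oldifs
    name=$1; home=$6; shell=$7
    [ "$home" = "$chroot" ] ||
        { echo "FAIL: $name home is $home, want $chroot"; return 1; }
    case $shell in
        /bin/false|/usr/bin/false|/sbin/nologin|/usr/sbin/nologin) return 0 ;;
        *) echo "FAIL: $name shell $shell permits login"; return 1 ;;
    esac
}

# check_locked PW_FIELD: a locked account's shadow password field is "*" or a
# hash prefixed with "!" or "*" (Solaris writes "*LK*"), so it can never match.
check_locked() {
    case $1 in
        '!'*|'*'*) return 0 ;;
        *) echo "FAIL: password field '$1' does not lock the account"; return 1 ;;
    esac
}

# On a Linux-style system, as root:
#   check_privsep_dir /var/empty 0
#   check_privsep_account "$(getent passwd sshd)" /var/empty
#   check_locked "$(getent shadow sshd | cut -d: -f2)"
```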

configure supports the following options to change the default
privsep user and chroot directory:

	--with-privsep-path=xxx Path for privilege separation chroot
	--with-privsep-user=user Specify non-privileged user for privilege separation

Privsep requires operating system support for file descriptor passing.
Compression will be disabled on systems without a working mmap MAP_ANON.

PAM-enabled OpenSSH is known to function with privsep on AIX, FreeBSD,
HP-UX (including Trusted Mode), Linux, NetBSD and Solaris.

On Cygwin, Tru64 Unix, OpenServer, and Unicos only the pre-authentication
part of privsep is supported. Post-authentication privsep is disabled
automatically (so you won't see the additional process mentioned below).

Note that for a normal interactive login with a shell, enabling privsep
will require 1 additional process per login session.

Given the following process listing (from HP-UX):

     UID   PID  PPID  C    STIME TTY       TIME COMMAND
    root  1005     1  0 10:45:17 ?         0:08 /opt/openssh/sbin/sshd -u0
    root  6917  1005  0 15:19:16 ?         0:00 sshd: stevesk [priv]
 stevesk  6919  6917  0 15:19:17 ?         0:03 sshd: stevesk@2
 stevesk  6921  6919  0 15:19:17 pts/2     0:00 -bash

process 1005 is the sshd process listening for new connections.
process 6917 is the privileged monitor process, 6919 is the user owned
sshd process and 6921 is the shell process.

$Id: README.privsep,v 1.16 2005/06/04 23:21:41 djm Exp $