README.privsep revision 256281
Privilege separation, or privsep, is a method in OpenSSH by which
operations that require root privilege are performed by a separate
privileged monitor process.  Its purpose is to prevent privilege
escalation by confining the effects of a compromise (memory corruption
or other misbehaviour in the network-facing code) to an unprivileged
process.  More information is available at:
	http://www.citi.umich.edu/u/provos/ssh/privsep.html

Privilege separation is now enabled by default; see the
UsePrivilegeSeparation option in sshd_config(5).

On systems which lack mmap or anonymous (MAP_ANON) memory mapping,
compression must be disabled in order for privilege separation to
function.

When privsep is enabled, during the pre-authentication phase sshd will
chroot(2) to "/var/empty" and change its privileges to the "sshd" user
and its primary group.  sshd is a pseudo-account that should not be
used by other daemons; it must be locked and should have a "nologin"
or otherwise invalid shell.

You should do something like the following to prepare the privsep
preauth environment:

	# mkdir /var/empty
	# chown root:sys /var/empty
	# chmod 755 /var/empty
	# groupadd sshd
	# useradd -g sshd -c 'sshd privsep' -d /var/empty -s /bin/false sshd

/var/empty should not contain any files.
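
The following script, added here as an example (it is not part of
OpenSSH), checks that an existing chroot directory and privsep account
meet the requirements above before sshd is started.  It assumes a POSIX
sh with ls(1) and getent(1), takes the directory and account name as
arguments (defaults /var/empty and sshd), and treats /bin/false,
/usr/bin/false, /sbin/nologin and /usr/sbin/nologin as the acceptable
non-login shells; that list and the expected owner "root" are
assumptions.  Whether the account is actually locked lives in the shadow
database and must still be checked separately (e.g. passwd -S on Linux).

```shell
#!/bin/sh
# Added example (not part of OpenSSH): verify a privsep preauth environment
# before (re)starting sshd.  Assumes POSIX sh with ls(1) and getent(1); the
# directory, account name and list of acceptable shells are assumptions
# matching this README's defaults, not values read from sshd's build.

# privsep_dir_ok DIR [OWNER]
# Succeeds only if DIR is a directory, owned by OWNER (default root), not
# writable by group or other, and completely empty.  A writable or
# populated chroot gives a compromised preauth process something to use.
privsep_dir_ok() {
    dir=$1
    owner=${2:-root}
    [ -d "$dir" ] || { echo "$dir: not a directory" >&2; return 1; }
    # ls -ld prints: perms links owner group size date name.  The perms
    # field may carry a trailing '+' or '.' (ACLs, SELinux), so only the
    # first 10 characters are examined.
    set -- $(ls -ld "$dir")
    perms=$(printf '%s' "$1" | cut -c1-10)
    case "$perms" in
        d????-??-?) ;;   # characters 6 and 9 are the group/other write bits
        *) echo "$dir: mode $perms is group or other writable" >&2; return 1 ;;
    esac
    [ "$3" = "$owner" ] || { echo "$dir: owned by $3, expected $owner" >&2; return 1; }
    [ -z "$(ls -A "$dir")" ] || { echo "$dir: must contain no files" >&2; return 1; }
    return 0
}

# privsep_user_ok PASSWD_LINE [HOME]
# Checks one passwd(5)-style line "name:pw:uid:gid:gecos:home:shell": the
# account must not be uid 0, its home must be HOME (default /var/empty) and
# its shell must be one that refuses logins.  Whether the password is
# locked is recorded in the shadow database; check that separately.
privsep_user_ok() {
    home=${2:-/var/empty}
    IFS=: read -r name pw uid gid gecos dir shell <<EOF
$1
EOF
    [ "$uid" -ne 0 ] 2>/dev/null || { echo "$name: uid must be non-zero" >&2; return 1; }
    [ "$dir" = "$home" ] || { echo "$name: home $dir, expected $home" >&2; return 1; }
    case "$shell" in
        /bin/false|/usr/bin/false|/sbin/nologin|/usr/sbin/nologin) return 0 ;;
        *) echo "$name: shell $shell allows logins" >&2; return 1 ;;
    esac
}

# Usage: sh check_privsep.sh DIR [USER]      (e.g. /var/empty sshd)
# The live check runs only when a directory argument is given, so the
# functions above can also be sourced from other scripts.
if [ $# -gt 0 ]; then
    status=0
    privsep_dir_ok "$1" || status=1
    entry=$(getent passwd "${2:-sshd}" 2>/dev/null)
    if [ -z "$entry" ]; then
        echo "${2:-sshd}: account does not exist" >&2; status=1
    else
        privsep_user_ok "$entry" "$1" || status=1
    fi
    [ $status -eq 0 ] && echo "privsep environment OK"
    exit $status
fi
```

Run it as "sh check_privsep.sh /var/empty sshd" (or with the values given
to --with-privsep-path and --with-privsep-user); a non-zero exit means
one of the checks printed a reason on stderr.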

configure supports the following options to change the default
privsep user and chroot directory:

  --with-privsep-path=xxx Path for privilege separation chroot
  --with-privsep-user=user Specify non-privileged user for privilege separation

Privsep requires operating system support for file descriptor passing.
Compression will be disabled on systems without a working mmap MAP_ANON.

PAM-enabled OpenSSH is known to function with privsep on AIX, FreeBSD,
HP-UX (including Trusted Mode), Linux, NetBSD and Solaris.

On Cygwin, Tru64 Unix, OpenServer, and Unicos only the pre-authentication
part of privsep is supported.  Post-authentication privsep is disabled
automatically (so you won't see the additional process mentioned below).

Note that for a normal interactive login with a shell, enabling privsep
will require 1 additional process per login session.

Given the following process listing (from HP-UX):

     UID   PID  PPID  C    STIME TTY       TIME COMMAND
    root  1005     1  0 10:45:17 ?         0:08 /opt/openssh/sbin/sshd -u0
    root  6917  1005  0 15:19:16 ?         0:00 sshd: stevesk [priv]
 stevesk  6919  6917  0 15:19:17 ?         0:03 sshd: stevesk@2
 stevesk  6921  6919  0 15:19:17 pts/2     0:00 -bash

process 1005 is the sshd process listening for new connections,
process 6917 is the privileged monitor process, 6919 is the user-owned
sshd process and 6921 is the shell process.
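
The shape of that tree is itself worth checking on a running host: if
post-authentication privsep is disabled or a build is misbehaving, the
session process will still run as root.  The following script is an
added example and not OpenSSH code.  It reads a ps -ef style listing
with the column layout above (UID PID PPID C STIME TTY TIME COMMAND,
which Linux "ps -ef" shares) and reports every "sshd: USER@TTY" session
process that is not the child of a root-owned "sshd: USER [priv]"
monitor for the same user, or that does not run as USER.  The sample
listings embedded in it are constructed from the one above; the
pre-authentication child, which runs as the sshd pseudo-account, is not
covered, and on systems where the UID column shows a number or a
truncated name the comparison against USER needs adjusting.

```shell
#!/bin/sh
# Added example (not OpenSSH code): audit a ps -ef style listing for the
# privsep process shape described in README.privsep.  Every
# "sshd: USER [priv]" monitor must run as root, and every session process
# "sshd: USER@TTY" must be a child of that user's monitor and run as USER,
# never as root.  Assumed column layout: UID PID PPID C STIME TTY TIME
# COMMAND (HP-UX and Linux "ps -ef").

# audit_sshd_tree < LISTING
# Prints one FAIL line per problem and returns the number of problems.
audit_sshd_tree() {
    awk '
    function report(msg) { print "FAIL: " msg; problems++ }
    NR == 1 { next }                        # column header
    $8 == "sshd:" && $10 == "[priv]" {      # privileged monitor
        monitor_user[$2] = $9
        if ($1 != "root")
            report("monitor " $2 " for " $9 " runs as " $1 ", expected root")
        next
    }
    $8 == "sshd:" && $9 ~ /@/ {             # post-auth user process
        split($9, f, "@")
        sess_uid[$2] = $1; sess_ppid[$2] = $3; sess_user[$2] = f[1]
        next
    }
    END {
        for (pid in sess_user) {
            user = sess_user[pid]; ppid = sess_ppid[pid]; uid = sess_uid[pid]
            if (!(ppid in monitor_user))
                report("session " pid " for " user " has no [priv] monitor parent")
            else if (monitor_user[ppid] != user)
                report("session " pid " for " user " hangs off the monitor for " monitor_user[ppid])
            if (uid == "root")
                report("session " pid " for " user " still runs as root")
            else if (uid != user)
                report("session " pid " for " user " runs as " uid)
        }
        print problems + 0 " problem(s) found"
        exit problems + 0
    }'
}

# Constructed sample input: the listing from README.privsep, plus a
# variant in which the user process was left running as root.
sample_listing() {
    cat <<'EOF'
     UID   PID  PPID  C    STIME TTY       TIME COMMAND
    root  1005     1  0 10:45:17 ?         0:08 /opt/openssh/sbin/sshd -u0
    root  6917  1005  0 15:19:16 ?         0:00 sshd: stevesk [priv]
 stevesk  6919  6917  0 15:19:17 ?         0:03 sshd: stevesk@2
 stevesk  6921  6919  0 15:19:17 pts/2     0:00 -bash
EOF
}
sample_listing_root_session() {
    cat <<'EOF'
     UID   PID  PPID  C    STIME TTY       TIME COMMAND
    root  1005     1  0 10:45:17 ?         0:08 /opt/openssh/sbin/sshd -u0
    root  6917  1005  0 15:19:16 ?         0:00 sshd: stevesk [priv]
    root  6919  6917  0 15:19:17 ?         0:03 sshd: stevesk@2
    root  6921  6919  0 15:19:17 pts/2     0:00 -bash
EOF
}

# Live use on a running host:  ps -ef | audit_sshd_tree
```

Against the README's listing the audit reports "0 problem(s) found";
against the variant with a root-owned session process it reports that
session 6919 for stevesk still runs as root and exits 1.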

$Id: README.privsep,v 1.16 2005/06/04 23:21:41 djm Exp $
