diff options
| author | Darren Tucker <dtucker@dtucker.net> | 2019-09-19 15:41:23 +1000 |
|---|---|---|
| committer | Darren Tucker <dtucker@dtucker.net> | 2019-09-19 15:41:23 +1000 |
| commit | 5a273a33ca1410351cb484af7db7c13e8b4e8e4e (patch) | |
| tree | bf54186a04ea1f0a2ced7fc902f191c1d1a13ab6 | |
| parent | 8aa2aa3cd4d27d14e74b247c773696349472ef20 (diff) | |
Privsep is now required.
| -rw-r--r-- | INSTALL | 8 | ||||
| -rw-r--r-- | README.privsep | 11 |
2 files changed, 8 insertions, 11 deletions
@@ -24,6 +24,10 @@ If you must use a non-position-independent libcrypto, then you may need to configure OpenSSH --without-pie. Note that due to a bug in EVP_CipherInit OpenSSL 1.1 versions prior to 1.1.0g can't be used. +To support Privilege Separation (which is now required) you will need +to create the user, group and directory used by sshd for privilege +separation. See README.privsep for details. + The remaining items are optional. NB. If you operating system supports /dev/random, you should configure @@ -133,10 +137,6 @@ make install This will install the binaries in /opt/{bin,lib,sbin}, but will place the configuration files in /etc/ssh. -If you are using Privilege Separation (which is enabled by default) -then you will also need to create the user, group and directory used by -sshd for privilege separation. See README.privsep for details. - If you are using PAM, you may need to manually install a PAM control file as "/etc/pam.d/sshd" (or wherever your system prefers to keep them). Note that the service name used to start PAM is __progname, diff --git a/README.privsep b/README.privsep index 460e9056..d658c46d 100644 --- a/README.privsep +++ b/README.privsep @@ -5,13 +5,10 @@ escalation by containing corruption to an unprivileged process. More information is available at: http://www.citi.umich.edu/u/provos/ssh/privsep.html -Privilege separation is now enabled by default; see the -UsePrivilegeSeparation option in sshd_config(5). - -When privsep is enabled, during the pre-authentication phase sshd will -chroot(2) to "/var/empty" and change its privileges to the "sshd" user -and its primary group. sshd is a pseudo-account that should not be -used by other daemons, and must be locked and should contain a +Privilege separation is now mandatory. During the pre-authentication +phase sshd will chroot(2) to "/var/empty" and change its privileges to the +"sshd" user and its primary group. sshd is a pseudo-account that should +not be used by other daemons, and must be locked and should contain a "nologin" or invalid shell. You should do something like the following to prepare the privsep |