Hi, This is included in the release now; any feedback? Privilege separation, or privsep, is method in OpenSSH by which operations that require root privilege are performed by a separate privileged monitor process. Its purpose is to prevent privilege escalation by containing corruption to an unprivileged process. More information is available at: http://www.citi.umich.edu/u/provos/ssh/privsep.html Privilege separation is now enabled by default; see the UsePrivilegeSeparation option in sshd_config(5). On systems which lack mmap or anonymous (MAP_ANON) memory mapping, compression must be disabled in order for privilege separation to function. When privsep is enabled, during the pre-authentication phase sshd will chroot(2) to "/var/empty" and change its privileges to the "sshd" user and its primary group. You should do something like the following to prepare the privsep preauth environment: # mkdir /var/empty # chown root:sys /var/empty # chmod 755 /var/empty # groupadd sshd # useradd -g sshd -c 'sshd privsep' -d /var/empty sshd If you are on UnixWare 7 or OpenUNIX 8 do this additional step. # ln /usr/lib/.ns.so /usr/lib/ns.so.1 /var/empty should not contain any files. configure supports the following options to change the default privsep user and chroot directory: --with-privsep-path=xxx Path for privilege separation chroot --with-privsep-user=user Specify non-privileged user for privilege separation Privsep requires operating system support for file descriptor passing and mmap(MAP_ANON). PAM-enabled OpenSSH is known to function with privsep on Linux. It does not function on HP-UX with a trusted system configuration. PAMAuthenticationViaKbdInt does not function with privsep. Note that for a normal interactive login with a shell, enabling privsep will require 1 additional process per login session. Given the following process listing (from HP-UX): UID PID PPID C STIME TTY TIME COMMAND root 1005 1 0 10:45:17 ? 0:08 /opt/openssh/sbin/sshd -u0 root 6917 1005 0 15:19:16 ? 0:00 sshd: stevesk [priv] stevesk 6919 6917 0 15:19:17 ? 0:03 sshd: stevesk at 2 stevesk 6921 6919 0 15:19:17 pts/2 0:00 -bash process 1005 is the sshd process listening for new connections. process 6917 is the privileged monitor process, 6919 is the user owned sshd process and 6921 is the shell process. $Id: README.privsep,v 1.8 2002/06/24 16:49:22 stevesk Exp $
Maybe we should state how to change the user and the chroot before the step by step. I can see someone changing the privsep user and whining about things not work. - Ben On Mon, 24 Jun 2002, Kevin Steves wrote:> Hi, > > This is included in the release now; any feedback? > > Privilege separation, or privsep, is method in OpenSSH by which > operations that require root privilege are performed by a separate > privileged monitor process. Its purpose is to prevent privilege > escalation by containing corruption to an unprivileged process. > More information is available at: > http://www.citi.umich.edu/u/provos/ssh/privsep.html > > Privilege separation is now enabled by default; see the > UsePrivilegeSeparation option in sshd_config(5). > > On systems which lack mmap or anonymous (MAP_ANON) memory mapping, > compression must be disabled in order for privilege separation to > function. > > When privsep is enabled, during the pre-authentication phase sshd will > chroot(2) to "/var/empty" and change its privileges to the "sshd" user > and its primary group. You should do something like the following to > prepare the privsep preauth environment: > > # mkdir /var/empty > # chown root:sys /var/empty > # chmod 755 /var/empty > # groupadd sshd > # useradd -g sshd -c 'sshd privsep' -d /var/empty sshd > > If you are on UnixWare 7 or OpenUNIX 8 do this additional step. > # ln /usr/lib/.ns.so /usr/lib/ns.so.1 > > /var/empty should not contain any files. > > configure supports the following options to change the default > privsep user and chroot directory: > > --with-privsep-path=xxx Path for privilege separation chroot > --with-privsep-user=user Specify non-privileged user for privilege separation > > Privsep requires operating system support for file descriptor passing > and mmap(MAP_ANON). > > PAM-enabled OpenSSH is known to function with privsep on Linux. > It does not function on HP-UX with a trusted system > configuration. PAMAuthenticationViaKbdInt does not function with > privsep. > > Note that for a normal interactive login with a shell, enabling privsep > will require 1 additional process per login session. > > Given the following process listing (from HP-UX): > > UID PID PPID C STIME TTY TIME COMMAND > root 1005 1 0 10:45:17 ? 0:08 /opt/openssh/sbin/sshd -u0 > root 6917 1005 0 15:19:16 ? 0:00 sshd: stevesk [priv] > stevesk 6919 6917 0 15:19:17 ? 0:03 sshd: stevesk at 2 > stevesk 6921 6919 0 15:19:17 pts/2 0:00 -bash > > process 1005 is the sshd process listening for new connections. > process 6917 is the privileged monitor process, 6919 is the user owned > sshd process and 6921 is the shell process. > > $Id: README.privsep,v 1.8 2002/06/24 16:49:22 stevesk Exp $ > _______________________________________________ > openssh-unix-dev at mindrot.org mailing list > http://www.mindrot.org/mailman/listinfo/openssh-unix-dev >
Circa 2002-Jun-24 09:52:28 -0700 dixit Kevin Steves: : This is included in the release now; any feedback? [...] : When privsep is enabled, during the pre-authentication phase sshd will : chroot(2) to "/var/empty" and change its privileges to the "sshd" user : and its primary group. You should do something like the following to : prepare the privsep preauth environment: : : # mkdir /var/empty : # chown root:sys /var/empty I would rather say here: chown 0 /var/empty chgrp 0 /var/empty since several systems differ in which group is GID 0 (root, wheel, sys), and since a few systems differ in the syntax that chown accepts for specifying both UID and GID together ('chown uid:gid' versus 'chown uid.gid'). Recommending the above syntax avoids the problem entirely. : # chmod 755 /var/empty : # groupadd sshd : # useradd -g sshd -c 'sshd privsep' -d /var/empty sshd I'd also recommend '-s /dev/null' here, e.g.: useradd -g sshd -c 'sshd privsep' -d /var/empty \ -s /dev/null sshd since '/sbin/nologin' cannot be guaranteed to be present, nor is '/bin/false' always a binary program (i've seen some cases where it's a shell script). [...] : Privsep requires operating system support for file descriptor passing : and mmap(MAP_ANON). : : PAM-enabled OpenSSH is known to function with privsep on Linux. Would it be appropriate here to note that setting 'Compression no' in /etc/sshd_config is necessary on Linux systems with 2.2.x or older kernels? -- jim knoble | jmknoble at pobox.com | http://www.pobox.com/~jmknoble/ (GnuPG fingerprint: 31C4:8AAC:F24E:A70C:4000::BBF4:289F:EAA8:1381:1491) -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 262 bytes Desc: not available Url : http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20020624/cdb2f68c/attachment.bin
On Mon, 24 Jun 2002, Kevin Steves wrote:> Hi, > > If you are on UnixWare 7 or OpenUNIX 8 do this additional step. > # ln /usr/lib/.ns.so /usr/lib/ns.so.1Drop these two lines. If we are not going to do something like the patch below to fix the initgroups problem on UnixWare and some Linux, then add some lines like On UnixWare, OpenUNIX, and some Linux systems you will have to # mkdir /var/empty/etc # touch /var/empty/etc/group --- session.c.orig Mon Jun 24 07:29:13 2002 +++ session.c Mon Jun 24 18:49:49 2002 @@ -1180,6 +1180,7 @@ exit(1); } /* Initialize the group list. */ + if (strcmp(pw->pw_name, SSH_PRIVSEP_USER)) if (initgroups(pw->pw_name, pw->pw_gid) < 0) { perror("initgroups"); exit(1); -- Tim Rice Multitalents (707) 887-1469 tim at multitalents.net
On Mon, Jun 24, 2002 at 06:56:36PM -0700, Tim Rice wrote:> On Mon, 24 Jun 2002, Kevin Steves wrote: > > > Hi, > > > > If you are on UnixWare 7 or OpenUNIX 8 do this additional step. > > # ln /usr/lib/.ns.so /usr/lib/ns.so.1 > > Drop these two lines. If we are not going to do something like the patch > below to fix the initgroups problem on UnixWare and some Linux, then > add some lines like > > On UnixWare, OpenUNIX, and some Linux systems you will have to > # mkdir /var/empty/etc > # touch /var/empty/etc/groupwe have this now: http://www.openbsd.org/cgi-bin/cvsweb/src/usr.bin/ssh/sshd.c.diff?r1=1.250&r2=1.251 the ln stuff can go away now?
Reasonably Related Threads
- Availablity of OpenSSH on SCO Unixware 7.1.2
- [Bug 423] Workaround for pw change in privsep mode (3.5.p1)
- [Bug 192] monitor.c:545: undefined reference to `auth_password with USE_PAM on
- [Bug 312] canhost.h needs to be included
- [Bug 205] PrivSep needs to be a compile-time option