search for: ssh_privsep_user

Hi, Right now, the unprivileged account for privilege separation is only configurable at compile time (SSH_PRIVSEP_USER). I'd like to ask if it would be acceptable to have the account runtime configurable by adding something like PrivilegeSeparationAccount foo to sshd_config. The reason I'm asking is this. I'm working on a long overdue change to Cygwin which is supposed to get rid of the /etc/pass...

...=================================================================== RCS file: /cvs/openssh/sshd.c,v retrieving revision 1.200 diff -u -r1.200 sshd.c --- sshd.c 2 Apr 2002 20:48:20 -0000 1.200 +++ sshd.c 18 Apr 2002 13:36:04 -0000 @@ -536,7 +536,7 @@ demote_sensitive_data(); if ((pw = getpwnam(SSH_PRIVSEP_USER)) == NULL) - fatal("%s: no user", SSH_PRIVSEP_USER); + fatal("no user: %s", SSH_PRIVSEP_USER); memset(pw->pw_passwd, 0, strlen(pw->pw_passwd)); endpwent();

...-u -r1.5 buildpkg.sh --- contrib/solaris/buildpkg.sh 9 Jul 2002 02:02:11 -0000 1.5 +++ contrib/solaris/buildpkg.sh 15 Jul 2002 12:32:49 -0000 @@ -98,6 +98,19 @@ eval $confvar=`grep "^$confvar=" Makefile | cut -d = -f 2` done + +## Collect value of privsep user +for confvar in SSH_PRIVSEP_USER +do + eval $confvar=`awk '/#define[ \t]'$confvar'/{print $3}' config.h` +done + +## Set privsep defaults if not defined +if [ -z "$SSH_PRIVSEP_USER" ] +then + SSH_PRIVSEP_USER=sshd +fi + ## Extract common info requires for the 'info' part of the pack...

...5-09-01 10:15:22.000000000 +0100 +++ openssh-4.2p1/config.h.in 2006-01-07 17:44:23.000000000 +0000 @@ -152,6 +152,9 @@ /* Builtin PRNG command timeout */ #undef ENTROPY_TIMEOUT_MSEC +/* Use privilege separation */ +#undef USE_PRIVSEP + /* non-privileged user for privilege separation */ #undef SSH_PRIVSEP_USER --- openssh-4.2p1/configure.ac~ 2005-08-31 17:59:49.000000000 +0100 +++ openssh-4.2p1/configure.ac 2006-01-07 18:41:38.000000000 +0000 @@ -1873,6 +1873,16 @@ AC_ARG_WITH(entropy-timeout, ) AC_DEFINE_UNQUOTED(ENTROPY_TIMEOUT_MSEC, $entropy_timeout) +use_privsep=1 + +AC_ARG_WITH(privsep, + [ -...

...grep ssh' to see if the privsep user has been created. The trouble is that invoking 'lsusers ALL' takes TWO HOURS to complete at a particular site with thousands of users! The simple fix to contrib/aix/buildbff.sh was: 225c225 < if lsuser ALL | cut -f1 -d: | egrep '^'$SSH_PRIVSEP_USER'\$' >/dev/null --- > if lsuser "$SSH_PRIVSEP_USER" >/dev/null ------- You are receiving this mail because: ------- You are the assignee for the bug, or are watching the assignee.

...) + fatal("chdir(\"%s\"): %s", emptydir, strerror(errno)); + if (write(pmonitor->m_sendfd, &status, 1) < 0) + fatal("write(): %s", strerror(errno)); close(pmonitor->m_sendfd); /* Demote the child */ @@ -1008,10 +1027,6 @@ if ((pw = getpwnam(SSH_PRIVSEP_USER)) == NULL) fatal("Privilege separation user %s does not exist", SSH_PRIVSEP_USER); - if ((stat(_PATH_PRIVSEP_CHROOT_DIR, &st) == -1) || - (S_ISDIR(st.st_mode) == 0)) - fatal("Missing privilege separation directory: %s", - _PATH_PRIVSEP_CHROOT_DIR);...

...method shows that a utmp entry does get made for the tty. There are several issues I see with this configuration, but I don't think any pose insurmountable problems: - There is an #if'd-out call to do_setusercontext() in the subroutine privsep_preauth_child(), which means that the SSH_PRIVSEP_USER would be run through the session_setup_sia() should the '#if 0' preprocessor directive be removed. I don't want SSH_PRIVSEP_USER to be passed through session_setup_sia(), because I like that account to be locked and the session setup stuff would fail in this case....

OpenSSH 7.5 has just been released. It will be available from the mirrors listed at http://www.openssh.com/ shortly. OpenSSH is a 100% complete SSH protocol 2.0 implementation and includes sftp client and server support. OpenSSH also includes transitional support for the legacy SSH 1.3 and 1.5 protocols that may be enabled at compile-time. Once again, we would like to thank the OpenSSH community

...gt; diff --git a/sshd.c b/sshd.c > > index 010a2c3..4f9b2c8 100644 > > --- a/sshd.c > > +++ b/sshd.c > > @@ -1641,7 +1641,8 @@ main(int ac, char **av) > > > > /* Store privilege separation user for later use if required. */ > > if ((privsep_pw = getpwnam(SSH_PRIVSEP_USER)) == NULL) { > > - if (use_privsep || options.kerberos_authentication) > > + if ((use_privsep || options.kerberos_authentication) > > + && (getuid() == 0 || geteuid() == 0)) > > fatal("Privilege separation user %s does not exist", > >...

...ve been trying to resolve issues shown by bug 302 as i`m getting error id sshd || \ echo "WARNING: Privilege separation user \"sshd\" does not exist" when running a make install. The bug fix advises to change id sshd to id sshd - t in makefile.in however I only have id $(SSH_PRIVSEP_USER) in my makefile.in. When i substitute sshd -t for the variable I still get the same error. Your help would be much appreciated. ------- You are receiving this mail because: ------- You are the assignee for the bug, or are watching the assignee.

...etstat' PROG_PS='/bin/ps' PROG_SAR='undef' PROG_TAIL='/bin/tail' PROG_UPTIME='undef' PROG_VMSTAT='undef' PROG_W='undef' PROG_WHO='/bin/who' RANLIB='ranlib' SED='/usr/bin/sed' SH='/usr/bin/sh' SHELL='/bin/sh' SSH_PRIVSEP_USER='sshd' STARTUP_SCRIPT_SHELL='/bin/sh' STRIP_OPT='-s' TEST_MINUS_S_SH='/usr/bin/bash' TEST_SHELL='sh' XAUTH_PATH='undefined' ac_ct_CC='gcc' ac_ct_RANLIB='ranlib' bindir='${exec_prefix}/bin' build='i686-pc-cygwin' build_a...

...v/systrace.h> +]) +AC_CHECK_DECL([RLIMIT_NPROC], + [AC_DEFINE([HAVE_RLIMIT_NPROC], [], [sys/resource.h has RLIMIT_NPROC])], , [ + #include <sys/types.h> + #include <sys/resource.h> +]) use_stack_protector=1 AC_ARG_WITH([stackprotect], @@ -2461,6 +2471,34 @@ AC_DEFINE_UNQUOTED([SSH_PRIVSEP_USER], [ [non-privileged user for privilege separation]) AC_SUBST([SSH_PRIVSEP_USER]) +# Decide which sandbox style to use +sandbox_arg="" +AC_ARG_WITH([sandbox], + [ --with-sandbox=style Specify privilege separation sandbox (no, rlimit, systrace)], + [ + if test "x$withval&quot...

...versions differ for %s: %.200s vs. %.200s", @@ -583,7 +613,25 @@ /* Store a pointer to the kex for later rekeying */ pmonitor->m_pkex = &xxx_kex; +#if #system(bs2000) + { + char *upper; + /* BS2000(PSD/POSIX) ufork needs the user name in UPPER case */ + upper = xstrdup(SSH_PRIVSEP_USER); + strupper(upper, NULL); + if ((pid = ufork(upper)) == -1 && errno == EPERM) { + if (getpwnam(SSH_PRIVSEP_USER) == NULL) + fatal("Privilege separation user %s does not exist", + SSH_PRIVSEP_USER); +...

Hi, This is included in the release now; any feedback? Privilege separation, or privsep, is method in OpenSSH by which operations that require root privilege are performed by a separate privileged monitor process. Its purpose is to prevent privilege escalation by containing corruption to an unprivileged process. More information is available at:

http://bugzilla.mindrot.org/show_bug.cgi?id=651 ------- Additional Comments From vikashb at comparexafrica.co.za 2003-12-30 16:39 ------- tried openssh-SNAP-20031223 does not compile: (cd openbsd-compat && make) gcc -g -O2 -Wall -Wpointer-arith -Wno-uninitialized -I. -I.. -I. -I./.. -I/usr/local/ssl/include -Dftruncate=chsize -I/usr/local/include -DHAVE_CONFIG_H -c

...else + SCTP_MSG="no" + fi + ] +) + +if test "x$SCTP_MSG" = "xyes"; then + if test "x$have_sctp" != "xyes" ; then + AC_MSG_ERROR([SCTP support not found]) + fi + + AC_DEFINE([USE_SCTP], [1], + [Define if you want to enable SCTP support]) +fi + SSH_PRIVSEP_USER=sshd AC_ARG_WITH([privsep-user], [ --with-privsep-user=user Specify non-privileged user for privilege separation], @@ -4838,6 +4865,7 @@ echo " sshd superuser user PATH: $J" fi echo " Manpage format: $MANTYPE" echo "...

...f WITH_AIXAUTHENTICATE */ /* #undef AIX_LOGINFAILED_4ARG */ /* #undef SKEYCHALLENGE_4ARG */ /* #undef WITH_IRIX_ARRAY */ /* #undef WITH_IRIX_PROJECT */ /* #undef WITH_IRIX_AUDIT */ /* #undef WITH_IRIX_JOBS */ /* #undef PRNGD_SOCKET */ /* #undef PRNGD_PORT */ #define ENTROPY_TIMEOUT_MSEC 200 #define SSH_PRIVSEP_USER "sshd" /* #undef MANTYPE */ #define HAVE_OPENSSL 1 /* #undef RSAREF */ #define HAVE_STRUCT_TIMEVAL 1 #define HAVE_HOST_IN_UTMP 1 #define HAVE_HOST_IN_UTMPX 1 #define HAVE_ADDR_IN_UTMP 1 #define HAVE_ADDR_IN_UTMPX 1 #define HAVE_ADDR_V6_IN_UTMP 1 #define HAVE_ADDR_V6_IN_UTMPX 1 /* #undef H...

Hi, The main (and probably the only) use case of this PAM module is to let sudo authenticate users via their ssh-agent, therefore without having to type any password and without being tempted to use the NOPASSWD sudo option for such convenience. The principle is originally implemented by an existing module [0][1] and many pages that explain how to use it for such purpose can be found online.

...nd %s", name); --- openssh-4.7p1/Makefile.in Tue Dec 18 02:42:38 2007 +++ openssh-4.7p1/Makefile.in Tue Dec 18 02:42:21 2007 @@ -18,6 +18,7 @@ piddir=@piddir@ srcdir=@srcdir@ top_srcdir=@top_srcdir@ +ssldir=@ssldir@ DESTDIR= VPATH=@srcdir@ @@ -29,6 +30,7 @@ PRIVSEP_PATH=@PRIVSEP_PATH@ SSH_PRIVSEP_USER=@SSH_PRIVSEP_USER@ STRIP_OPT=@STRIP_OPT@ +FIPS_MODE=@FIPS_MODE@ PATHS= -DSSHDIR=\"$(sysconfdir)\" \ -D_PATH_SSH_PROGRAM=\"$(SSH_PROGRAM)\" \ @@ -252,12 +254,18 @@ $(srcdir)/mkinstalldirs $(DESTDIR)$(libexecdir) (umask 022 ; $(srcdir)/mkinstalldirs $(DESTDIR)$(PRIVSEP_P...