diff options
| author | Kevin Steves <stevesk@pobox.com> | 2002-06-26 00:43:57 +0000 |
|---|---|---|
| committer | Kevin Steves <stevesk@pobox.com> | 2002-06-26 00:43:57 +0000 |
| commit | 40b011c7fe2aede4e43be7049f074ab7c2347b2c (patch) | |
| tree | aa787bba8cf2d62f9164324e05c0aab1a3266f7c | |
| parent | 4e3c631b709d178c7df1634f401f087dcd604071 (diff) | |
- (stevesk) [README.privsep] more for sshd pseudo-account.
| -rw-r--r-- | ChangeLog | 3 | ||||
| -rw-r--r-- | README.privsep | 12 |
2 files changed, 10 insertions, 5 deletions
| @@ -32,6 +32,7 @@ | |||
| 32 | - (tim) [README.privsep] UnixWare tip no longer needed. | 32 | - (tim) [README.privsep] UnixWare tip no longer needed. |
| 33 | - (bal) fixed NeXTStep missing munmap() issue. It defines HAVE_MMAP, | 33 | - (bal) fixed NeXTStep missing munmap() issue. It defines HAVE_MMAP, |
| 34 | but it all damned lies. | 34 | but it all damned lies. |
| 35 | - (stevesk) [README.privsep] more for sshd pseudo-account. | ||
| 35 | 36 | ||
| 36 | 20020625 | 37 | 20020625 |
| 37 | - (stevesk) [INSTALL acconfig.h configure.ac defines.h] remove --with-rsh | 38 | - (stevesk) [INSTALL acconfig.h configure.ac defines.h] remove --with-rsh |
| @@ -1131,4 +1132,4 @@ | |||
| 1131 | - (stevesk) entropy.c: typo in debug message | 1132 | - (stevesk) entropy.c: typo in debug message |
| 1132 | - (djm) ssh-keygen -i needs seeded RNG; report from markus@ | 1133 | - (djm) ssh-keygen -i needs seeded RNG; report from markus@ |
| 1133 | 1134 | ||
| 1134 | $Id: ChangeLog,v 1.2286 2002/06/26 00:29:02 mouring Exp $ | 1135 | $Id: ChangeLog,v 1.2287 2002/06/26 00:43:57 stevesk Exp $ |
diff --git a/README.privsep b/README.privsep index dd8069a77..ced943f26 100644 --- a/README.privsep +++ b/README.privsep | |||
| @@ -14,14 +14,18 @@ function. | |||
| 14 | 14 | ||
| 15 | When privsep is enabled, during the pre-authentication phase sshd will | 15 | When privsep is enabled, during the pre-authentication phase sshd will |
| 16 | chroot(2) to "/var/empty" and change its privileges to the "sshd" user | 16 | chroot(2) to "/var/empty" and change its privileges to the "sshd" user |
| 17 | and its primary group. You should do something like the following to | 17 | and its primary group. sshd is a pseudo-account that should not be |
| 18 | prepare the privsep preauth environment: | 18 | used by other daemons, and must be locked and should contain a |
| 19 | "nologin" or invalid shell. | ||
| 20 | |||
| 21 | You should do something like the following to prepare the privsep | ||
| 22 | preauth environment: | ||
| 19 | 23 | ||
| 20 | # mkdir /var/empty | 24 | # mkdir /var/empty |
| 21 | # chown root:sys /var/empty | 25 | # chown root:sys /var/empty |
| 22 | # chmod 755 /var/empty | 26 | # chmod 755 /var/empty |
| 23 | # groupadd sshd | 27 | # groupadd sshd |
| 24 | # useradd -g sshd -c 'sshd privsep' -d /var/empty sshd | 28 | # useradd -g sshd -c 'sshd privsep' -d /var/empty -s /bin/false sshd |
| 25 | 29 | ||
| 26 | /var/empty should not contain any files. | 30 | /var/empty should not contain any files. |
| 27 | 31 | ||
| @@ -54,4 +58,4 @@ process 1005 is the sshd process listening for new connections. | |||
| 54 | process 6917 is the privileged monitor process, 6919 is the user owned | 58 | process 6917 is the privileged monitor process, 6919 is the user owned |
| 55 | sshd process and 6921 is the shell process. | 59 | sshd process and 6921 is the shell process. |
| 56 | 60 | ||
| 57 | $Id: README.privsep,v 1.9 2002/06/26 00:25:48 tim Exp $ | 61 | $Id: README.privsep,v 1.10 2002/06/26 00:43:57 stevesk Exp $ |