author | Darren Tucker <dtucker@dtucker.net> | 2019-09-19 15:41:23 +1000 |
---|---|---|
committer | Darren Tucker <dtucker@dtucker.net> | 2019-09-19 15:41:23 +1000 |
commit | 5a273a33ca1410351cb484af7db7c13e8b4e8e4e (patch) | |
tree | bf54186a04ea1f0a2ced7fc902f191c1d1a13ab6 | |
parent | 8aa2aa3cd4d27d14e74b247c773696349472ef20 (diff) |
Privsep is now required.
-rw-r--r-- | INSTALL | 8 | ||||
-rw-r--r-- | README.privsep | 11 |
2 files changed, 8 insertions, 11 deletions
@@ -24,6 +24,10 @@ If you must use a non-position-independent libcrypto, then you may need | |||
24 | to configure OpenSSH --without-pie. Note that due to a bug in EVP_CipherInit | 24 | to configure OpenSSH --without-pie. Note that due to a bug in EVP_CipherInit |
25 | OpenSSL 1.1 versions prior to 1.1.0g can't be used. | 25 | OpenSSL 1.1 versions prior to 1.1.0g can't be used. |
26 | 26 | ||
27 | To support Privilege Separation (which is now required) you will need | ||
28 | to create the user, group and directory used by sshd for privilege | ||
29 | separation. See README.privsep for details. | ||
30 | |||
27 | The remaining items are optional. | 31 | The remaining items are optional. |
28 | 32 | ||
29 | NB. If you operating system supports /dev/random, you should configure | 33 | NB. If you operating system supports /dev/random, you should configure |
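Review bot: The wording "To support Privilege Separation (which is now required)" at new lines 27-29 still reads as if privsep were a feature you opt into, which contradicts the parenthetical. Since the paragraph now sits above "The remaining items are optional", state it as a hard prerequisite, for example "sshd requires a dedicated user, group and directory for privilege separation. See README.privsep for details." While this part of the file is being touched, the context line "If you operating system supports /dev/random" also has a typo ("you" for "your") that could be fixed in the same commit.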
@@ -133,10 +137,6 @@ make install | |||
133 | This will install the binaries in /opt/{bin,lib,sbin}, but will place the | 137 | This will install the binaries in /opt/{bin,lib,sbin}, but will place the |
134 | configuration files in /etc/ssh. | 138 | configuration files in /etc/ssh. |
135 | 139 | ||
136 | If you are using Privilege Separation (which is enabled by default) | ||
137 | then you will also need to create the user, group and directory used by | ||
138 | sshd for privilege separation. See README.privsep for details. | ||
139 | |||
140 | If you are using PAM, you may need to manually install a PAM control | 140 | If you are using PAM, you may need to manually install a PAM control |
141 | file as "/etc/pam.d/sshd" (or wherever your system prefers to keep | 141 | file as "/etc/pam.d/sshd" (or wherever your system prefers to keep |
142 | them). Note that the service name used to start PAM is __progname, | 142 | them). Note that the service name used to start PAM is __progname, |
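Review bot: Dropping old lines 136-138 leaves the post-"make install" section with no mention of the privsep user, group and directory, so someone who jumps straight to the install steps will not see the requirement that was moved to the prerequisites. Consider keeping a one-line pointer here, such as "Make sure the privsep user, group and directory described in README.privsep exist before starting sshd", rather than removing the reminder entirely.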
diff --git a/README.privsep b/README.privsep index 460e90565..d658c46db 100644 --- a/README.privsep +++ b/README.privsep | |||
@@ -5,13 +5,10 @@ escalation by containing corruption to an unprivileged process. | |||
5 | More information is available at: | 5 | More information is available at: |
6 | http://www.citi.umich.edu/u/provos/ssh/privsep.html | 6 | http://www.citi.umich.edu/u/provos/ssh/privsep.html |
7 | 7 | ||
8 | Privilege separation is now enabled by default; see the | 8 | Privilege separation is now mandatory. During the pre-authentication |
9 | UsePrivilegeSeparation option in sshd_config(5). | 9 | phase sshd will chroot(2) to "/var/empty" and change its privileges to the |
10 | 10 | "sshd" user and its primary group. sshd is a pseudo-account that should | |
11 | When privsep is enabled, during the pre-authentication phase sshd will | 11 | not be used by other daemons, and must be locked and should contain a |
12 | chroot(2) to "/var/empty" and change its privileges to the "sshd" user | ||
13 | and its primary group. sshd is a pseudo-account that should not be | ||
14 | used by other daemons, and must be locked and should contain a | ||
15 | "nologin" or invalid shell. | 12 | "nologin" or invalid shell. |
16 | 13 | ||
17 | You should do something like the following to prepare the privsep | 14 | You should do something like the following to prepare the privsep |
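Review bot: The rewritten paragraph at new lines 8-12 removes the only reference to the UsePrivilegeSeparation option in sshd_config(5) without saying what now happens to it. Administrators with that keyword in an existing sshd_config will look here first, so add a sentence stating the option's current status now that privsep is mandatory. Separately, the carried-over sentence mixes "must be locked" with "should contain a nologin or invalid shell"; now that the account is always used, it would be clearer to say which of the two is a hard requirement.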