summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorDarren Tucker <dtucker@dtucker.net>2019-09-19 15:41:23 +1000
committerDarren Tucker <dtucker@dtucker.net>2019-09-19 15:41:23 +1000
commit5a273a33ca1410351cb484af7db7c13e8b4e8e4e (patch)
treebf54186a04ea1f0a2ced7fc902f191c1d1a13ab6
parent8aa2aa3cd4d27d14e74b247c773696349472ef20 (diff)
Privsep is now required.
-rw-r--r--INSTALL8
-rw-r--r--README.privsep11
2 files changed, 8 insertions, 11 deletions
diff --git a/INSTALL b/INSTALL
index d0fa00e6c..814768791 100644
--- a/INSTALL
+++ b/INSTALL
@@ -24,6 +24,10 @@ If you must use a non-position-independent libcrypto, then you may need
24to configure OpenSSH --without-pie. Note that due to a bug in EVP_CipherInit 24to configure OpenSSH --without-pie. Note that due to a bug in EVP_CipherInit
25OpenSSL 1.1 versions prior to 1.1.0g can't be used. 25OpenSSL 1.1 versions prior to 1.1.0g can't be used.
26 26
27To support Privilege Separation (which is now required) you will need
28to create the user, group and directory used by sshd for privilege
29separation. See README.privsep for details.
30
27The remaining items are optional. 31The remaining items are optional.
28 32
29NB. If you operating system supports /dev/random, you should configure 33NB. If you operating system supports /dev/random, you should configure
@@ -133,10 +137,6 @@ make install
133This will install the binaries in /opt/{bin,lib,sbin}, but will place the 137This will install the binaries in /opt/{bin,lib,sbin}, but will place the
134configuration files in /etc/ssh. 138configuration files in /etc/ssh.
135 139
136If you are using Privilege Separation (which is enabled by default)
137then you will also need to create the user, group and directory used by
138sshd for privilege separation. See README.privsep for details.
139
140If you are using PAM, you may need to manually install a PAM control 140If you are using PAM, you may need to manually install a PAM control
141file as "/etc/pam.d/sshd" (or wherever your system prefers to keep 141file as "/etc/pam.d/sshd" (or wherever your system prefers to keep
142them). Note that the service name used to start PAM is __progname, 142them). Note that the service name used to start PAM is __progname,
diff --git a/README.privsep b/README.privsep
index 460e90565..d658c46db 100644
--- a/README.privsep
+++ b/README.privsep
@@ -5,13 +5,10 @@ escalation by containing corruption to an unprivileged process.
5More information is available at: 5More information is available at:
6 http://www.citi.umich.edu/u/provos/ssh/privsep.html 6 http://www.citi.umich.edu/u/provos/ssh/privsep.html
7 7
8Privilege separation is now enabled by default; see the 8Privilege separation is now mandatory. During the pre-authentication
9UsePrivilegeSeparation option in sshd_config(5). 9phase sshd will chroot(2) to "/var/empty" and change its privileges to the
10 10"sshd" user and its primary group. sshd is a pseudo-account that should
11When privsep is enabled, during the pre-authentication phase sshd will 11not be used by other daemons, and must be locked and should contain a
12chroot(2) to "/var/empty" and change its privileges to the "sshd" user
13and its primary group. sshd is a pseudo-account that should not be
14used by other daemons, and must be locked and should contain a
15"nologin" or invalid shell. 12"nologin" or invalid shell.
16 13
17You should do something like the following to prepare the privsep 14You should do something like the following to prepare the privsep