author: Kevin Steves <stevesk@pobox.com> 2002-06-26 00:43:57 +0000
committer: Kevin Steves <stevesk@pobox.com> 2002-06-26 00:43:57 +0000
commit: 40b011c7fe2aede4e43be7049f074ab7c2347b2c (patch)
tree: aa787bba8cf2d62f9164324e05c0aab1a3266f7c
parent: 4e3c631b709d178c7df1634f401f087dcd604071 (diff)
- (stevesk) [README.privsep] more for sshd pseudo-account.
-rw-r--r-- ChangeLog | 3
-rw-r--r-- README.privsep | 12
2 files changed, 10 insertions, 5 deletions
diff --git a/ChangeLog b/ChangeLog
index 2b7bfd0d0..b28bb4b07 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -32,6 +32,7 @@
32 - (tim) [README.privsep] UnixWare tip no longer needed. 32 - (tim) [README.privsep] UnixWare tip no longer needed.
33 - (bal) fixed NeXTStep missing munmap() issue. It defines HAVE_MMAP, 33 - (bal) fixed NeXTStep missing munmap() issue. It defines HAVE_MMAP,
34 but it all damned lies. 34 but it all damned lies.
35 - (stevesk) [README.privsep] more for sshd pseudo-account.
35 36
3620020625 3720020625
37 - (stevesk) [INSTALL acconfig.h configure.ac defines.h] remove --with-rsh 38 - (stevesk) [INSTALL acconfig.h configure.ac defines.h] remove --with-rsh
@@ -1131,4 +1132,4 @@
1131 - (stevesk) entropy.c: typo in debug message 1132 - (stevesk) entropy.c: typo in debug message
1132 - (djm) ssh-keygen -i needs seeded RNG; report from markus@ 1133 - (djm) ssh-keygen -i needs seeded RNG; report from markus@
1133 1134
1134$Id: ChangeLog,v 1.2286 2002/06/26 00:29:02 mouring Exp $ 1135$Id: ChangeLog,v 1.2287 2002/06/26 00:43:57 stevesk Exp $
diff --git a/README.privsep b/README.privsep
index dd8069a77..ced943f26 100644
--- a/README.privsep
+++ b/README.privsep
@@ -14,14 +14,18 @@ function.
14 14
15When privsep is enabled, during the pre-authentication phase sshd will 15When privsep is enabled, during the pre-authentication phase sshd will
16chroot(2) to "/var/empty" and change its privileges to the "sshd" user 16chroot(2) to "/var/empty" and change its privileges to the "sshd" user
17and its primary group. You should do something like the following to 17and its primary group. sshd is a pseudo-account that should not be
18prepare the privsep preauth environment: 18used by other daemons, and must be locked and should contain a
19"nologin" or invalid shell.
20
21You should do something like the following to prepare the privsep
22preauth environment:
19 23
20 # mkdir /var/empty 24 # mkdir /var/empty
21 # chown root:sys /var/empty 25 # chown root:sys /var/empty
22 # chmod 755 /var/empty 26 # chmod 755 /var/empty
23 # groupadd sshd 27 # groupadd sshd
24 # useradd -g sshd -c 'sshd privsep' -d /var/empty sshd 28 # useradd -g sshd -c 'sshd privsep' -d /var/empty -s /bin/false sshd
25 29
26/var/empty should not contain any files. 30/var/empty should not contain any files.
27 31
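Review bot: the new text on lines 17-19 of this hunk says the sshd pseudo-account "must be locked", but the only matching change to the commands is the added `-s /bin/false` on the useradd line, which sets an invalid shell and does nothing about the password; a reader who follows the listed steps verbatim therefore ends up short of what the prose requires. Consider adding an explicit lock step after the useradd (e.g. `passwd -l sshd` where the platform supports it) so the commands and the text agree. Minor wording point on the same lines: "must be locked and should contain a "nologin" or invalid shell" reads awkwardly, since an account does not "contain" a shell; something like "must be locked, and its login shell should be set to nologin or another invalid shell" says the same thing more clearly.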
@@ -54,4 +58,4 @@ process 1005 is the sshd process listening for new connections.
54process 6917 is the privileged monitor process, 6919 is the user owned 58process 6917 is the privileged monitor process, 6919 is the user owned
55sshd process and 6921 is the shell process. 59sshd process and 6921 is the shell process.
56 60
57$Id: README.privsep,v 1.9 2002/06/26 00:25:48 tim Exp $ 61$Id: README.privsep,v 1.10 2002/06/26 00:43:57 stevesk Exp $