- provos@cvs.openbsd.org 2002/03/18 17:59:09

[sshd.8] document UsePrivilegeSeparation
author: Ben Lindstrom <mouring@eviladmin.org> 2002-03-22 02:37:50 +0000
committer: Ben Lindstrom <mouring@eviladmin.org> 2002-03-22 02:37:50 +0000
commit: 191c8e5eb92bd482ad7444a4287fea0bae57af25 (patch)
tree: 02ec25d09d12f1802e14f520a87165c693e3b12c
parent: 000dda537329dc06e00d28a5c0bd5234d69e1863 (diff)
2 files changed, 18 insertions, 3 deletions
diff --git a/ChangeLog b/ChangeLog
index 771eca953..df05e15ac 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -68,6 +68,9 @@
   - provos@cvs.openbsd.org 2002/03/18 17:53:08
     [sshd.8]
     credits for privsep
+   - provos@cvs.openbsd.org 2002/03/18 17:59:09
+     [sshd.8]
+     document UsePrivilegeSeparation
 20020317
 - (tim) [configure.ac] Assume path given with --with-pid-dir=PATH is wanted,
@@ -7914,4 +7917,4 @@
 - Wrote replacements for strlcpy and mkdtemp
 - Released 1.0pre1
-$Id: ChangeLog,v 1.1944 2002/03/22 02:33:12 mouring Exp $
+$Id: ChangeLog,v 1.1945 2002/03/22 02:37:50 mouring Exp $
diff --git a/sshd.8 b/sshd.8
index e71ba3cb2..3e94660d6 100644
--- a/sshd.8
+++ b/sshd.8
@@ -34,7 +34,7 @@
 .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.\" $OpenBSD: sshd.8,v 1.171 2002/03/18 17:53:08 provos Exp $
+.\" $OpenBSD: sshd.8,v 1.172 2002/03/18 17:59:09 provos Exp $
 .Dd September 25, 1999
 .Dt SSHD 8
 .Os
@@ -839,7 +839,19 @@ will be disabled because
 .Xr login 1
 does not know how to handle
 .Xr xauth 1
-cookies.
+cookies.  If
+.Cm UsePrivilegeSeparation
+is specified, it will be disabled after authentication.
+.It Cm UsePrivilegeSeparation
+Specifies whether
+.Nm
+separated privileges by creating an unprivileged child process
+to deal with incoming network traffic.  After successful authentication,
+another process will be created that has the privilege of the authenticated
+user.  The goal of privilege separation is to prevent privilege
+escalation by containing any corruption within the unprivileged processes.
+The default is
+.Dq no .
 .It Cm VerifyReverseMapping
 Specifies whether
 .Nm
author	Ben Lindstrom <mouring@eviladmin.org>	2002-03-22 02:37:50 +0000
committer	Ben Lindstrom <mouring@eviladmin.org>	2002-03-22 02:37:50 +0000
commit	191c8e5eb92bd482ad7444a4287fea0bae57af25 (patch)
tree	02ec25d09d12f1802e14f520a87165c693e3b12c
parent	000dda537329dc06e00d28a5c0bd5234d69e1863 (diff)

diff --git a/ChangeLog b/ChangeLog index 771eca953..df05e15ac 100644 --- a/ChangeLog +++ b/ChangeLog
@@ -68,6 +68,9 @@
68	- provos@cvs.openbsd.org 2002/03/18 17:53:08	68	- provos@cvs.openbsd.org 2002/03/18 17:53:08
69	[sshd.8]	69	[sshd.8]
70	credits for privsep	70	credits for privsep
		71	- provos@cvs.openbsd.org 2002/03/18 17:59:09
		72	[sshd.8]
		73	document UsePrivilegeSeparation
71		74
72	20020317	75	20020317
73	- (tim) [configure.ac] Assume path given with --with-pid-dir=PATH is wanted,	76	- (tim) [configure.ac] Assume path given with --with-pid-dir=PATH is wanted,
@@ -7914,4 +7917,4 @@
7914	- Wrote replacements for strlcpy and mkdtemp	7917	- Wrote replacements for strlcpy and mkdtemp
7915	- Released 1.0pre1	7918	- Released 1.0pre1
7916		7919
7917	$Id: ChangeLog,v 1.1944 2002/03/22 02:33:12 mouring Exp $	7920	$Id: ChangeLog,v 1.1945 2002/03/22 02:37:50 mouring Exp $


diff --git a/sshd.8 b/sshd.8 index e71ba3cb2..3e94660d6 100644 --- a/sshd.8 +++ b/sshd.8
@@ -34,7 +34,7 @@
34	.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF	34	.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
35	.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.	35	.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
36	.\"	36	.\"
37	.\" $OpenBSD: sshd.8,v 1.171 2002/03/18 17:53:08 provos Exp $	37	.\" $OpenBSD: sshd.8,v 1.172 2002/03/18 17:59:09 provos Exp $
38	.Dd September 25, 1999	38	.Dd September 25, 1999
39	.Dt SSHD 8	39	.Dt SSHD 8
40	.Os	40	.Os
@@ -839,7 +839,19 @@ will be disabled because
839	.Xr login 1	839	.Xr login 1
840	does not know how to handle	840	does not know how to handle
841	.Xr xauth 1	841	.Xr xauth 1
842	cookies.	842	cookies. If
		843	.Cm UsePrivilegeSeparation
		844	is specified, it will be disabled after authentication.
		845	.It Cm UsePrivilegeSeparation
		846	Specifies whether
		847	.Nm
		848	separated privileges by creating an unprivileged child process
		849	to deal with incoming network traffic. After successful authentication,
		850	another process will be created that has the privilege of the authenticated
		851	user. The goal of privilege separation is to prevent privilege
		852	escalation by containing any corruption within the unprivileged processes.
		853	The default is
		854	.Dq no .
843	.It Cm VerifyReverseMapping	855	.It Cm VerifyReverseMapping
844	Specifies whether	856	Specifies whether
845	.Nm	857	.Nm