path: root/README.privsep
author: Kevin Steves <stevesk@pobox.com> 2002-06-26 00:43:57 +0000
committer: Kevin Steves <stevesk@pobox.com> 2002-06-26 00:43:57 +0000
commit: 40b011c7fe2aede4e43be7049f074ab7c2347b2c (patch)
tree: aa787bba8cf2d62f9164324e05c0aab1a3266f7c /README.privsep
parent: 4e3c631b709d178c7df1634f401f087dcd604071 (diff)
- (stevesk) [README.privsep] more for sshd pseudo-account.
Diffstat (limited to 'README.privsep')
-rw-r--r-- README.privsep 12
1 files changed, 8 insertions, 4 deletions
diff --git a/README.privsep b/README.privsep
index dd8069a77..ced943f26 100644
--- a/README.privsep
+++ b/README.privsep
@@ -14,14 +14,18 @@ function.
14 14
15When privsep is enabled, during the pre-authentication phase sshd will 15When privsep is enabled, during the pre-authentication phase sshd will
16chroot(2) to "/var/empty" and change its privileges to the "sshd" user 16chroot(2) to "/var/empty" and change its privileges to the "sshd" user
17and its primary group. You should do something like the following to 17and its primary group. sshd is a pseudo-account that should not be
18prepare the privsep preauth environment: 18used by other daemons, and must be locked and should contain a
19"nologin" or invalid shell.
20
21You should do something like the following to prepare the privsep
22preauth environment:
19 23
20 # mkdir /var/empty 24 # mkdir /var/empty
21 # chown root:sys /var/empty 25 # chown root:sys /var/empty
22 # chmod 755 /var/empty 26 # chmod 755 /var/empty
23 # groupadd sshd 27 # groupadd sshd
24 # useradd -g sshd -c 'sshd privsep' -d /var/empty sshd 28 # useradd -g sshd -c 'sshd privsep' -d /var/empty -s /bin/false sshd
25 29
26/var/empty should not contain any files. 30/var/empty should not contain any files.
27 31
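Review bot: the new paragraph in this hunk says the sshd pseudo-account "must be locked", but the command sequence below it only gains `-s /bin/false` on the useradd line and never locks the password, so a reader following the steps literally ends up with the shell requirement met and the locking requirement unaddressed. Either add an explicit locking step after the useradd line (for example `# passwd -l sshd` on platforms that support it) or state that useradd creates the account with a disabled password on the systems this README targets. Two smaller wording points in the same paragraph: an account does not "contain" a shell, so "should have a "nologin" or invalid shell" reads better, and since the prose names "nologin" first while the example uses /bin/false, a short remark that either is acceptable would avoid the apparent mismatch.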
@@ -54,4 +58,4 @@ process 1005 is the sshd process listening for new connections.
54process 6917 is the privileged monitor process, 6919 is the user owned 58process 6917 is the privileged monitor process, 6919 is the user owned
55sshd process and 6921 is the shell process. 59sshd process and 6921 is the shell process.
56 60
57$Id: README.privsep,v 1.9 2002/06/26 00:25:48 tim Exp $ 61$Id: README.privsep,v 1.10 2002/06/26 00:43:57 stevesk Exp $