diff options
Diffstat (limited to 'README.privsep')
| -rw-r--r-- | README.privsep | 11 |
1 files changed, 4 insertions, 7 deletions
diff --git a/README.privsep b/README.privsep index 460e90565..d658c46db 100644 --- a/README.privsep +++ b/README.privsep | |||
| @@ -5,13 +5,10 @@ escalation by containing corruption to an unprivileged process. | |||
| 5 | More information is available at: | 5 | More information is available at: |
| 6 | http://www.citi.umich.edu/u/provos/ssh/privsep.html | 6 | http://www.citi.umich.edu/u/provos/ssh/privsep.html |
| 7 | 7 | ||
| 8 | Privilege separation is now enabled by default; see the | 8 | Privilege separation is now mandatory. During the pre-authentication |
| 9 | UsePrivilegeSeparation option in sshd_config(5). | 9 | phase sshd will chroot(2) to "/var/empty" and change its privileges to the |
| 10 | 10 | "sshd" user and its primary group. sshd is a pseudo-account that should | |
| 11 | When privsep is enabled, during the pre-authentication phase sshd will | 11 | not be used by other daemons, and must be locked and should contain a |
| 12 | chroot(2) to "/var/empty" and change its privileges to the "sshd" user | ||
| 13 | and its primary group. sshd is a pseudo-account that should not be | ||
| 14 | used by other daemons, and must be locked and should contain a | ||
| 15 | "nologin" or invalid shell. | 12 | "nologin" or invalid shell. |
| 16 | 13 | ||
| 17 | You should do something like the following to prepare the privsep | 14 | You should do something like the following to prepare the privsep |