privilege separation not working like before

From: list1@0ff.org
Date: 02/13/03

    Date: Thu, 13 Feb 2003 00:17:29 -0600
    To: secureshell@securityfocus.com
    From: "list1@0ff.org" <list1@0ff.org>
    
    

    Hello--

    I just realized that my previously installed sshd is NOT using privilege
    separation. So I went to reconfigure it and make sure it was working
    correctly.

    Configure:

    ./configure --with-tcp-wrappers --with-md5-passwords --with-pam \
        --with-privsep-path=/var/empty --with-privsep-user=sshd

    Yes, sshd exists, yes /var/empty exists, yes yes yes..

    my current sshd_conf reads:

    PAMAuthenticationViaKbdInt no <-- per the README.privsep
    and
    UsePrivilegeSeparation yes <-- obvious

    and here is the current ps aux | grep sshd:

    root 24673 0.0 0.1 2644 1156 ? S Feb12 0:00 /usr/sbin/sshd
    root 254 0.0 0.2 3412 1644 ? S Feb12 0:00 /usr/sbin/sshd
    where 5321 0.0 0.2 3468 1876 ? S Feb12 0:00 /usr/sbin/sshd

    (pids are randomized, btw)

    I am at a loss; configure shows no errors, make works, etc. One thing I
    noticed that was most odd was that substituting a NON-existent user in
    place of sshd in the above configuration did NOT produce an error.

    ssh version is OpenSSH_3.5p1
    linux box running 2.4.19-grsecurity kernel that _has_ had this working before

    any help appreciated, thanks in advance,

    Cherie
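
A way to read this kind of `ps` listing, as an added example that is not part of the original post: under OpenSSH privilege separation each connection has a root monitor sshd whose child sshd runs as the privsep user before login and as the logged-in user afterwards, so the check needs the PPID column that `ps aux` omits. The function names, role labels and sample data are constructed for illustration; the privsep user `sshd` is taken from the configure line in the post.

```shell
#!/bin/sh
# Added example. Input: `ps -eo pid,ppid,user,args` text on stdin.
# Output: "PID USER ROLE" for every sshd process, sorted by PID.
# PRIVSEP_USER defaults to "sshd", the --with-privsep-user value in the post.
classify_sshd() {
    awk -v pu="${PRIVSEP_USER:-sshd}" '
    # Keep only sshd rows; the header row fails the numeric PID test.
    $1 ~ /^[0-9]+$/ && $4 ~ /(^|\/)sshd:?$/ { user[$1] = $3; parent[$1] = $2 }
    END {
        for (p in user) if (parent[p] in user) kids[parent[p]]++
        for (p in user) {
            if (!(parent[p] in user))   role = "listener"       # parent is not an sshd
            else if (user[p] == pu)     role = "preauth-child"  # unprivileged, before login
            else if (user[p] != "root") role = "postauth-child" # runs as the logged-in user
            else if (kids[p] > 0)       role = "monitor"        # root parent of a child sshd
            else                        role = "root-no-child"  # no split seen, or a root login
            print p, user[p], role
        }
    }' | sort -n
}

# Succeeds when at least one connection shows a monitor/child split.
privsep_seen() {
    classify_sshd | grep -Eq ' (monitor|preauth-child|postauth-child)$'
}

# Constructed sample: PIDs and user names are made up for this example.
SAMPLE='  PID  PPID USER  COMMAND
  410     1 root  /usr/sbin/sshd
  902   410 root  /usr/sbin/sshd
  905   902 alice /usr/sbin/sshd
  906   905 alice -bash
  950   410 root  /usr/sbin/sshd
  951   950 sshd  /usr/sbin/sshd
  980   410 root  /usr/sbin/sshd
  981   980 bob   -bash'

printf '%s\n' "$SAMPLE" | classify_sshd
# Live check on a host: ps -eo pid,ppid,user,args | classify_sshd
```

A `root-no-child` row is ambiguous on its own: it is what a session without privilege separation looks like, but a root login also leaves no lower-privileged child to show.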


