Re: privilege separation not working like before

From: list1@0ff.org
Date: 02/13/03

    Date: Thu, 13 Feb 2003 15:16:53 -0600
    To: secureshell@securityfocus.com
    From: "list1@0ff.org" <list1@0ff.org>
    
    

    In English that means what? I did an lsof on all the pids ..saw nothing
    pointing to /var/empty...it's working? It would be especially helpful to
    have a way to confirm it. And what's the deal with the ./configure not
    failing if you specify a nonexistent user as the privsep-user? Ideas?

    thanks again,

    Cherie

    At 02:31 PM 2/13/2003 -0600, you wrote:

    >On Thu, 13 Feb 2003, list1@0ff.org wrote:
    >
    > > Hello--
    > >
    > > I just realized that my previously installed sshd is NOT using privilege
    > > separation..So..I went to reconfigure it, and make sure it was working
    > > correctly.
    > >
    > > Configure:
    > >
    > > ./configure --with-tcp-wrappers --with-md5-passwords --with-pam
    > > --with-privsep-path=/var/empty --with-privsep-user=sshd
    > >
    > > Yes, sshd exists, yes /var/empty exists, yes yes yes..
    > >
    > > my current sshd_conf reads:
    > >
    > > PAMAuthenticationViaKbdInt no <-- per the README.privsep
    > > and
    > > UsePrivilegeSeparation yes <-- obvious
    > >
    > > and here is the current ps aux | grep sshd:
    > >
    > > root 24673 0.0 0.1 2644 1156 ? S Feb12 0:00 /usr/sbin/sshd
    > > root 254 0.0 0.2 3412 1644 ? S Feb12 0:00 /usr/sbin/sshd
    > > where 5321 0.0 0.2 3468 1876 ? S Feb12 0:00 /usr/sbin/sshd
    > >
    > > (pids are randomized, btw)
    > >
    >
    >I suspect that one is the parent sshd that listens for new requests, then
    >you have the 'Prived' and 'Unprived' children (which I assume is pid 254
    >and 5321). So for one connection you have 3 sshd running.. for two you
    >have 5, etc..
    >
    > > I am at a loss, configure shows no errors, make works, etc.. One thing I
    > > noticed that was most odd was that substituting a NON-existent user in
    > > place of sshd in the above configuration did NOT produce an error
    > >
    > > ssh version is OpenSSH_3.5p1
    > > linux box running 2.4.19-grsecurity kernel that _has_ had this working before
    > >
    >
    >The issue is that setproctitle() is not implemented for Linux.
    >
    >Off of OpenBSD you get:
    >
    >10071 ?? Is 0:06.41 /usr/sbin/sshd
    >30830 ?? Is 0:00.06 sshd: mouring [priv] (sshd)
    >31043 ?? I 1:12.01 sshd: mouring@ttyp0 (sshd)
    >
    >
    >the [priv] is running as root and the other is running as mouring. As a
    >result the few things that require root privs are passed up the [priv]
    >process to be handled.
    >
    >
    >- Ben
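
An added example (not part of the original thread and not OpenSSH's own tooling): on Linux, where the process titles give no hint, the split can be confirmed from each sshd process's UID and root directory under /proc. The function names, role labels and the PROC/PRIVSEP_PATH overrides are made up for this example; it assumes a Linux /proc layout and needs root so that /proc/PID/root is readable.

```sh
#!/bin/sh
# Added example: tell sshd processes apart by UID and root directory, not title.
# PROC and PRIVSEP_PATH are overridable; /var/empty matches the configure line above.
PROC=${PROC:-/proc}
PRIVSEP_PATH=${PRIVSEP_PATH:-/var/empty}

# status_field PID KEY: print the first value of "KEY:" from /proc/PID/status.
status_field() {
    [ -r "$PROC/$1/status" ] || return 0
    awk -v k="$2:" '$1 == k { print $2; exit }' "$PROC/$1/status"
}

# Print "PID UID ROLE" for every process whose name is sshd.
classify_sshd() {
    for dir in "$PROC"/[0-9]*; do
        pid=${dir##*/}
        [ "$(status_field "$pid" Name)" = sshd ] || continue
        uid=$(status_field "$pid" Uid)      # first Uid value = real UID
        ppid=$(status_field "$pid" PPid)
        parent=$(status_field "$ppid" Name)
        # Only the short-lived pre-auth child is chrooted to the privsep path,
        # so nothing points there once every session has authenticated.
        root=$(readlink "$dir/root" 2>/dev/null) || root=unknown
        if [ "$uid" != 0 ] && [ "$root" = "$PRIVSEP_PATH" ]; then
            role=unpriv-preauth-chroot
        elif [ "$uid" != 0 ]; then
            role=unpriv-user            # post-auth child running as the login user
        elif [ "$parent" = sshd ]; then
            role=root-child             # the [priv] monitor when privsep is on
        else
            role=listener
        fi
        echo "$pid $uid $role"
    done
}

# Succeeds only if some sshd process runs without root's UID.
privsep_active() {
    classify_sshd | grep -Eq ' unpriv-(preauth-chroot|user)$'
}

classify_sshd
```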


