Re: How to verify Privilege Separation is working?
From: David Walker (ssh_at_grax.com)
To: email@example.com
Date: Sun, 26 Sep 2004 11:52:09 -0500

ssh into your server to an account that requires a password or a non-existing
account that prompts for a password. Don't enter a password at this time but
run your ps command (from another shell of course). If privilege separation
is operational then you will see an sshd process running under the separation
account such as "sshd".

On Friday 24 September 2004 02:59 am, Philip Le Riche wrote:
> Hi -
> Is there a simple way to positively demonstrate that privilege
> separation is working? Running ps -fe shows all sshd processes running
> as root. If /var/empty doesn't exist, sshd still seems to work, but
> presumably without privilege separation. There may be other
> configuration errors which could have the same effect.
> (The reason I ask is that a vulnerability assessment has shown that I
> need to upgrade to OpenSSH 3.7.1 to avoid known vulnerabilities.
> However, rebuilding from source has run into problems with
> incompatible libraries since we're on an old version of AIX. No doubt
> these are fixable, given time my management may not allow me, but if I
> could positively demonstrate that privilege separation is working, I
> could argue that the risk is low and limited to DoS. Agreed?)
> - Philip
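
The check described in the reply, written as a script. This is an added example, not part of the original thread. It assumes the separation account is named "sshd" and that `ps -eo user,pid,ppid,args` is available; the sample process listings are constructed.

```shell
#!/bin/sh
# Added example: find sshd pre-authentication children that have dropped
# privileges. Input is the output of: ps -eo user,pid,ppid,args

# Assumption: the privilege-separation account is named "sshd", as in the reply.
PRIVSEP_USER="${PRIVSEP_USER:-sshd}"

# privsep_children: read ps output on stdin, print "pid ppid" for every sshd
# process owned by $PRIVSEP_USER whose parent is an sshd owned by root.
privsep_children() {
    awk -v u="$PRIVSEP_USER" '
        NR == 1 && $2 == "PID" { next }      # skip the ps header line
        $4 ~ /(^|\/)sshd:?$/ {               # first word of args names sshd
            owner[$2] = $1; parent[$2] = $3; order[++n] = $2
        }
        END {
            for (i = 1; i <= n; i++) {
                p = order[i]
                if (owner[p] == u && owner[parent[p]] == "root")
                    print p, parent[p]
            }
        }'
}

# privsep_ok: succeed only if at least one such child is present.
privsep_ok() {
    [ -n "$(privsep_children)" ]
}

# Constructed sample: one connection waiting at the password prompt.
SAMPLE_WITH='USER PID PPID COMMAND
root 812 1 /usr/sbin/sshd
root 4410 812 sshd: unknown [priv]
sshd 4411 4410 sshd: unknown [net]
root 4390 812 sshd: admin@pts/0
root 4395 4390 -ksh'

# Constructed sample: same prompt, but no sshd process has left root.
SAMPLE_WITHOUT='USER PID PPID COMMAND
root 812 1 /usr/sbin/sshd
root 4410 812 /usr/sbin/sshd
root 4395 4390 -ksh'

# Live use, while a login is held at the password prompt:
#   ps -eo user,pid,ppid,args | privsep_ok && echo "privsep child present"
```

Run it while a connection is sitting unauthenticated at the password prompt; an empty result at that moment means no sshd child is running under the separation account.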