Re: How to verify Privilege Separation is working?

From: Philip Le Riche (
Date: 10/22/04

  • Next message: Covington, Jimmy D. (NGIT): "SSH and mounted home directories"
    Date: Fri, 22 Oct 2004 10:08:26 +0100


    Just a few servers out of several dozen had neither the sshd user nor
    /var/empty set up. I fixed that (sshd with login and remote login
    disabled, /var/empty 755 root system) and rebooted. Launching a login
    attempt having blanked the auto-login user name in putty still shows the
    new process running as root. (Correctly set up systems show it nicely
    running as sshd.) What more can I do to make sshd notice the corrected
    config than a reboot? Do the sshd user and /var/empty need to exist
    before installation? (I'm running AIX, by the way.)

    - Philip

    David Walker wrote:

    >ssh into your server to an account that requires a password or a non-existing
    >account that prompts for a password. Don't enter a password at this time but
    >run your ps command (from another shell of course). If privilege separation
    >is operational then you will see an sshd process running under the separation
    >account such as "sshd"
    >On Friday 24 September 2004 02:59 am, Philip Le Riche wrote:
    >>Hi -
    >>Is there a simple way to positively demonstrate that privilege
    >>separation is working? Running ps -fe shows all sshd processes running
    >>as root. If /var/empty doesn't exist, sshd still seems to work, but
    >>presumably without privilege separation. There may be other
    >>configuration errors which could have the same effect.
    >>(The reason I ask is that a vulnerability assessment has shown that I
    >>need to upgrade to OpenSSH 3.7.1 to avoid known vulnerabilities.
    >>However, rebuilding from source has run into problems with
    >>incompatible libraries since we're on an old version of AIX. No doubt
    >>these are fixable, given time my management may not allow me, but if I
    >>could positively demonstrate that privilege separation is working, I
    >>could argue that the risk is low and limited to DoS. Agreed?)
    >>- Philip

    This email has originated from Steria Limited, Registration No: 2706218.

    Privileged, confidential and/or copyright information may be contained in this email, and is only for the use of the intended addressee. To copy, forward, disclose or otherwise use it in any way if you are not the intended recipient or responsible for delivering to him/her is prohibited.

    If you receive this email by mistake, please advise the sender immediately, by using the reply facility in your email software.

    We may monitor the content of emails sent and received via our network for the purposes of ensuring compliance with policies and procedures.

    This message is subject to and does not create or vary any contractual relationships between Steria Limited and the recipient.

    Office registered at: Three Cherry Trees Lane, Hemel Hempstead, Hertfordshire, HP2 7AH

  • Next message: Covington, Jimmy D. (NGIT): "SSH and mounted home directories"