Re: How to verify Privilege Separation is working?

From: Philip Le Riche (
Date: 10/22/04

  • Next message: Covington, Jimmy D. (NGIT): "SSH and mounted home directories"
    Date: Fri, 22 Oct 2004 10:08:26 +0100


    Just a few servers out of several dozen had neither the sshd user nor
    /var/empty set up. I fixed that (sshd with login and remote login
    disabled, /var/empty 755 root system) and rebooted. Launching a login
    attempt having blanked the auto-login user name in PuTTY still shows the
    new process running as root. (Correctly set up systems show it nicely
    running as sshd.) What more can I do to make sshd notice the corrected
    config than a reboot? Do the sshd user and /var/empty need to exist
    before installation? (I'm running AIX, by the way.)

    - Philip

    David Walker wrote:

    >ssh into your server to an account that requires a password or a non-existing
    >account that prompts for a password. Don't enter a password at this time but
    >run your ps command (from another shell of course). If privilege separation
    >is operational then you will see an sshd process running under the separation
    >account such as "sshd".
    >
    >On Friday 24 September 2004 02:59 am, Philip Le Riche wrote:
    >>Hi -
    >>Is there a simple way to positively demonstrate that privilege
    >>separation is working? Running ps -fe shows all sshd processes running
    >>as root. If /var/empty doesn't exist, sshd still seems to work, but
    >>presumably without privilege separation. There may be other
    >>configuration errors which could have the same effect.
    >>(The reason I ask is that a vulnerability assessment has shown that I
    >>need to upgrade to OpenSSH 3.7.1 to avoid known vulnerabilities.
    >>However, rebuilding from source has run into problems with
    >>incompatible libraries since we're on an old version of AIX. No doubt
    >>these are fixable, given time my management may not allow me, but if I
    >>could positively demonstrate that privilege separation is working, I
    >>could argue that the risk is low and limited to DoS. Agreed?)
    >>- Philip

    This email has originated from Steria Limited, Registration No: 2706218.

    Privileged, confidential and/or copyright information may be contained in this email, and is only for the use of the intended addressee. To copy, forward, disclose or otherwise use it in any way if you are not the intended recipient or responsible for delivering to him/her is prohibited.

    If you receive this email by mistake, please advise the sender immediately, by using the reply facility in your email software.

    We may monitor the content of emails sent and received via our network for the purposes of ensuring compliance with policies and procedures.

    This message is subject to and does not create or vary any contractual relationships between Steria Limited and the recipient.

    Office registered at: Three Cherry Trees Lane, Hemel Hempstead, Hertfordshire, HP2 7AH
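The ps test David Walker describes, and the /var/empty and sshd-account prerequisites Philip is fixing, can be scripted so the check is repeatable across several dozen servers. The script below is an added example, not code from the thread or from OpenSSH. It assumes `ps -eo user,pid,ppid,comm` is available (it is on AIX and Linux) and that the separation account is named `sshd`; the two ps snapshots embedded in it are constructed for illustration, with a client parked at the password prompt as the thread suggests.

```shell
#!/bin/sh
# Added example (not from the thread): scripted version of the
# "does an sshd process run as the unprivileged sshd user?" test, plus a
# check of the chroot directory OpenSSH needs for privilege separation.

# Constructed sample of `ps -eo user,pid,ppid,comm` on a server with
# privilege separation active: the listener and the privileged monitor
# are root, the network-facing child runs as the separation account.
SAMPLE_PRIVSEP='USER       PID  PPID COMMAND
root         1     0 init
root      1234     1 sshd
root      5678  1234 sshd
sshd      5679  5678 sshd'

# Constructed sample of the same moment on a server where every sshd
# process is still root-owned, which is what Philip sees on his broken hosts.
SAMPLE_NO_PRIVSEP='USER       PID  PPID COMMAND
root         1     0 init
root      1234     1 sshd
root      5678  1234 sshd'

# privsep_check: read ps output on stdin, print how many sshd processes are
# owned by the separation account ($1, default "sshd"), and return 0 when at
# least one exists. Live use: ps -eo user,pid,ppid,comm | privsep_check
privsep_check() {
    acct="${1:-sshd}"
    # Skip the header line; field 1 is the owner, field 4 the command name.
    count=$(awk -v acct="$acct" \
        'NR > 1 && $1 == acct && $4 ~ /sshd$/ { n++ } END { print n + 0 }')
    echo "$count"
    [ "$count" -gt 0 ]
}

# privsep_dir_check: verify the chroot directory ($1) exists, is owned by
# $2 (default root) and is not group- or world-writable, i.e. the
# "/var/empty 755 root" setup from the thread. Uses `ls -ld` rather than
# stat(1) because its output format is the same on AIX and Linux.
privsep_dir_check() {
    dir="$1"
    owner="${2:-root}"
    [ -d "$dir" ] || { echo "$dir: missing"; return 1; }
    set -- $(ls -ld "$dir")
    mode="$1"
    got_owner="$3"
    [ "$got_owner" = "$owner" ] || {
        echo "$dir: owned by $got_owner, expected $owner"; return 1; }
    # Mode string positions 6 and 9 are the group and other write bits.
    case "$mode" in
        d????-??-?*) echo "$dir: ok ($mode $got_owner)"; return 0 ;;
        *) echo "$dir: group- or world-writable ($mode)"; return 1 ;;
    esac
}

# Demonstration on the constructed snapshots.
printf '%s\n' "$SAMPLE_PRIVSEP" | privsep_check sshd >/dev/null \
    && echo "sample 1: unprivileged sshd child present" \
    || echo "sample 1: no unprivileged sshd child"
printf '%s\n' "$SAMPLE_NO_PRIVSEP" | privsep_check sshd >/dev/null \
    && echo "sample 2: unprivileged sshd child present" \
    || echo "sample 2: no unprivileged sshd child"
```

On a live AIX box the two calls would be `ps -eo user,pid,ppid,comm | privsep_check sshd` (while a PuTTY session sits at the password prompt) and `privsep_dir_check /var/empty root`, run together with `id sshd` to confirm the account exists. The ps test only says something while a connection is in the pre-authentication phase; an idle listener shows nothing but the root-owned parent either way.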
