Re: How to verify Privilege Separation is working?
From: Jerry (juanino_at_yahoo.com)
Date: 10/25/04
- Previous message: pleriche: "Re: Logging attempted passwords"
- In reply to: Philip Le Riche: "Re: How to verify Privilege Separation is working?"
Date: Mon, 25 Oct 2004 08:45:08 -0700 (PDT) To: Philip Le Riche <philip.leriche@virgin.net>, secureshell@securityfocus.com
You can try to start up sshd manually on the command line in debug mode
on another port, i.e. /path/to/sshd -D -p 9999 or whatever port you like.
Once you connect to this daemon and disconnect, it will die. Restart it to
continue testing. Optionally, pass it the config file, or the specific
config option. This will help you diagnose if you are even reading the
config file you think you are.
Jerry
--- Philip Le Riche <philip.leriche@virgin.net> wrote:
> Thanks!
>
> Just a few servers out of several dozen had neither the sshd user nor
> /var/empty set up. I fixed that (sshd with login and remote login
> disabled, /var/empty 755 root system) and rebooted. Launching a login
> attempt having blanked the auto-login user name in putty still shows the
> new process running as root. (Correctly set up systems show it nicely
> running as sshd.) What more can I do to make sshd notice the corrected
> config than a reboot? Do the sshd user and /var/empty need to exist
> before installation? (I'm running AIX, by the way.)
>
> - Philip
>
> David Walker wrote:
>
> >ssh into your server to an account that requires a password or a non-existing
> >account that prompts for a password. Don't enter a password at this time but
> >run your ps command (from another shell of course). If privilege separation
> >is operational then you will see an sshd process running under the separation
> >account such as "sshd"
> >
> >On Friday 24 September 2004 02:59 am, Philip Le Riche wrote:
> >
> >>Hi -
> >>
> >>Is there a simple way to positively demonstrate that privilege
> >>separation is working? Running ps -fe shows all sshd processes running
> >>as root. If /var/empty doesn't exist, sshd still seems to work, but
> >>presumably without privilege separation. There may be other
> >>configuration errors which could have the same effect.
> >>
> >>(The reason I ask is that a vulnerability assessment has shown that I
> >>need to upgrade to OpenSSH 3.7.1 to avoid known vulnerabilities.
> >>However, rebuilding from source has run into problems with
> >>incompatible libraries since we're on an old version of AIX. No doubt
> >>these are fixable, given time my management may not allow me, but if I
> >>could positively demonstrate that privilege separation is working, I
> >>could argue that the risk is low and limited to DoS. Agreed?)
> >>
> >>- Philip
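Added example, not part of the original thread and not OpenSSH code: a shell helper that applies the check David Walker describes (look for an sshd process owned by the separation account while a login waits at the password prompt) and the prerequisites Philip mentions (the sshd user and /var/empty). The function names and the sample ps listings are constructed for illustration.

```shell
#!/bin/sh
# Added example: apply the thread's ps check to a process listing.
# Live use (while a login sits at the password prompt):
#   ps -e -o user,pid,args | privsep_verdict
PRIVSEP_USER=sshd        # separation account named in the thread

# Prerequisites raised in the thread: the account and the empty directory.
privsep_prereqs() {
    dir="${1:-/var/empty}"; rc=0
    id "$PRIVSEP_USER" >/dev/null 2>&1 || { echo "missing user: $PRIVSEP_USER"; rc=1; }
    [ -d "$dir" ] || { echo "missing directory: $dir"; rc=1; }
    return "$rc"
}

# Reads "user pid command" lines on stdin and prints one line per sshd process.
# Exit: 0 = an sshd process is owned by $PRIVSEP_USER,
#       1 = sshd processes seen but none owned by it,
#       2 = no sshd process seen at all.
privsep_verdict() {
    awk -v want="$PRIVSEP_USER" '
        NR == 1 && $1 == "USER" { next }              # skip the ps header
        {
            cmd = $3; sub(/:$/, "", cmd)              # retitled "sshd: ..." entries
            n = split(cmd, part, "/")                 # strip any leading path
            if (part[n] != "sshd") next
            seen++
            if ($1 == want) { sep++; tag = "SEPARATED" } else tag = "PRIVILEGED"
            printf "%s pid=%s owner=%s\n", tag, $2, $1
        }
        END { if (!seen) exit 2; exit (sep ? 0 : 1) }
    '
}

# Constructed sample listings (not real captures).
SAMPLE_SEPARATED='USER PID COMMAND
root 4100 /usr/sbin/sshd
root 5230 /usr/sbin/sshd
sshd 5231 /usr/sbin/sshd'
SAMPLE_ROOT_ONLY='USER PID COMMAND
root 4100 /usr/sbin/sshd
root 5230 /usr/sbin/sshd'

printf '%s\n' "$SAMPLE_SEPARATED" | privsep_verdict
echo "verdict exit status: $?"
```

An exit status of 1 on a host corresponds to the situation Philip reports: the per-connection sshd process is still owned by root.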