Re: OpenSSH, privilage separation

From: Kasper Dupont (kasperd@daimi.au.dk)
Date: 06/23/02


From: Kasper Dupont <kasperd@daimi.au.dk>
Date: Sun, 23 Jun 2002 00:31:08 +0200

Jem Berkes wrote:
>
> Apparently the new OpenSSH 3.3 (released yesterday) has privilage
> separation enabled by default, as described here:
> http://www.citi.umich.edu/u/provos/ssh/privsep.html

Looks nice. (At least the figure looks nice, I did not look on
the implementation.) BTW does this mean that the second sshd
child process will now be runing with ID of the user that log
in? (So the user could actually do something like:
"strace -p $(ps -o ppid= -p $$)"?)

>
> To work, there needs to be a (1) user sshd,

Sounds reasonable.

> and (2) /var/empty, where sshd will be chrooted.

Paranoia! But of course when we are talking about sshd being
paranoid is good. But why not use /var/empty/sshd in case
there will be more similar chrooted daemons in the future.

>
> I never really learned the format of /etc/passwd properly, so I just added
> this line.

Why not use useradd?

> Is this the correct way to create a dummy user?
>
> sshd:*:54333:54333:sshd:/no/where:/no/shell

The format is correct. But if you are just going to put the
username in the comment field, you could as well keep it
empty. Writing "OpenSSH privilege separation" would say a
lot more.

Your choice of home and shell is unusual. I just verified
what nobody used on different systems, the home was set to
either / or /dev/null, and the shell was set to either
/sbin/nologin or /dev/null.

-- 
Kasper Dupont -- der bruger for meget tid på usenet.
For sending spam use mailto:razor-report@daimi.au.dk



Relevant Pages

  • Re: OpenSSH, privilage separation
    ... > Apparently the new OpenSSH 3.3 has privilage ... BTW does this mean that the second sshd ... Your choice of home and shell is unusual. ...
    (comp.os.linux.security)
  • last output
    ... Before patching all worked fine. ... security sshd sftp-server integer overlow pam keyboard interactive ... it was related to openssh sshd ... ...
    (SunManagers)
  • RE: OpenSSH b0rked (was RE: Problems with IPFW patch)
    ... fix was the config file. ... No reboots or restarting sshd necessary. ... > Subject: RE: OpenSSH b0rked ... >> annoying install sequence - you can't define where it gets ...
    (FreeBSD-Security)
  • Re: Attacks against SSH?
    ... > CRC32-attack. ... i've seen quite a few attempts against sshd in the last few days, ... rumours of a "new OpenSSH exploit" started wandering around. ... the CRC bug in unpatched/vulnerable versions of ssh. ...
    (Incidents)
  • OpenSSH 3.1 released
    ... OpenSSH 3.1 has just been released. ... implementation and includes sftp client and server support. ... sshd x11 forwarding listens on localhost by default; ... see sshd X11UseLocalhost option to revert to prior behaviour ...
    (comp.security.ssh)