Date: Wed, 26 Jun 2002 16:08:22 -0400 (EDT)
From: John Mills <jmmills@telocity.com>
To: Amit Chakradeo <freebsd@spam.chakradeo.net>
Cc: questions@FreeBSD.ORG
Subject: Re: Openssh sshd with Privilege Seperation to be installed suid ?
Message-ID: <Pine.LNX.4.21.0206261553530.4165-100000@otter.mills-atl.com>
In-Reply-To: <20020626114412.B19072@ac.wox.org>
Amit -

On Wed, 26 Jun 2002, Amit Chakradeo wrote:

> Is the sshd supposed to be installed setuid root for the privilege
> separation part to work correctly? The openssh port does not install it
> that way, and I see all the sshd processes owned by root. This changes to
> desired behaviour as below after I turn suid root on:

I just went through this with Linux and openssh-3.3, but possibly the
experience is useful.

In addition to enabling:

  'UsePrivilegeSeparation yes'

in my 'sshd_config' file, I then had to create a no-shell-login user
called (in my setup) 'sshd'. (The user name is defined when the package is
built, AFAIK. 'sshd' seems to be commonly used.) Without the user existing
(and separation enabled), the daemon would not start for me. Since I built
from sources, I tried a couple of names - 'nobody' also worked fine. I
think what we need here is a 'dummy' user.

Re: your question: Since 'sshd' (the daemon, not the user) is normally
started at boot by 'init', it does not need to be (nor should it be)
'setuid root'. You must be 'su' to start it manually, however.

One reason for my answer is in case I have misunderstood, so someone can
correct me. I expect to install the new port on my 4.5 box this evening.

 - John Mills

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-questions" in the body of the message
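The three conditions John lists (the 'UsePrivilegeSeparation yes' directive, an unprivileged no-login user for the daemon to drop to, and a daemon binary that is not setuid root) as a small audit script. This is an added example, not code from the original message or from the OpenSSH project. The user name 'sshd', the live-system paths named in the comments, and the sample sshd_config and passwd lines the script builds are all assumptions/constructed fixtures so that it runs offline; point the functions at /etc/ssh/sshd_config, /etc/passwd and /usr/sbin/sshd on a real box.

```shell
#!/bin/sh
# Added example (not from the original message): audits the three things
# described for OpenSSH 3.3-era privilege separation:
#   1. sshd_config has 'UsePrivilegeSeparation yes'
#   2. an unprivileged no-login user (assumed name: sshd) exists
#   3. the sshd binary is NOT setuid root: init starts it as root, so the
#      bit buys nothing and only hands root to anyone who can exec it
# All paths and the user name are assumptions; adjust for your build.

# 1. Is UsePrivilegeSeparation explicitly 'yes'?  sshd honours the first
#    occurrence of a keyword, so the first uncommented match decides.
#    usage: privsep_enabled /etc/ssh/sshd_config   (exit 0 = enabled)
privsep_enabled() {
    awk 'tolower($1) == "useprivilegeseparation" { print tolower($2); exit }' "$1" \
        | grep -qx yes
}

# 2. Does the privsep user exist, with a non-root uid and a no-login shell?
#    Reads a passwd(5)-format file so it can run against a constructed
#    sample; on a live box pass /etc/passwd (or `getent passwd > file`).
#    usage: privsep_user_ok /etc/passwd sshd   (exit 0 = ok)
privsep_user_ok() {
    awk -F: -v u="$2" '
        $1 == u {
            # uid must not be 0 and the shell must refuse interactive logins
            n = split($7, p, "/"); sh = p[n]
            if ($3 != 0 && (sh == "nologin" || sh == "false")) ok = 1
        }
        END { exit (ok ? 0 : 1) }' "$1"
}

# 3. Is the daemon binary free of the setuid bit?
#    usage: sshd_not_setuid /usr/sbin/sshd   (exit 0 = ok)
sshd_not_setuid() {
    [ -f "$1" ] && [ ! -u "$1" ]
}

# Constructed fixtures so the checks can be exercised offline: a small
# sshd_config, a passwd fragment containing the 'sshd' user, and an empty
# file standing in for the daemon binary. Prints the directory holding them.
make_fixtures() {
    d=$(mktemp -d) || return 1
    cat > "$d/sshd_config" <<'EOF'
# constructed sample: the commented line and the second directive are ignored
#UsePrivilegeSeparation no
Port 22
UsePrivilegeSeparation yes
UsePrivilegeSeparation no
EOF
    cat > "$d/passwd" <<'EOF'
root:*:0:0:Charlie &:/root:/bin/csh
sshd:*:22:22:sshd privsep:/var/empty:/sbin/nologin
nobody:*:65534:65534:Unprivileged user:/nonexistent:/sbin/nologin
bob:*:1001:1001:Bob:/home/bob:/bin/sh
EOF
    : > "$d/sshd"            # stand-in for the daemon binary, no setuid bit
    printf '%s\n' "$d"
}

# Run the audit against a directory laid out like the fixtures.
audit() {
    dir=$1 user=${2:-sshd}
    privsep_enabled "$dir/sshd_config"    && echo "privsep: enabled"   || echo "privsep: NOT enabled"
    privsep_user_ok "$dir/passwd" "$user" && echo "user $user: ok"     || echo "user $user: missing or can log in"
    sshd_not_setuid "$dir/sshd"           && echo "binary: not setuid" || echo "binary: setuid root, remove it"
}

audit "$(make_fixtures)"
```

Against the constructed fixtures all three checks pass; swap in the live paths to audit a real host. One thing the script deliberately leaves out: OpenSSH 3.3 also refuses to start unless the privsep chroot directory (/var/empty by default) exists, is owned by root and is not group- or world-writable, so a daemon that still will not start after these three checks pass is worth checking there next.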
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?Pine.LNX.4.21.0206261553530.4165-100000>