From: Brian Nelson
Date: Tue, 25 Jun 2002 00:58:13 -0700
To: Jan Lentfer
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: How to check if "UsePrivilegeSeparation" works in OpenSSH?

Jan Lentfer wrote:
> Hi all,
>
> I replaced the base OpenSSH with 3.3p from the ports typing:
>
> bash-2.05# make -DOPENSSH_OVERWRITE_BASE
> bash-2.05# make -DOPENSSH_OVERWRITE_BASE install
>
> I then added "sshd_program=/usr/local/sbin/sshd" to /etc/rc.conf and
> uncommented NO_OPENSSH=true and NO_OPENSSL=true in etc make.conf.

Since you're overwriting the base, this might break things for you.

> Finally I added "UsePrivilegeSeparation yes" to /etc/ssh/sshd_config and
> SIGHUPed sshd. sshd -V now reports version 3.3.

"hupping" the running daemon tells it to re-read the configuration (for most applications)... you need to kill the listening process and re-start it... the child processes should remain, so you won't lose your connection (at least, this has been my experience in the past)...

to 'test' telnet to port 22 on the box and see what the header tells you the version is :) sshd -V doesn't tell you the version of the running processes... :)
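
The check suggested in the reply above (read the identification line the listening daemon sends on port 22 instead of trusting `sshd -V`), as an added Python example that is not part of the original message. The function names, the default host and port, and the sample banners used to exercise it are constructed for illustration.

```python
import socket

def parse_ident(data: bytes):
    """Return (protoversion, softwareversion, comments) from the server's first bytes.

    Per RFC 4253 section 4.2 the server may send other lines first; the
    identification line is the first one that starts with "SSH-".
    """
    for raw in data.split(b"\n"):
        line = raw.rstrip(b"\r").decode("ascii", "replace")
        if not line.startswith("SSH-"):
            continue
        ident, _, comments = line.partition(" ")
        parts = ident.split("-", 2)
        if len(parts) != 3 or not parts[1] or not parts[2]:
            raise ValueError(f"malformed identification line: {line!r}")
        return parts[1], parts[2], comments
    raise ValueError("no SSH identification line received")

def read_ident(host="127.0.0.1", port=22, timeout=5.0):
    """Connect to the listening daemon and parse what it announces."""
    buf = b""
    with socket.create_connection((host, port), timeout=timeout) as s:
        while len(buf) < 8192:
            chunk = s.recv(256)
            if not chunk:
                break
            buf += chunk
            if buf.endswith(b"\n"):
                try:
                    return parse_ident(buf)
                except ValueError:
                    continue  # only pre-banner lines so far, keep reading
    return parse_ident(buf)

def running_matches(software: str, expected: str) -> bool:
    """True if the running daemon announces the release that was just installed.

    Portable releases append a "pN" suffix, so "OpenSSH_3.3p1" matches "OpenSSH_3.3".
    """
    return software == expected or software.startswith(expected + "p")

if __name__ == "__main__":
    # Assumed target: the local machine's sshd on the default port.
    proto, software, _ = read_ident()
    print(proto, software, running_matches(software, "OpenSSH_3.3"))
```

A mismatch between this result and what `sshd -V` prints means the listening process is still the old binary and has not been restarted.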