From: Dag-Erling Smorgrav
Date: Sun, 09 Feb 2003 13:49:58 +0100
To: "Karl M. Joch"
Cc: freebsd-stable@freebsd.org
Subject: Re: sshd_config man page typo

"Karl M. Joch" writes:
> After updating a server far away I had to recognize that
> UsePrivilegeSeparation is on by default. Updating without creating the
> user sshd results in refusing access because there is no user found for
> Privilege Separation.

You did not follow the documented upgrade procedure (which includes
running 'mergemaster -p' before installworld).

> The man page says the default is NO but it is YES.

Bzzzt. The man page clearly says it is on by default:

     UsePrivilegeSeparation
             Specifies whether sshd separates privileges by creating an
             unprivileged child process to deal with incoming network
             traffic.  After successful authentication, another process
             will be created that has the privilege of the authenticated
             user.  The goal of privilege separation is to prevent
             privilege escalation by containing any corruption within the
             unprivileged processes.  The default is ``yes''.

DES
-- 
Dag-Erling Smorgrav - des@ofug.org
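
A pre-restart check for the failure discussed in this message, as an added example that is not part of the original post or of FreeBSD's own tools: it reads the effective UsePrivilegeSeparation value (defaulting to yes, as the quoted man page states) and verifies that the sshd user exists. The function names and the two file arguments are assumptions of this example.

```shell
#!/bin/sh
# Added example; function names are hypothetical, not part of FreeBSD or OpenSSH.
# Usage: sh check_privsep.sh /etc/ssh/sshd_config /etc/passwd

# Print the effective UsePrivilegeSeparation value from an sshd_config file.
# Keywords are case-insensitive and the first occurrence wins; when the
# keyword is absent, the default quoted from the man page ("yes") applies.
privsep_setting() {
    awk -F'[ \t=]+' '
        { sub(/^[ \t]+/, "") }          # drop leading whitespace, re-split
        /^#/ { next }                   # skip comment lines
        tolower($1) == "useprivilegeseparation" { print $2; found = 1; exit }
        END { if (!found) print "yes" }
    ' "$1"
}

# Succeed if the passwd-format file $2 has an entry for user $1.
user_in_passwd() {
    awk -F: -v u="$1" '$1 == u { found = 1 } END { exit !found }' "$2"
}

# Return 0 when sshd can start with this configuration, 1 when privilege
# separation is in effect but the unprivileged sshd user is missing.
check_privsep() {
    setting=$(privsep_setting "$1")
    if [ "$setting" = "no" ]; then
        echo "privilege separation disabled in $1; sshd user not required"
        return 0
    fi
    if user_in_passwd sshd "$2"; then
        echo "privilege separation is '$setting' and user sshd exists"
        return 0
    fi
    echo "privilege separation is '$setting' but $2 has no sshd user;" \
         "run 'mergemaster -p' before installworld" >&2
    return 1
}

if [ "$#" -eq 2 ]; then
    check_privsep "$1" "$2"
fi
```

Running it against the new configuration and the existing passwd file before restarting sshd on a remote host shows whether the daemon would refuse logins after the upgrade.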