xref: /freebsd/crypto/openssh/README.privsep (revision 7ef62cebc2f965b0f640263e179276928885e33d)
1Privilege separation, or privsep, is method in OpenSSH by which
2operations that require root privilege are performed by a separate
3privileged monitor process.  Its purpose is to prevent privilege
4escalation by containing corruption to an unprivileged process.
5More information is available at:
6	http://www.citi.umich.edu/u/provos/ssh/privsep.html
7
8Privilege separation is now mandatory.  During the pre-authentication
9phase sshd will chroot(2) to "/var/empty" and change its privileges to the
10"sshd" user and its primary group.  sshd is a pseudo-account that should
11not be used by other daemons, and must be locked and should contain a
12"nologin" or invalid shell.
13
14You should do something like the following to prepare the privsep
15preauth environment:
16
17	# mkdir /var/empty
18	# chown root:sys /var/empty
19	# chmod 755 /var/empty
20	# groupadd sshd
21	# useradd -g sshd -c 'sshd privsep' -d /var/empty -s /bin/false sshd
22
23/var/empty should not contain any files.
24
25configure supports the following options to change the default
26privsep user and chroot directory:
27
28  --with-privsep-path=xxx Path for privilege separation chroot
29  --with-privsep-user=user Specify non-privileged user for privilege separation
30
31PAM-enabled OpenSSH is known to function with privsep on AIX, FreeBSD,
32HP-UX (including Trusted Mode), Linux, NetBSD and Solaris.
33
34On Cygwin, Tru64 Unix and OpenServer only the pre-authentication part
35of privsep is supported.  Post-authentication privsep is disabled
36automatically (so you won't see the additional process mentioned below).
37
38Note that for a normal interactive login with a shell, enabling privsep
39will require 1 additional process per login session.
40
41Given the following process listing (from HP-UX):
42
43     UID   PID  PPID  C    STIME TTY       TIME COMMAND
44    root  1005     1  0 10:45:17 ?         0:08 /opt/openssh/sbin/sshd -u0
45    root  6917  1005  0 15:19:16 ?         0:00 sshd: stevesk [priv]
46 stevesk  6919  6917  0 15:19:17 ?         0:03 sshd: stevesk@2
47 stevesk  6921  6919  0 15:19:17 pts/2     0:00 -bash
48
49process 1005 is the sshd process listening for new connections.
50process 6917 is the privileged monitor process, 6919 is the user owned
51sshd process and 6921 is the shell process.
52