19261079b7
Some notable changes, from upstream's release notes: - sshd(8): Remove support for obsolete "host/port" syntax. - ssh(1): When prompting whether to record a new host key, accept the key fingerprint as a synonym for "yes". - ssh-keygen(1): when acting as a CA and signing certificates with an RSA key, default to using the rsa-sha2-512 signature algorithm. - ssh(1), sshd(8), ssh-keygen(1): this release removes the "ssh-rsa" (RSA/SHA1) algorithm from those accepted for certificate signatures. - ssh-sk-helper(8): this is a new binary. It is used by the FIDO/U2F support to provide address-space isolation for token middleware libraries (including the internal one). - ssh(1): this release enables UpdateHostkeys by default subject to some conservative preconditions. - scp(1): this release changes the behaviour of remote to remote copies (e.g. "scp host-a:/path host-b:") to transfer through the local host by default. - scp(1): experimental support for transfers using the SFTP protocol as a replacement for the venerable SCP/RCP protocol that it has traditionally used. Additional integration work is needed to support FIDO/U2F in the base system. Deprecation Notice ------------------ OpenSSH will disable the ssh-rsa signature scheme by default in the next release. Reviewed by: imp MFC after: 1 month Relnotes: Yes Sponsored by: The FreeBSD Foundation Differential Revision: https://reviews.freebsd.org/D29985
52 lines
2.2 KiB
Plaintext
52 lines
2.2 KiB
Plaintext
Privilege separation, or privsep, is method in OpenSSH by which
|
|
operations that require root privilege are performed by a separate
|
|
privileged monitor process. Its purpose is to prevent privilege
|
|
escalation by containing corruption to an unprivileged process.
|
|
More information is available at:
|
|
http://www.citi.umich.edu/u/provos/ssh/privsep.html
|
|
|
|
Privilege separation is now mandatory. During the pre-authentication
|
|
phase sshd will chroot(2) to "/var/empty" and change its privileges to the
|
|
"sshd" user and its primary group. sshd is a pseudo-account that should
|
|
not be used by other daemons, and must be locked and should contain a
|
|
"nologin" or invalid shell.
|
|
|
|
You should do something like the following to prepare the privsep
|
|
preauth environment:
|
|
|
|
# mkdir /var/empty
|
|
# chown root:sys /var/empty
|
|
# chmod 755 /var/empty
|
|
# groupadd sshd
|
|
# useradd -g sshd -c 'sshd privsep' -d /var/empty -s /bin/false sshd
|
|
|
|
/var/empty should not contain any files.
|
|
|
|
configure supports the following options to change the default
|
|
privsep user and chroot directory:
|
|
|
|
--with-privsep-path=xxx Path for privilege separation chroot
|
|
--with-privsep-user=user Specify non-privileged user for privilege separation
|
|
|
|
PAM-enabled OpenSSH is known to function with privsep on AIX, FreeBSD,
|
|
HP-UX (including Trusted Mode), Linux, NetBSD and Solaris.
|
|
|
|
On Cygwin, Tru64 Unix and OpenServer only the pre-authentication part
|
|
of privsep is supported. Post-authentication privsep is disabled
|
|
automatically (so you won't see the additional process mentioned below).
|
|
|
|
Note that for a normal interactive login with a shell, enabling privsep
|
|
will require 1 additional process per login session.
|
|
|
|
Given the following process listing (from HP-UX):
|
|
|
|
UID PID PPID C STIME TTY TIME COMMAND
|
|
root 1005 1 0 10:45:17 ? 0:08 /opt/openssh/sbin/sshd -u0
|
|
root 6917 1005 0 15:19:16 ? 0:00 sshd: stevesk [priv]
|
|
stevesk 6919 6917 0 15:19:17 ? 0:03 sshd: stevesk@2
|
|
stevesk 6921 6919 0 15:19:17 pts/2 0:00 -bash
|
|
|
|
process 1005 is the sshd process listening for new connections.
|
|
process 6917 is the privileged monitor process, 6919 is the user owned
|
|
sshd process and 6921 is the shell process.
|