Privilege separation, or privsep, is a method in OpenSSH by which
operations that require root privilege are performed by a separate
privileged monitor process.  Its purpose is to prevent privilege
escalation by containing corruption to an unprivileged process.
More information is available at:
	http://www.citi.umich.edu/u/provos/ssh/privsep.html

Privilege separation is now enabled by default; see the
UsePrivilegeSeparation option in sshd_config(5).

On systems which lack mmap or anonymous (MAP_ANON) memory mapping,
compression must be disabled in order for privilege separation to
function.

When privsep is enabled, during the pre-authentication phase sshd will
chroot(2) to "/var/empty" and change its privileges to the "sshd" user
and its primary group.  sshd is a pseudo-account that should not be
used by other daemons, and must be locked and should contain a
"nologin" or invalid shell.

You should do something like the following to prepare the privsep
preauth environment:

	# mkdir /var/empty
	# chown root:sys /var/empty
	# chmod 755 /var/empty
	# groupadd sshd
	# useradd -g sshd -c 'sshd privsep' -d /var/empty -s /bin/false sshd

/var/empty should not contain any files.
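The following script is an added example, not part of OpenSSH, that checks a prepared preauth environment against the requirements above (empty chroot directory, not group/world writable, owned by root, and an sshd account whose home is the chroot, whose shell is nologin or invalid, and which is locked).  The function names and the passwd/shadow lines it constructs for the demonstration are this example's own assumptions; on a real host you would point the functions at /var/empty, /etc/passwd and /etc/shadow.

```shell
#!/bin/sh
# Added example (not OpenSSH code): sanity checks for the privsep
# pre-auth environment. Function names and the constructed
# passwd/shadow lines are this example's own.

# privsep_dir_ok DIR: succeeds if DIR exists, is empty and is not
# group- or world-writable (chmod 755 satisfies this).
privsep_dir_ok() {
    dir=$1
    [ -d "$dir" ] || { echo "$dir: not a directory"; return 1; }
    # ls -A lists everything except . and .., so any output at all
    # means the chroot directory is not empty.
    if [ -n "$(ls -A "$dir")" ]; then
        echo "$dir: must not contain any files"; return 1
    fi
    perms=$(ls -ld "$dir" | cut -c1-10)      # e.g. drwxr-xr-x
    case "$perms" in
        ?????w*|????????w?) echo "$dir: group/world writable ($perms)"; return 1 ;;
    esac
    return 0
}

# privsep_dir_owner DIR: prints the numeric uid owning DIR (should be 0).
privsep_dir_owner() {
    ls -ldn "$1" | awk '{ print $3 }'
}

# privsep_user_ok PASSWD_FILE USER DIR: the account must exist, have DIR
# as its home directory and an invalid or nologin login shell.
privsep_user_ok() {
    pwfile=$1; user=$2; dir=$3
    entry=$(awk -F: -v u="$user" '$1 == u { print; exit }' "$pwfile")
    [ -n "$entry" ] || { echo "$user: no passwd entry"; return 1; }
    home=$(printf '%s\n' "$entry" | cut -d: -f6)
    shell=$(printf '%s\n' "$entry" | cut -d: -f7)
    [ "$home" = "$dir" ] || { echo "$user: home is $home, expected $dir"; return 1; }
    case "$shell" in
        /bin/false|*/nologin) ;;
        *) echo "$user: shell $shell should be nologin or invalid"; return 1 ;;
    esac
    return 0
}

# privsep_account_locked SHADOW_FILE USER: locked means the password
# field starts with '!' or '*', i.e. there is no usable password hash.
privsep_account_locked() {
    awk -F: -v u="$2" '$1 == u { ok = ($2 ~ /^[!*]/) } END { exit !ok }' "$1"
}

# Demonstration against a constructed environment in a temp directory
# (uid/gid 74 and the shadow fields are made-up sample values).
demo_privsep_checks() {
    tmp=$(mktemp -d) || return 1
    mkdir "$tmp/empty" && chmod 755 "$tmp/empty"
    printf 'sshd:x:74:74:sshd privsep:%s:/bin/false\n' "$tmp/empty" > "$tmp/passwd"
    printf 'sshd:*:19000:0:99999:7:::\n' > "$tmp/shadow"
    rc=0
    privsep_dir_ok "$tmp/empty"                     || rc=1
    [ "$(privsep_dir_owner "$tmp/empty")" = 0 ] ||
        echo "note: $tmp/empty is not owned by root (uid 0)"
    privsep_user_ok "$tmp/passwd" sshd "$tmp/empty" || rc=1
    privsep_account_locked "$tmp/shadow" sshd ||
        { echo "sshd: account is not locked"; rc=1; }
    rm -rf "$tmp"
    return $rc
}

demo_privsep_checks && echo "privsep pre-auth environment checks passed"
```

The ownership check only prints a note in the demonstration because the temp directory belongs to whoever runs the script; on a real host the directory must be owned by uid 0, as the chown above arranges.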

configure supports the following options to change the default
privsep user and chroot directory:

  --with-privsep-path=xxx Path for privilege separation chroot
  --with-privsep-user=user Specify non-privileged user for privilege separation

Privsep requires operating system support for file descriptor passing.
Compression will be disabled on systems without a working mmap MAP_ANON.

PAM-enabled OpenSSH is known to function with privsep on AIX, FreeBSD,
HP-UX (including Trusted Mode), Linux, NetBSD and Solaris.

On Cygwin, Tru64 Unix, OpenServer, and Unicos only the pre-authentication
part of privsep is supported.  Post-authentication privsep is disabled
automatically (so you won't see the additional process mentioned below).

Note that for a normal interactive login with a shell, enabling privsep
will require 1 additional process per login session.

Given the following process listing (from HP-UX):

     UID   PID  PPID  C    STIME TTY       TIME COMMAND
    root  1005     1  0 10:45:17 ?         0:08 /opt/openssh/sbin/sshd -u0
    root  6917  1005  0 15:19:16 ?         0:00 sshd: stevesk [priv]
 stevesk  6919  6917  0 15:19:17 ?         0:03 sshd: stevesk@2
 stevesk  6921  6919  0 15:19:17 pts/2     0:00 -bash

process 1005 is the sshd process listening for new connections.
process 6917 is the privileged monitor process, 6919 is the user owned
sshd process and 6921 is the shell process.
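As an added example (not part of OpenSSH), the script below reads a ps -ef style listing like the one above and pairs each root-owned "sshd: user [priv]" monitor with the user-owned sshd child whose parent it is.  It assumes the column layout shown in the listing (UID, PID, PPID, then the command starting in field 8); the sample listing is the one above plus one constructed extra monitor (pid 7001, user alice) that has no unprivileged child, which is what you would see during pre-authentication or on the platforms where post-authentication privsep is disabled.

```shell
#!/bin/sh
# Added example (not OpenSSH code): map privsep monitor processes to
# their unprivileged children in a ps -ef style listing.

# privsep_sessions: reads a ps -ef listing (header line first) on stdin
# and prints "MONITOR_PID CHILD_PID USER" per session; CHILD_PID is "-"
# when the monitor has no user-owned sshd child.
privsep_sessions() {
    awk '
        NR == 1 { next }                   # skip the column header
        # A root-owned "sshd: <user> [priv]" process is the privileged monitor.
        $1 == "root" && $8 == "sshd:" && $NF == "[priv]" { monitor[$2] = $9; next }
        # A non-root sshd whose parent is a monitor is the unprivileged
        # process of that session (6919 in the listing above).
        $1 != "root" && $8 == "sshd:" && ($3 in monitor) { child[$3] = $2 }
        END {
            for (m in monitor)
                print m, (m in child ? child[m] : "-"), monitor[m]
        }' | sort -n
}

# Constructed sample: the HP-UX listing from this README plus one extra
# monitor (pid 7001, user alice) with no unprivileged child.
sample_listing() {
    cat <<'EOF'
     UID   PID  PPID  C    STIME TTY       TIME COMMAND
    root  1005     1  0 10:45:17 ?         0:08 /opt/openssh/sbin/sshd -u0
    root  6917  1005  0 15:19:16 ?         0:00 sshd: stevesk [priv]
 stevesk  6919  6917  0 15:19:17 ?         0:03 sshd: stevesk@2
 stevesk  6921  6919  0 15:19:17 pts/2     0:00 -bash
    root  7001  1005  0 15:20:02 ?         0:00 sshd: alice [priv]
EOF
}

sample_listing | privsep_sessions
# prints:
# 6917 6919 stevesk
# 7001 - alice
```

On a live system replace sample_listing with `ps -ef`; a session whose monitor has a child running as root rather than as the logged-in user, or a monitor that keeps no child long after login, is worth a closer look at the sshd_config and the platform notes above.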

$Id: README.privsep,v 1.16 2005/06/04 23:21:41 djm Exp $
64