mirror of
git://anongit.mindrot.org/openssh.git
synced 2024-11-27 05:46:36 +08:00
Privsep is now required.
This commit is contained in:
parent
8aa2aa3cd4
commit
5a273a33ca
8
INSTALL
8
INSTALL
@ -24,6 +24,10 @@ If you must use a non-position-independent libcrypto, then you may need
|
||||
to configure OpenSSH --without-pie. Note that due to a bug in EVP_CipherInit
|
||||
OpenSSL 1.1 versions prior to 1.1.0g can't be used.
|
||||
|
||||
To support Privilege Separation (which is now required) you will need
|
||||
to create the user, group and directory used by sshd for privilege
|
||||
separation. See README.privsep for details.
|
||||
|
||||
The remaining items are optional.
|
||||
|
||||
NB. If you operating system supports /dev/random, you should configure
|
||||
@ -133,10 +137,6 @@ make install
|
||||
This will install the binaries in /opt/{bin,lib,sbin}, but will place the
|
||||
configuration files in /etc/ssh.
|
||||
|
||||
If you are using Privilege Separation (which is enabled by default)
|
||||
then you will also need to create the user, group and directory used by
|
||||
sshd for privilege separation. See README.privsep for details.
|
||||
|
||||
If you are using PAM, you may need to manually install a PAM control
|
||||
file as "/etc/pam.d/sshd" (or wherever your system prefers to keep
|
||||
them). Note that the service name used to start PAM is __progname,
|
||||
|
@ -5,13 +5,10 @@ escalation by containing corruption to an unprivileged process.
|
||||
More information is available at:
|
||||
http://www.citi.umich.edu/u/provos/ssh/privsep.html
|
||||
|
||||
Privilege separation is now enabled by default; see the
|
||||
UsePrivilegeSeparation option in sshd_config(5).
|
||||
|
||||
When privsep is enabled, during the pre-authentication phase sshd will
|
||||
chroot(2) to "/var/empty" and change its privileges to the "sshd" user
|
||||
and its primary group. sshd is a pseudo-account that should not be
|
||||
used by other daemons, and must be locked and should contain a
|
||||
Privilege separation is now mandatory. During the pre-authentication
|
||||
phase sshd will chroot(2) to "/var/empty" and change its privileges to the
|
||||
"sshd" user and its primary group. sshd is a pseudo-account that should
|
||||
not be used by other daemons, and must be locked and should contain a
|
||||
"nologin" or invalid shell.
|
||||
|
||||
You should do something like the following to prepare the privsep
|
||||
|
Loading…
Reference in New Issue
Block a user