[openssh-commits] [openssh] 01/01: Privsep is now required.

git+noreply at mindrot.org git+noreply at mindrot.org
Thu Sep 19 15:41:47 AEST 2019


This is an automated email from the git hooks/post-receive script.

dtucker pushed a commit to branch master
in repository openssh.

commit 5a273a33ca1410351cb484af7db7c13e8b4e8e4e
Author: Darren Tucker <dtucker at dtucker.net>
Date:   Thu Sep 19 15:41:23 2019 +1000

    Privsep is now required.
---
 INSTALL        |  8 ++++----
 README.privsep | 11 ++++-------
 2 files changed, 8 insertions(+), 11 deletions(-)

diff --git a/INSTALL b/INSTALL
index d0fa00e6..81476879 100644
--- a/INSTALL
+++ b/INSTALL
@@ -24,6 +24,10 @@ If you must use a non-position-independent libcrypto, then you may need
 to configure OpenSSH --without-pie.  Note that due to a bug in EVP_CipherInit
 OpenSSL 1.1 versions prior to 1.1.0g can't be used.
 
+To support Privilege Separation (which is now required) you will need
+to create the user, group and directory used by sshd for privilege
+separation.  See README.privsep for details.
+
 The remaining items are optional.
 
 NB. If you operating system supports /dev/random, you should configure
@@ -133,10 +137,6 @@ make install
 This will install the binaries in /opt/{bin,lib,sbin}, but will place the
 configuration files in /etc/ssh.
 
-If you are using Privilege Separation (which is enabled by default)
-then you will also need to create the user, group and directory used by
-sshd for privilege separation.  See README.privsep for details.
-
 If you are using PAM, you may need to manually install a PAM control
 file as "/etc/pam.d/sshd" (or wherever your system prefers to keep
 them).  Note that the service name used to start PAM is __progname,
diff --git a/README.privsep b/README.privsep
index 460e9056..d658c46d 100644
--- a/README.privsep
+++ b/README.privsep
@@ -5,13 +5,10 @@ escalation by containing corruption to an unprivileged process.
 More information is available at:
 	http://www.citi.umich.edu/u/provos/ssh/privsep.html
 
-Privilege separation is now enabled by default; see the
-UsePrivilegeSeparation option in sshd_config(5).
-
-When privsep is enabled, during the pre-authentication phase sshd will
-chroot(2) to "/var/empty" and change its privileges to the "sshd" user
-and its primary group.  sshd is a pseudo-account that should not be
-used by other daemons, and must be locked and should contain a
+Privilege separation is now mandatory.  During the pre-authentication
+phase sshd will chroot(2) to "/var/empty" and change its privileges to the
+"sshd" user and its primary group.  sshd is a pseudo-account that should
+not be used by other daemons, and must be locked and should contain a
 "nologin" or invalid shell.
 
 You should do something like the following to prepare the privsep

-- 
To stop receiving notification emails like this one, please contact
djm at mindrot.org.


More information about the openssh-commits mailing list