[openssh-commits] [openssh] branch master updated: more config option details in README.privsep

git+noreply at mindrot.org git+noreply at mindrot.org
Fri Jul 3 14:16:31 AEST 2026


This is an automated email from the git hooks/post-receive script.

djm pushed a commit to branch master
in repository openssh.

The following commit(s) were added to refs/heads/master by this push:
     new c123ac1c5 more config option details in README.privsep
c123ac1c5 is described below

commit c123ac1c579212c08c17d927cb8e379d45f9fccb
Author: Damien Miller <djm at mindrot.org>
AuthorDate: Fri Jul 3 14:16:29 2026 +1000

    more config option details in README.privsep
---
 README.privsep | 10 +++++++---
 1 file changed, 7 insertions(+), 3 deletions(-)

diff --git a/README.privsep b/README.privsep
index f8602ccd3..da9c2d316 100644
--- a/README.privsep
+++ b/README.privsep
@@ -112,7 +112,10 @@ separation:
 Controls the sandboxing implementation used by sshd-auth. OS level
 sandboxing is supported on a number of platforms. A fallback
 rlimit(2)-based sandbox provides some basic control on a wider set
-of platforms.
+of platforms. Most supported sandboxes are detected and enabled
+automatically, so this option is mostly used to disable the sandbox
+(this is handy when debugging or running under tools like
+AddressSanitizer).
 
     --with-privsep-user=user
 
@@ -121,14 +124,15 @@ before it starts handling untrusted data. This user must not be
 shared with any other system service, should own no files, should
 have a locked password, a shell that denies access (such as
 /bin/nologin or /bin/false) and the home directory set to the
-privilege separation path.
+privilege separation path. For most platforms the default user is
+"sshd".
 
     --with-privsep-path=/path
 
 Controls the directory that sshd-auth will chroot(2) to before
 dropping privileges. This directory should be empty, not shared
 with other system accounts and not readable or writable by the
-sandbox user.
+sandbox user. The default privsep path is "/var/empty".
 
 You should do something like the following to prepare the privsep
 preauth environment:

-- 
To stop receiving notification emails like this one, please contact
djm at mindrot.org.


More information about the openssh-commits mailing list