Re: OpenSSH_3.5p1

From: Jim McDonald (jmcdon23@CSC.COM.AU)
Date: Wed Mar 05 2003 - 15:20:28 EST


Hi

Disabling privilege separation is not recommended, as privilege separation
is designed only to give root access where it is essential and otherwise run as
user 'sshd' for the mundane stuff.

These notes were for HP-UX.
AIX is much the same except that creating the user and group is different.
Use /var/empty rather than <somewhere>/var/empty - it will work with
bullfreeware.
I have seen notes where the group sshd is left out and it has a login
shell.
I prefer this way as it is tidy:
_________________________________________________
Privilege Separation
    Privilege Separation is a recent default addition to ssh. If not
    configured correctly the sshd will refuse to start. SSHD can be set in
    debug mode to diagnose the problem. If the sshd daemon is run in debug
    mode the parent daemon will not die, i.e. you will not get the prompt
    back because there will be no terminal to return the debug messages to.

    Enabling Privilege Separation
    See file README.privsep on what is required; in summary:
      You should do something like the following to prepare the privsep
      preauth environment:

              # mkdir /var/empty
              # chown root:sys /var/empty
              # chmod 755 /var/empty
              # groupadd sshd
              # useradd -g sshd -c 'sshd privsep' -d /var/empty -s /bin/false sshd
      i.e.
      create group sshd
      create user sshd, comments = "sshd privsep", home directory =
      /var/empty, startup program = /bin/false

      /var/empty should not contain any files.

    NOTE: /var/empty is the default; if ssh is installed in
    <somewhere>/opt/openssh then it will be located as a subdirectory, i.e.
    <somewhere>/opt/openssh/var/empty

    Disabling Privilege Separation
    Alternatively this facility can be disabled by placing the line
      UsePrivilegeSeparation no
    in the <somewhere>/opt/openssh/etc/sshd_config file.

Regards
Jim McDonald
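A pre-flight check for the privsep environment described in the notes above, written here as an added example (it is not from Jim's mail, the Bull package or OpenSSH). The functions take the directory and the passwd/group entries as parameters so they can be run against test fixtures as well as the live system; the classic colon-separated /etc/passwd and /etc/group layouts and the list of accepted non-login shells are assumptions.

```sh
#!/bin/sh
# Added example: catch "Privilege separation user sshd does not exist" and
# the directory problems that make sshd refuse to start, before starting it.
# Ownership/mode come from 'ls -ld' because 'stat' differs on AIX, HP-UX, Linux.

# check_privsep_dir DIR: exists, owned by root, not group/world writable
# (what sshd itself enforces; the 'chmod 755' above satisfies it), and empty.
check_privsep_dir() {
    [ -d "$1" ] || { echo "$1: missing or not a directory" >&2; return 1; }
    set -- "$1" $(ls -ld "$1")           # $2 = mode string, $4 = owner name
    case $2 in
        d????-??-?*) ;;                  # write bit clear for group and other
        *) echo "$1: mode $2 is group/world writable" >&2; return 1 ;;
    esac
    [ "$4" = root ] || { echo "$1: owned by $4, want root" >&2; return 1; }
    [ -z "$(ls -A "$1")" ] || { echo "$1: must contain no files" >&2; return 1; }
}

# check_privsep_user PASSWD_LINE GROUP_LINE [HOME]: user sshd exists, its gid
# is that of group sshd, home is HOME (default /var/empty), shell is non-login.
check_privsep_user() {
    home=${3:-/var/empty}
    IFS=: read -r uname _ _ ugid _ uhome ushell <<EOF
$1
EOF
    IFS=: read -r gname _ ggid _ <<EOF
$2
EOF
    [ "$uname" = sshd ] || { echo "user sshd does not exist" >&2; return 1; }
    [ "$gname" = sshd ] && [ "$ggid" = "$ugid" ] ||
        { echo "user sshd is not in group sshd" >&2; return 1; }
    [ "$uhome" = "$home" ] ||
        { echo "sshd home is '$uhome', want $home" >&2; return 1; }
    case $ushell in                      # assumed set of non-login shells
        /bin/false|/usr/bin/false|/sbin/nologin|/usr/sbin/nologin) ;;
        *) echo "sshd has login shell '$ushell'" >&2; return 1 ;;
    esac
}

# Live check with the mail's defaults (uncomment to run on the host):
# check_privsep_dir /var/empty &&
# check_privsep_user "$(grep '^sshd:' /etc/passwd)" "$(grep '^sshd:' /etc/group)" &&
# echo "privsep environment OK"
```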

Toussi Davoud <davoud.toussi@EDB.COM>@Princeton.EDU> on 06/03/2003 02:23:50 AM

Please respond to IBM AIX Discussion List <aix-l@Princeton.EDU>

Sent by: IBM AIX Discussion List <aix-l@Princeton.EDU>

To: aix-l@Princeton.EDU
cc:
Subject: [aix-l] OpenSSH_3.5p1

Hi,

I'm trying to start sshd on AIX4.3.3ML10 without any luck!?
When I run "/etc/rc.openssh start" the program exits with the following errors:

Starting OpenSSH daemon on port 22
Privilege separation user sshd does not exist
rc.openssh: CMD: error detected in '/usr/local/sbin/sshd -f /etc/openssh/sshd_config -h /etc/openssh/ssh_host_key'

The openssh software is downloaded from Bull site:
freeware.openssh.rte 3.5.0.0 COMMITTED SSH protocol suite of network

Do you have any idea?

Regards


