On Thu, Jun 27, 2002 at 11:39:32AM +0200, Steffen Dettmer wrote:
> Seems that it does not work for me. I upgraded as described, but didn't find a chrooted or setuid=sshd process after restarting sshd.
You're getting something wrong here. The user sshd is just used during the authentication process. http://www.citi.umich.edu/u/provos/ssh/priv.jpg shows it pretty well. In that picture privileged == root, unprivileged == sshd and user privileged == whatever user you want to log in as. Keep in mind that root privileges are needed to bind to ports < 1024.

I'll try to explain the priv-sep process: An sshd process running with root privileges listens on port 22. When someone tries to log in via ssh, this sshd forks, chroot()s to /var/empty and changes its uid to the uid of the user sshd. At this time the forked process running as user:sshd takes care of the network traffic that's needed for the auth process and sends the results to the process running as root. When the authentication is done, the sshd running as root forks another child. The child's uid is changed to the uid of the user logging in. Now the process running as user:sshd is no longer needed.

You can observe it by doing this: Let's say erde is our local computer and merkur the remote one.

  homy@erde:~ > lsof | grep -E "^sshd[ 0-9]*sshd"
  homy@erde:~ >

As you can see, there's no process running that has the uid of the user:sshd.

  homy@merkur:~ > ssh erde
  homy@erde's password:

Wait there, don't enter the password.

  homy@erde:~ > lsof | grep -E "^sshd[ 0-9]*sshd"
  sshd  3054  sshd  mem  REG  3,5  306256  48616  /usr/sbin/sshd
  sshd  3054  sshd  mem  REG  3,2   99756  31020  /lib/ld-2.2.5.so
  sshd  3054  sshd  mem  CHR  1,5          48632  /dev/zero
  [...]

As you can see we're now in the authentication process and we have indeed a process that uses user:sshd's uid.

  erde:~ # ls -i /proc/3054/root
  95975 .  46465 ..
  erde:~ # ls -i /var/empty
  95975 .  46465 ..

As you can see here, this process's / indeed is chroot()ed to /var/empty.

I hope this helps a bit.

Cheers,
Frank Heimann

-- 
| "The price of freedom is eternal vigilance."                    |
|                                    -- Thomas Jefferson          |
|-----------------------------------------------------------------|
| "If we want to avoid zombies, we have to wait for our children" |
|                                    -- W. Richard Stevens,       |
|      in "Advanced Programming in the UNIX Environment", p. 281  |

My public key is available at http://www.unixisnot4dummies.org/homy.pgp
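Added example, not from Frank's post nor from OpenSSH itself: the pattern described above (fork, then chroot() and setuid() to a dedicated user before handling untrusted input, reporting only a verdict back to the root parent) boiled down to one round trip in C. It assumes the process starts as root, that /var/empty exists and is empty, and that uid/gid 74 is a placeholder for the unprivileged sshd account; the real sshd does far more than this.

```c
#define _DEFAULT_SOURCE 1
#include <string.h>
#include <unistd.h>
#include <grp.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <sys/wait.h>

#define JAIL_DIR   "/var/empty"  /* the jail used in the post */
#define UNPRIV_UID 74            /* placeholder uid for user "sshd" (assumption) */
#define UNPRIV_GID 74            /* placeholder gid for user "sshd" (assumption) */

/* Drop to the unprivileged user in an order that cannot be undone:
 * chroot, chdir("/") so the cwd is inside the jail, drop supplementary
 * groups, then gid, then uid (uid last, or the gid change would fail). */
int drop_privileges(const char *jail, uid_t uid, gid_t gid) {
    if (chroot(jail) != 0 || chdir("/") != 0) return -1;
    if (setgroups(0, NULL) != 0 || setgid(gid) != 0 || setuid(uid) != 0) return -1;
    /* Regaining root must now fail; if it succeeds the drop was incomplete. */
    if (setuid(0) == 0) return -1;
    return 0;
}

/* Handle the untrusted credential in a jailed child; the root parent only
 * learns a one-byte verdict over a socketpair, as the post describes.
 * Returns 1 = accepted, 0 = rejected, -1 = child could not jail itself. */
int authenticate_separated(const char *attempt, const char *expected) {
    int sv[2];
    signed char verdict = -1;
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) != 0) return -1;
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {                      /* child: the "user sshd" process */
        close(sv[0]);
        if (drop_privileges(JAIL_DIR, UNPRIV_UID, UNPRIV_GID) != 0) _exit(1);
        signed char ok = (strcmp(attempt, expected) == 0);  /* untrusted data handled here */
        if (write(sv[1], &ok, 1) != 1) _exit(1);
        _exit(0);
    }
    close(sv[1]);                        /* parent: still root, never parses input */
    if (read(sv[0], &verdict, 1) != 1) verdict = -1;  /* EOF: child died before answering */
    close(sv[0]);
    waitpid(pid, NULL, 0);
    return verdict;  /* on 1 the root parent would fork again as the target user */
}
```

When not running as root (or without /var/empty), the child cannot jail itself and the function reports -1 rather than falling back to handling the input with privileges.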