Hi,

I've recently built openssh and learned the following: sshd privilege separation feature requires specific "privsep" directory (sshd chroot) ownership & permissions to be applied.

- path to privsep dir differs between common distributions: `/var/empty/sshd` (RHEL) or `/var/run/sshd` (Debian) or xxx if `./configure --with-privsep-path=xxx`
- owned by `root` or yyy if `./configure --with-privsep-user=yyy`
- additional permissions: not readable/writable by group and "others"

I am not sure on the following bonus assumptions:

- `sshd` system user must (?) exist with home directory == privsep directory and a "nologin" shell, so in sum it must not be able to read/write from/to the privsep directory

So if sshd `UsePrivilegeSeparation` is enabled - which is true on common Linux distributions - the privdir requirements above should be verified as well.

Do you think such checks make sense as an addition to https://github.com/dev-sec/ssh-baseline/blob/master/controls/sshd_spec.rb#L186 ? Or linux-baseline? Or not at all?

Best Regards,
Markus
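
The checks proposed in the issue above, written as plain Ruby for illustration. This is an added example, not code from ssh-baseline or from the poster; the helper names and the `0o066` mask (taken from "not readable/writable by group and others") are assumptions.

```ruby
require 'etc'

# Hypothetical helper (not part of ssh-baseline): returns a list of findings
# for a privsep directory, empty when it meets the requirements in the issue.
def privsep_dir_findings(path, owner_uid: 0)
  # lstat does not follow symlinks, so a symlinked privsep path is reported
  # instead of being checked at its target.
  st = begin
    File.lstat(path)
  rescue Errno::ENOENT
    return ["#{path}: does not exist"]
  end
  return ["#{path}: is not a directory"] unless st.directory?

  findings = []
  unless st.uid == owner_uid
    findings << "#{path}: owner uid #{st.uid}, expected #{owner_uid}"
  end
  # 0o066 = read and write bits for group and others
  unless (st.mode & 0o066).zero?
    findings << format('%s: mode %04o grants group/other read or write',
                       path, st.mode & 0o7777)
  end
  findings
end

# Covers the "bonus assumption": home directory == privsep directory and a
# nologin shell. `entry` responds to dir and shell, e.g. Etc.getpwnam('sshd').
def privsep_user_findings(entry, privsep_path)
  findings = []
  findings << "home #{entry.dir} is not #{privsep_path}" unless entry.dir == privsep_path
  findings << "shell #{entry.shell} is not nologin" unless entry.shell.end_with?('/nologin')
  findings
end

if __FILE__ == $PROGRAM_NAME
  # Paths named in the issue; the expected owner defaults to root (uid 0).
  %w[/var/empty/sshd /var/run/sshd].each do |dir|
    next unless File.exist?(dir)
    found = privsep_dir_findings(dir)
    begin
      found += privsep_user_findings(Etc.getpwnam('sshd'), dir)
    rescue ArgumentError
      found << 'no sshd user on this system'
    end
    puts found.empty? ? "#{dir}: ok" : found
  end
end
```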