Frequently Asked Questions
In the following, I answer frequently asked questions that arise with
privilege separation in OpenSSH.
OpenSSH terminates with fatal: Privilege separation user "sshd" does not exist
The child needs to change its user id to become unprivileged. You need
to create a new user sshd and a new group sshd.
In OpenBSD, these entries look as follows:
/etc/group:sshd:*:27:
/etc/passwd:sshd:*:27:27:sshd privsep:/var/empty:/sbin/nologin
Why is compression disabled when I use privilege separation?
On some platforms, OpenSSH shows the following message:
This platform does not support both privilege separation and compression
Compression disabled
These platforms do not support the anonymous shared memory that is required
to share the compression state between the unprivileged child and the
privileged monitor process.
Privilege separation is still enabled, but compression cannot be requested.
How do I disable privilege separation?
It is possible to disable privilege separation by inserting the following
line into sshd_config:
UsePrivilegeSeparation no
This is not recommended, because privilege separation is a valuable
security feature that has already prevented exploitation of
previously unknown vulnerabilities.
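The two prerequisites above (a locked, non-login sshd account in its own group with /var/empty as home, and sshd_config not turning privilege separation off) can be checked from a plain shell. The script below is an added example written for this FAQ, not code from the OpenSSH project; the function names check_privsep_user and check_privsep_config are my own, it assumes the seven-field passwd(5) and four-field group(5) layout shown in the OpenBSD entries above, and the sample files it writes to a temporary directory are constructed here rather than read from a real host.

```shell
#!/bin/sh
# Added example (not part of the original FAQ): audit the two
# privilege-separation prerequisites on files in passwd(5), group(5)
# and sshd_config(5) format. The sample inputs at the bottom are
# constructed for this demonstration, not read from a live system.

# check_privsep_user PASSWD GROUP
# Returns 0 when the "sshd" user and group exist, the user's primary
# group is the sshd group, its home is /var/empty, its password field
# is locked and its shell is a nologin shell; otherwise prints each
# problem and returns 1. Works on copies of the files, so no root needed.
check_privsep_user() {
    passwd_file=$1
    group_file=$2
    problems=0

    pw_line=$(awk -F: '$1 == "sshd" { print; exit }' "$passwd_file")
    gr_line=$(awk -F: '$1 == "sshd" { print; exit }' "$group_file")
    if [ -z "$pw_line" ]; then
        echo "missing: user sshd in $passwd_file"
        return 1
    fi
    if [ -z "$gr_line" ]; then
        echo "missing: group sshd in $group_file"
        return 1
    fi

    pw_pass=$(printf '%s\n' "$pw_line" | cut -d: -f2)
    pw_gid=$(printf '%s\n' "$pw_line" | cut -d: -f4)
    pw_home=$(printf '%s\n' "$pw_line" | cut -d: -f6)
    pw_shell=$(printf '%s\n' "$pw_line" | cut -d: -f7)
    gr_gid=$(printf '%s\n' "$gr_line" | cut -d: -f3)

    if [ "$pw_gid" != "$gr_gid" ]; then
        echo "mismatch: sshd user gid $pw_gid but sshd group gid $gr_gid"
        problems=$((problems + 1))
    fi
    if [ "$pw_home" != "/var/empty" ]; then
        echo "unexpected home directory: $pw_home (expected /var/empty)"
        problems=$((problems + 1))
    fi
    case $pw_pass in
        '*' | '!'* ) ;;   # locked, as intended for a service account
        * ) echo "password field is not locked: '$pw_pass'"
            problems=$((problems + 1)) ;;
    esac
    case $pw_shell in
        */nologin | */false ) ;;
        * ) echo "interactive shell configured for sshd: $pw_shell"
            problems=$((problems + 1)) ;;
    esac
    [ "$problems" -eq 0 ]
}

# check_privsep_config SSHD_CONFIG
# Returns 1 if the file contains "UsePrivilegeSeparation no" (keyword
# case-insensitive, comments ignored), 0 otherwise.
check_privsep_config() {
    n=$(tr 'A-Z' 'a-z' < "$1" | sed 's/#.*//' |
        awk '/^[[:space:]]*useprivilegeseparation[[:space:]=]+no([[:space:]]|$)/ { c++ }
             END { print c + 0 }')
    if [ "$n" -gt 0 ]; then
        echo "privilege separation is disabled in $1"
        return 1
    fi
    return 0
}

# --- constructed sample inputs -------------------------------------------
samples=$(mktemp -d)
# Entries copied from the OpenBSD example in the FAQ.
printf 'sshd:*:27:27:sshd privsep:/var/empty:/sbin/nologin\n' > "$samples/passwd.good"
printf 'sshd:*:27:\n' > "$samples/group.good"
# A constructed broken entry: wrong primary group, real home, login shell.
printf 'sshd:*:27:1000:sshd:/home/sshd:/bin/sh\n' > "$samples/passwd.bad"
printf 'UsePrivilegeSeparation yes\nPermitRootLogin no\n' > "$samples/sshd_config.good"
printf '# hardening notes\nuseprivilegeseparation no\n' > "$samples/sshd_config.bad"

check_privsep_user "$samples/passwd.good" "$samples/group.good" && echo "privsep user: ok"
check_privsep_user "$samples/passwd.bad" "$samples/group.good" || echo "privsep user: problems found"
check_privsep_config "$samples/sshd_config.good" && echo "sshd_config: ok"
check_privsep_config "$samples/sshd_config.bad" || echo "sshd_config: privilege separation off"
```

To run it against a real host, point the functions at /etc/passwd, /etc/group and /etc/ssh/sshd_config instead of the constructed files; the checks only read, so an unprivileged copy of those files is enough.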
If you have other questions that you would like to see answered here,
please let me know.