
| Subject: | Re: How to verify Privilege Separation is working? |
|---|---|
| Date: | Fri, 22 Oct 2004 10:08:26 +0100 |
Thanks!
- Philip
David Walker wrote:
ssh into your server to an account that requires a password or a non-existing account that prompts for a password. Don't enter a password at this time but run your ps command (from another shell of course). If privilege separation is operational then you will see an sshd process running under the separation account such as "sshd".
On Friday 24 September 2004 02:59 am, Philip Le Riche wrote:
Hi -
Is there a simple way to positively demonstrate that privilege separation is working? Running ps -fe shows all sshd processes running as root. If /var/empty doesn't exist, sshd still seems to work, but presumably without privilege separation. There may be other configuration errors which could have the same effect.
(The reason I ask is that a vulnerability assessment has shown that I need to upgrade to OpenSSH 3.7.1 to avoid known vulnerabilities. However, rebuilding from source has run into problems with incompatible libraries since we're on an old version of AIX. No doubt these are fixable, given time my management may not allow me, but if I could positively demonstrate that privilege separation is working, I could argue that the risk is low and limited to DoS. Agreed?)
- Philip
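The check David Walker describes can be scripted. The following is an added example, not part of the original thread: it reads process rows in the column order of `ps -eo user,pid,ppid,args` and reports any sshd process owned by the separation account whose parent is a root-owned sshd. The function names are hypothetical, the account name defaults to "sshd" as in the reply above, and the sample rows are constructed.

```shell
#!/bin/sh
# Added example. Input rows (assumed format): USER PID PPID COMMAND...
# as produced by `ps -eo user,pid,ppid,args`.

# find_privsep_children [ACCOUNT]
# Prints "PID USER" for each sshd process owned by ACCOUNT (default: sshd)
# whose parent is an sshd process owned by root.
# Exit status: 0 if at least one such process exists, 1 otherwise.
find_privsep_children() {
    awk -v acct="${1:-sshd}" '
        # Accept "/usr/sbin/sshd", "sshd" and rewritten titles like "sshd: ..."
        $4 == "sshd" || $4 == "sshd:" || $4 ~ /\/sshd$/ {
            owner[$2] = $1; parent[$2] = $3; order[++n] = $2
        }
        END {
            found = 0
            for (i = 1; i <= n; i++) {
                pid = order[i]
                if (owner[pid] == acct && owner[parent[pid]] == "root") {
                    print pid, owner[pid]
                    found = 1
                }
            }
            exit (found ? 0 : 1)
        }'
}

# Constructed sample: one connection waiting at the password prompt,
# privilege separation active (child 8841 runs as the "sshd" account).
sample_privsep() {
    cat <<'EOF'
USER PID PPID COMMAND
root 2101 1 /usr/sbin/sshd
root 8840 2101 /usr/sbin/sshd
sshd 8841 8840 /usr/sbin/sshd
root 9000 1 /usr/sbin/cron
EOF
}

# Constructed sample: same connection, but every sshd process is root,
# which is what a host without working privilege separation would show.
sample_no_privsep() {
    cat <<'EOF'
USER PID PPID COMMAND
root 2101 1 /usr/sbin/sshd
root 8840 2101 /usr/sbin/sshd
EOF
}
```

On a live host, hold a connection at the password prompt and run `ps -eo user,pid,ppid,args | find_privsep_children sshd` from another shell; exit status 1 means no process under the separation account was found.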