Re: How to verify Privilege Separation is working?

You can try to startup sshd manually on the command
line in debug mode on another port. i.e. /path/to/sshd
-D -p 9999 or whatever port you like.  Once you
connect to this daemon and disconnect it will die. 
Restart it to continue testing.  Optionally, pass it
the config file, or the specific config option.  This
will help you diagnose if you are even reading the
config file you think you are.

Jerry
QX19

--- Philip Le Riche <philip.leriche@virgin.net> wrote:

> Thanks!
>
> Just a few servers out of several dozen had neither
> the sshd user nor 
> /var/empty set up. I fixed that (sshd with login and
> remote login 
> disabled, /var/empty 755 root system) and rebooted.
> Launching a login 
> attempt having blanked the auto-login user name in
> putty still shows the 
> new process running as root. (Correctly set up
> systems show it nicely 
> running as sshd.) What more can I do to make sshd
> notice the corrected 
> config than a reboot? Do the sshd user and
> /var/empty need to exist 
> before installation? (I'm running AIX, by the way.)
>
> - Philip
>
> David Walker wrote:
>
> > ssh into your server to an account that requires a
> password or a non-existing 
> > account that prompts for a password.  Don't enter a
> password at this time but 
> > run your ps command (from another shell of course).
>  If privilege separation 
> > is operational then you will see an sshd process
> running under the separation 
> > account such as "sshd"
> >
> > On Friday 24 September 2004 02:59 am, Philip Le
> Riche wrote:
> >  
> >
> > > Hi -
> > >
> > > Is there a simple way to positively demonstrate
> that privilege
> > > separation is working? Running ps -fe shows all
> sshd processes running
> > > as root. If /var/empty doesn't exist, sshd still
> seems to work, but
> > > presumably without privilege separation. There may
> be other
> > > configuration errors which could have the same
> effect.
> > > (The reason I ask is that a vulnerability
> assessment has shown that I
> > > need to upgrade to OpenSSH 3.7.1 to avoid known
> vulnerabilities.
> > > However, rebuilding from source has run into
> problems with
> > > incompatible libraries since we're on an old
> version of AIX. No doubt
> > > these are fixable, given time my management may
> not allow me, but if I
> > > could positively demonstrate that privilege
> separation is working, I
> > > could argue that the risk is low and limited to
> DoS. Agreed?)
> > > - Philip
> > >    
> >
> >  
*******************************************************
> This email has originated from Steria Limited,
> Registration No: 2706218.
>
> Privileged, confidential and/or copyright
> information may be contained in this email, and is
> only for the use of the intended addressee. To copy,
> forward, disclose or otherwise use it in any way if
> you are not the intended recipient or responsible
> for delivering to him/her is prohibited.
>
> If you receive this email by mistake, please advise
> the sender immediately, by using the reply facility
> in your email software.
>
> We may monitor the content of emails sent and
> received via our network for the purposes of
> ensuring compliance with policies and procedures.
>
> This message is subject to and does not create or
> vary any contractual relationships between Steria
> Limited and the recipient.
>
> Office registered at: Three Cherry Trees Lane, Hemel
> Hempstead, Hertfordshire, HP2 7AH
> www.steria.co.uk
******************************************************


__________________________________________________
Do You Yahoo!?
Tired of spam?  Yahoo! Mail has the best spam protection around 
http://mail.yahoo.com