Nathan Angelacos wrote:
> 
> >I'm curious about /etc/group modification?
> >
> >I've upgraded two (2) potato's and two (2) woody's.  Yes, there is a
> >new user in passwd/shadow; but, I do not have any new group for
> >sshd.
> >
> >Yes, I have seen the instructions for installing manually; but, I
> >cannot find a reason for the special group.
> >
> >What do you think?
> 
> Good question.  I wondered the same thing, figured "'cause Theo said
> so.." and dismissed it.  But after you asked, I checked the source...
> :-)
> 
> sshd.c in privsep_preauth_child does a setgid() from the sshd's
> primary group (in passwd) when setting up the chroot jail.  The
> manual instructions make sure that the uid:gid is sshd:sshd.
> So I guess "'cause Theo said so" works. :-)
> 
> I'm curious though, on your debian systems, what is the gid for the
> sshd user?  The sshd.c source seems to indicate that sshd will fail
> if the group doesn't exist.

OK, here is the debian position:

[a] # grep ssh /etc/passwd
    /etc/passwd:sshd:x:103:65534::/home/sshd:/bin/false

[b] # grep 65534 /etc/group
    nogroup:x:65534:

[c] According to the openssh sshd.8 manpage:

   /var/empty
        chroot(2) directory used by sshd during privilege separation in
        the pre-authentication phase.  The directory should not contain
        any files and must be owned by root and not group or world-
        writable.

[d] debian changed this at compile time to: /var/run/sshd

[e] So, there is *NO* requirement for group sshd.

[f] There is a requirement for an existing directory to which to chroot
-- the default is /var/empty.

Therefore, in my ssh v3.4p1 distribution for LEAF, I am adding the sshd
user and using the debian nogroup group.  Regardless of which way you go, an
*empty* /var/empty directory *MUST* exist!

hth

-- 

Best Regards,

mds
mds resource
888.250.3987

Dare to fix things before they break . . .

Our capacity for understanding is inversely proportional to how much we
think we know.  The more I know, the more I know I don't know . . .
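Added example, not from the original post nor from the OpenSSH or LEAF sources: a POSIX sh script that checks the conditions the thread arrives at (the sshd account's primary gid resolves to a group, and the chroot directory is present, empty, owned by the expected user, and neither group- nor world-writable). The function names, the use of copies of passwd/group, and the owner argument are my own assumptions.

```sh
#!/bin/sh
# Added example (not the post's own code). All paths are arguments so the
# checks can be run against copies of passwd/group or a staging directory.

# Print the primary gid of USER from a passwd-format file; return 1 if absent.
user_gid() {  # user_gid PASSWDFILE USER
    awk -F: -v u="$2" '$1 == u { print $4; found = 1 } END { exit !found }' "$1"
}

# Return 0 if GID has an entry in a group-format file (on debian 65534 is
# "nogroup", which is why no dedicated sshd group is needed there).
gid_exists() {  # gid_exists GROUPFILE GID
    awk -F: -v g="$2" '$3 == g { found = 1 } END { exit !found }' "$1"
}

# Check the privsep chroot directory (/var/empty upstream, /var/run/sshd on
# debian) against the sshd.8 conditions: exists, empty, owned by OWNER, not
# group- or world-writable. Prints the first failure and returns 1.
check_chroot_dir() {  # check_chroot_dir DIR OWNER
    dir=$1 owner=$2
    [ -d "$dir" ] || { echo "$dir: missing"; return 1; }
    [ -z "$(ls -A "$dir")" ] || { echo "$dir: not empty"; return 1; }
    set -- $(ls -ld "$dir")        # $1 = mode string, $3 = owner name
    mode=$1 own=$3
    [ "$own" = "$owner" ] || { echo "$dir: owned by $own, not $owner"; return 1; }
    case "$mode" in                # char 6 = group w, char 9 = world w
        ?????w*|????????w*) echo "$dir: group or world writable"; return 1 ;;
    esac
    return 0
}

# Combined check: sshd's gid must resolve, and the chroot dir must be sane.
check_privsep() {  # check_privsep PASSWDFILE GROUPFILE USER DIR OWNER
    gid=$(user_gid "$1" "$3") || { echo "no $3 user in $1"; return 1; }
    gid_exists "$2" "$gid" || { echo "gid $gid of $3 has no entry in $2"; return 1; }
    check_chroot_dir "$4" "$5"
}

# Typical invocation: check_privsep /etc/passwd /etc/group sshd /var/empty root
if [ "$#" -ge 5 ]; then check_privsep "$@"; fi
```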

