Nathan Angelacos wrote:
>
> >I'm curious about /etc/group modification?
> >
> >I've upgraded two (2) potato's and two (2) woody's. Yes, there is a
> >new user in passwd/shadow; but, I do not have any new group for
> >sshd.
> >
> >Yes, I have seen the instructions for installing manually; but, I
> >cannot find a reason for the special group.
> >
> >What do you think?
>
> Good question. I wondered the same thing, figured "'cause Theo said
> so.." and dismissed it. But after you asked, I checked the source...
> :-)
>
> sshd.c in privsep_preauth_child does a setgid() from the sshd's
> primary group (in passwd) when setting up the chroot jail. The
> manual instructions make sure that the uid:gid is sshd:sshd.
> So I guess "'cause Theo said so" works. :-)
>
> I'm curious though, on your debian systems, what is the gid for the
> sshd user? The sshd.c source seems to indicate that sshd will fail
> if the group doesn't exist.
OK, here is the debian position:

[a] # grep ssh /etc/passwd
    /etc/passwd:sshd:x:103:65534::/home/sshd:/bin/false

[b] # grep 65534 /etc/group
    nogroup:x:65534:

[c] According to the openssh sshd.8 manpage:

    /var/empty
        chroot(2) directory used by sshd during privilege separation
        in the pre-authentication phase. The directory should not
        contain any files and must be owned by root and not group or
        world-writable.

[d] debian changed this at compile time to: /var/run/sshd

[e] So, there is *NO* requirement for group sshd.

[f] There is a requirement for an existing directory to which to chroot --
    the default is /var/empty .

Therefore, in my ssh v3.4p1 distribution for LEAF, I'm adding the sshd user
and using the debian nogroup group.

Regardless of which way you go, an *empty* /var/empty directory *MUST* exist!

hth

-- 
Best Regards,

mds
mds resource
888.250.3987

Dare to fix things before they break . . .

Our capacity for understanding is inversely proportional to how much
we think we know. The more I know, the more I know I don't know . . .

_______________________________________________
Leaf-devel mailing list
https://lists.sourceforge.net/lists/listinfo/leaf-devel
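The two conditions the thread settles on (the sshd user's primary gid must resolve to a real group, and the privsep chroot directory must exist, be empty, be root-owned and not group/world-writable) can be checked with a short script. The one below is an added example, not code from the mail, from OpenSSH or from Debian; it assumes `ls -ldn` prints mode, link count, numeric uid and numeric gid as its first four fields, that the passwd file's fourth field is the primary gid, and that the `[expected_owner_uid]` argument (default 0, root) is only overridden when checking a test directory.

```sh
#!/bin/sh
# Added example (not from the original mail): sanity checks for OpenSSH
# privilege separation as discussed in the thread. Assumes GNU/BSD-style
# "ls -ldn" output and passwd field 4 = primary gid.

# check_sshd_user [passwd_file] [group_file]
# Returns 0 if an sshd user exists and its primary gid is in the group file,
# otherwise prints the problem and returns 1 (sshd's setgid() in the privsep
# child needs that gid to exist; it does not need a group *named* sshd).
check_sshd_user() {
    passwd=${1:-/etc/passwd}
    group=${2:-/etc/group}
    gid=$(awk -F: '$1 == "sshd" { print $4; exit }' "$passwd")
    if [ -z "$gid" ]; then
        echo "no sshd user in $passwd"; return 1
    fi
    gname=$(awk -F: -v g="$gid" '$3 == g { print $1; exit }' "$group")
    if [ -z "$gname" ]; then
        echo "sshd primary gid $gid has no entry in $group"; return 1
    fi
    echo "sshd user ok: gid $gid is group $gname"
}

# check_privsep_dir DIR [expected_owner_uid]
# DIR is /var/empty upstream or /var/run/sshd on Debian. Applies the sshd.8
# rules quoted in the thread: exists, owned by root (uid 0 unless overridden
# for testing), not group- or world-writable, and contains no files.
check_privsep_dir() {
    dir=$1
    want_uid=${2:-0}
    if [ ! -d "$dir" ]; then
        echo "$dir: does not exist"; return 1
    fi
    # "drwxr-xr-x 2 0 0 ..." -> mode string, link count, numeric uid, gid
    set -- $(ls -ldn "$dir")
    mode=$1; uid=$3
    if [ "$uid" != "$want_uid" ]; then
        echo "$dir: owned by uid $uid, expected $want_uid"; return 1
    fi
    case $mode in
        ?????w*) echo "$dir: group-writable ($mode)"; return 1 ;;
    esac
    case $mode in
        ????????w*) echo "$dir: world-writable ($mode)"; return 1 ;;
    esac
    if [ -n "$(ls -A "$dir")" ]; then
        echo "$dir: not empty"; return 1
    fi
    echo "$dir: ok ($mode, uid $uid)"
}

# Usage on a live Debian system (system files and the Debian chroot path):
#   check_sshd_user && check_privsep_dir /var/run/sshd
```

Both functions only read the filesystem, so they can run from a cron job or a package post-install hook; a non-zero exit from either one is the condition under which the thread says sshd's privsep child will refuse to start.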