Re: openssh sshd user vs. group ???
Derrick 'dman' Hudson wrote:
>
> On Tue, Jul 02, 2002 at 11:07:57PM -0500, Michael D. Schleif wrote:
>
> | OpenSSH_3.4p1 Debian 1:3.4p1-0.0woody1, SSH protocols 1.5/2.0, OpenSSL
> | 0x0090603f
> |
> | According to the docs, supposing that I were to compile this by hand, I
> | would need to create *both* an sshd user and an sshd group.
> |
> | Installing via apt-get, the sshd user is added; but, there is *NO* sshd
> | group!
> |
> | Nevertheless, sshd is working on four (4) boxen without incident nor
> | error log.
> |
> | What am I missing?
>
> The package uses the group 'nogroup'.
>
> $ grep sshd /etc/passwd
> sshd:x:106:65534::/home/sshd:/bin/false
> ^^^^^
Yes, I see that; but, the documented process appears to me to be broken ;<
From README.privsep:
``When privsep is enabled, during the pre-authentication phase sshd will
chroot(2) to "/var/empty" and change its privileges to the "sshd" user
and its primary group. sshd is a pseudo-account that should not be used
by other daemons, and must be locked and should contain a "nologin" or
invalid shell.''
The apt-get install process created that same sshd user; but, there is
*NO* /home/sshd directory.
So, how can the ``pre-authentication'' process chroot to a non-existing
directory?
Why did the debian maintainer elect to not follow that readme?
What am I missing?
--
Best Regards,
mds
mds resource
888.250.3987
Dare to fix things before they break . . .
Our capacity for understanding is inversely proportional to how much we
think we know. The more I know, the more I know I don't know . . .
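
An added example, not part of the original message: a shell check of the account properties named in the quoted README.privsep paragraph, run on constructed copies of the passwd and group entries shown in the thread. The function name `check_privsep`, the temporary paths, and the group/world-writable test on the chroot directory are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the thread): audit a privsep account against the
# README.privsep paragraph quoted above. File paths are arguments so the check
# can run on copies; the chroot path is whatever your sshd build uses.
check_privsep() {   # usage: check_privsep PASSWD GROUP CHROOT_DIR [USER]
    passwd_file=$1; group_file=$2; chroot_dir=$3; user=${4:-sshd}; rc=0

    entry=$(awk -F: -v u="$user" '$1 == u { print; exit }' "$passwd_file")
    if [ -z "$entry" ]; then
        echo "FAIL: no '$user' account in $passwd_file"; return 1
    fi
    gid=$(printf '%s\n' "$entry" | cut -d: -f4)
    shell=$(printf '%s\n' "$entry" | cut -d: -f7)

    # Privileges drop to the account's primary gid, whatever that group is named.
    group=$(awk -F: -v g="$gid" '$3 == g { print $1; exit }' "$group_file")
    if [ -n "$group" ]; then
        echo "INFO: primary group of $user is '$group' (gid $gid)"
    else
        echo "FAIL: primary gid $gid has no entry in $group_file"; rc=1
    fi

    # "should contain a nologin or invalid shell"; an empty field means /bin/sh.
    case $shell in
        */nologin|*/false) echo "OK: shell $shell refuses logins" ;;
        *) echo "FAIL: shell '${shell:-<empty>}' may allow logins"; rc=1 ;;
    esac

    # The chroot directory is passed explicitly, not read from the home field.
    if [ ! -d "$chroot_dir" ]; then
        echo "FAIL: chroot directory $chroot_dir does not exist"; rc=1
    else
        # Assumption added here: flag group- or world-writable chroot dirs.
        case $(ls -ld "$chroot_dir" | cut -c1-10) in
            ?????w????|????????w?) echo "FAIL: $chroot_dir is writable by group/other"; rc=1 ;;
            *) echo "OK: $chroot_dir exists and is not group/world-writable" ;;
        esac
    fi
    return $rc
}

# Constructed sample data: the passwd line shown in the thread plus a matching group line.
demo=$(mktemp -d)
printf 'sshd:x:106:65534::/home/sshd:/bin/false\n' > "$demo/passwd"
printf 'nogroup:x:65534:\n' > "$demo/group"
mkdir "$demo/empty" && chmod 755 "$demo/empty"
check_privsep "$demo/passwd" "$demo/group" "$demo/empty" || true
```

On a live system the arguments would be `/etc/passwd`, `/etc/group` and the privsep chroot path of the installed sshd.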