
Re: Root login in graphical environment



On 31 Jul 2002 23:25:25 +0800
"Crispin Wellington" <crispin@aeonline.net> wrote:

> Are there indeed? run 
> ps auxwww|grep sshd
> and tell me what user level yours is running at.

Sure the process is running as root, but take a look at your man page.

From the man page:

     UsePrivilegeSeparation
             Specifies whether sshd separates privileges by creating an
             unprivileged child process to deal with incoming network traffic.
             After successful authentication, another process will be created
             that has the privilege of the authenticated user.  The goal of
             privilege separation is to prevent privilege escalation by
             containing any corruption within the unprivileged processes.  The
             default is ``yes''.

> How do I go about running at another user level, I ask you?

You don't need to, provided you are running the updated version,
UsePrivilegeSeparation is on by default as the man page indicates.

> clue_factor=0. Go read the Privilege Separation advisories again. 

I've read them, perhaps you should.

> Tell me. sshd version OpenSSH_3.4p1 Debian 1:3.4p1-1.
> /etc/ssh/sshd_config contains PermitRootLogin yes.

I've been against this from the start, and change it on all my systems.
The package maintainer seems to be stubborn about it from what I've seen.

> Can this sshd be compromised, or not?

If you're asking whether or not the default sshd_config settings can allow
for a system being compromised, IMHO most certainly.

-- 
Jamin W. Collins
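
An added example, not part of the original message: a shell check that reports the effective global values of the two sshd_config options discussed above, PermitRootLogin and UsePrivilegeSeparation. The function names and the sample file are made up for illustration. It assumes sshd keeps the first value it reads for a keyword and it stops at any Match block.

```shell
#!/bin/sh
# Added example: effective global sshd_config values for the two options
# discussed in the message. sshd keeps the FIRST value it reads for a keyword.

# effective_value FILE KEYWORD DEFAULT -> prints the lower-cased effective value
effective_value() {
    awk -v want="$2" -v dflt="$3" '
        BEGIN { want = tolower(want) }
        { sub(/\r$/, "") }                      # tolerate CRLF line endings
        /^[ \t]*(#|$)/ { next }                 # skip comments and blank lines
        {
            line = $0
            sub(/^[ \t]+/, "", line)
            n = match(line, /[ \t=]/)           # keyword ends at whitespace or "="
            if (n == 0) next
            key = tolower(substr(line, 1, n - 1))
            val = substr(line, n)
            sub(/^[ \t]*=?[ \t]*/, "", val)
            sub(/[ \t]+$/, "", val)
            if (key == "match") exit            # conditional blocks are not global
            if (key == want) { print tolower(val); found = 1; exit }
        }
        END { if (!found) print dflt }
    ' "$1"
}

# audit_sshd FILE -> prints findings; exit status is the number of findings
audit_sshd() {
    findings=0
    root=$(effective_value "$1" PermitRootLogin unset)
    # "yes" default is taken from the man page text quoted in the message
    privsep=$(effective_value "$1" UsePrivilegeSeparation yes)
    case "$root" in
        yes)   echo "FINDING: PermitRootLogin yes"; findings=$((findings + 1)) ;;
        unset) echo "NOTE: PermitRootLogin not set, the build default applies" ;;
    esac
    if [ "$privsep" = "no" ]; then
        echo "FINDING: UsePrivilegeSeparation no"; findings=$((findings + 1))
    fi
    return "$findings"
}

# Constructed sample: the hardening line was appended after the shipped one.
sample=$(mktemp)
printf '%s\n' '#PermitRootLogin no' 'PermitRootLogin yes' \
    'UsePrivilegeSeparation = no' 'permitrootlogin no' > "$sample"
audit_sshd "$sample"
echo "findings: $?"
```

In the constructed sample the trailing "permitrootlogin no" has no effect because the earlier "PermitRootLogin yes" is read first, so a corrected value has to replace the shipped line rather than be appended after it.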


