Re: privsep checking
Is this the case on older versions of OBSD and the portable version, too?
I show the [priv] working as advertised on a 3.1OBSD privsep enabled box,
but it doesn't show up that way on a 2.9OBSD box or in the portable version
I have running on a Linux box. In each case, I've taken the same steps to
enable privsep after installing a new sshd on each:
1. add sshd user
2. add /var/empty
3. turn on privsep in respective /etc/sshd_config (or /etc/ssh/sshd_config) files
4. restart sshd
5. ensure proper (i.e. newest) version is being run (using scanssh)
6. login to box using non root user account
7. ps -aux | grep ssh
Here are OpenSSH versions running on each:
2.9OBSD: openssh-3.3.tgz (patched with openbsd29_3.3.patch)
3.1OBSD: openssh-3.3.tgz (patched with openbsd31_3.3.patch)
portable(Linux): openssh-3.3p1.tar.gz
Any thoughts?
----- Original Message -----
From: "Theo de Raadt" <deraadt@cvs.openbsd.org>
To: "Ted U" <grendel@heorot.stanford.edu>
Cc: <misc@openbsd.org>
Sent: Monday, June 24, 2002 07:04 PM
Subject: Re: privsep checking
> > Is there some method to verify that sshd is running in privsep mode?
>
> Do a non-root ssh to the machine in question.
>
> On the machine in question, see if ps shows two entries for that connection:
>
> Like this:
>
> deraadt 4676 0.0 0.0 400 1040 ?? I Thu10PM 0:00.01 sshd: deraadt@ttyp0 (sshd)
> root 9269 0.0 0.0 396 1228 ?? Is Thu10PM 0:00.03 sshd: deraadt [priv] (sshd)
>
>
> See the [priv]?
>
> That's your sign.
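
The ps check described in this thread, scripted as an added example (not part of the original messages or of OpenSSH): it pairs each login's root-owned `[priv]` monitor with the user-owned sshd child and reports sessions that lack the pair. Assumptions: the function name `check_privsep` is hypothetical, the sample lines are constructed from the listing quoted above (the `alice` line stands in for a session without privsep), and ps on the platform displays the process titles that sshd sets.

```sh
#!/bin/sh
# Added example: classify sshd sessions in `ps aux`-style output by whether
# each login shows the root-owned "[priv]" monitor plus a user-owned child.

# Constructed sample input, modelled on the listing quoted in the thread.
SAMPLE_PS='deraadt 4676 0.0 0.0 400 1040 ?? I Thu10PM 0:00.01 sshd: deraadt@ttyp0 (sshd)
root 9269 0.0 0.0 396 1228 ?? Is Thu10PM 0:00.03 sshd: deraadt [priv] (sshd)
root 5120 0.0 0.0 392 1200 ?? Is Thu11PM 0:00.02 sshd: alice@ttyp1 (sshd)
root 311 0.0 0.0 380 900 ?? Is Wed09AM 0:00.10 /usr/sbin/sshd'

# Reads ps output on stdin; prints "<user> privsep" or "<user> no-privsep".
check_privsep() {
    awk '
    {
        # Locate the "sshd:" process-title token; skip non-session lines.
        t = 0
        for (i = 1; i <= NF; i++) if ($i == "sshd:") { t = i; break }
        if (t == 0 || t == NF) next
        owner = $1
        target = $(t + 1)
        sub(/@.*/, "", target)          # "user@ttyp0" -> "user"
        if (!(target in seen)) { seen[target] = 1; order[++n] = target }
        # Monitor: root-owned process whose title carries the [priv] tag.
        if ($(t + 2) == "[priv]" && owner == "root") monitor[target] = 1
        # Child: session process running as the logged-in user.
        else if (owner == target) child[target] = 1
    }
    END {
        for (k = 1; k <= n; k++) {
            u = order[k]
            print u, ((monitor[u] && child[u]) ? "privsep" : "no-privsep")
        }
    }'
}

# Live use: ps aux | check_privsep
```

As in the thread, the check is only meaningful for non-root logins, since a root session has no distinct unprivileged owner to pair with the monitor.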