Jesse Tie-Ten-Quee highos at
Tue Jun 25 19:13:10 PDT 2002


On Tue, Jun 25, 2002 at 12:44:02PM +0100, James Spinks wrote:
> Setting PrivilegeSeparation to on causes large portions of the daemon
> to run in a so-called "chroot jail", i.e. in a very restricted environment.
> An attacker breaking this part of the SSH daemon will *not* obtain full
> root privilege (as he would if sshd runs without this option), but
> will find himself in an empty directory, inside a process running as
> a non-privileged user (he can still do some harm this way, but it's
> a far cry from full root powers, of course). 

Actually that's the default on 3.3p1.  And I just had a nightmare for the
past 3 hours fighting with it because of that fact.

Short version:  If you are running a Linux kernel 2.2 box and want to
use 3.3p1, disable UsePrivilegeSeparation in sshd_config to get the old
tried and true method, or disable Compression to be able to use
UsePrivilegeSeparation properly.


Jesse Tie-Ten-Quee  ( highos at linuxfromscratch dot org )
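
A check for the combination described in the message above, as an added example that is not part of the original post. The function names and the sample config are constructed for illustration, and the script assumes Compression defaults to yes when sshd_config does not set it (UsePrivilegeSeparation defaulting to on in 3.3p1 is from the post).

```shell
#!/bin/sh
# Effective value of an sshd_config keyword. sshd uses the first
# occurrence of a keyword and matches keywords case-insensitively.
# usage: sshd_opt FILE KEYWORD DEFAULT
sshd_opt() {
    awk -v key="$2" -v def="$3" '
        BEGIN { key = tolower(key) }
        tolower($1) == key { print tolower($2); found = 1; exit }
        END { if (!found) print def }
    ' "$1"
}

# Prints "conflict" when a 2.2 kernel is paired with both
# UsePrivilegeSeparation and Compression enabled, otherwise "ok".
# usage: check_privsep FILE KERNEL_RELEASE
check_privsep() {
    privsep=$(sshd_opt "$1" UsePrivilegeSeparation yes)  # default per the post
    compress=$(sshd_opt "$1" Compression yes)            # assumed default
    case "$2" in
        2.2|2.2.*) old_kernel=1 ;;
        *)         old_kernel=0 ;;
    esac
    if [ "$old_kernel" = 1 ] && [ "$privsep" = yes ] && [ "$compress" = yes ]; then
        echo conflict
    else
        echo ok
    fi
}

# Constructed sample config: privsep set explicitly, Compression left unset.
sample=$(mktemp)
printf '%s\n' '# constructed sample' 'Port 22' \
    'useprivilegeseparation yes' > "$sample"

check_privsep "$sample" 2.2.20   # conflict
check_privsep "$sample" 2.4.18   # ok
```

On a live host the call would be `check_privsep /etc/ssh/sshd_config "$(uname -r)"`, with the config path adjusted to wherever the build installed it.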