Center for Information Technology Integration
Privilege Separated OpenSSH - FAQ

Frequently Asked Questions

In the following, I answer frequently asked questions that arise with privilege separation in OpenSSH.

OpenSSH terminates with fatal: Privilege separation user "sshd" does not exist

The unprivileged child needs to change its user id to an unprivileged account, so you need to create a new user sshd and a new group sshd. In OpenBSD, these entries look as follows:

    /etc/passwd:sshd:*:27:27:sshd privsep:/var/empty:/sbin/nologin

Why is compression disabled when I use privilege separation?

On some platforms, OpenSSH shows the following message:

    This platform does not support both privilege separation and compression
    Compression disabled

These platforms do not support the anonymous shared memory that is required to share the compression state between the unprivileged child and the privileged monitor process.

Privilege separation is still enabled, but compression cannot be requested.

How do I disable privilege separation?

It is possible to disable privilege separation by inserting the following line into sshd_config:

    UsePrivilegeSeparation no

This is not recommended, because privilege separation is a valuable security feature that has already prevented exploitation of previously unknown vulnerabilities.
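The following audit script is an added example and is not part of the original FAQ or of OpenSSH itself. It checks the two prerequisites discussed above: that the privilege separation account looks like the OpenBSD entry shown earlier (locked password, non-root uid, empty home directory, non-interactive shell), and that sshd_config has not switched privilege separation off. The passwd line and sshd_config fragment are constructed samples; on a real host you would feed it the output of `getent passwd sshd` (or the line from /etc/passwd) and the contents of /etc/ssh/sshd_config instead. The uid value 27 from the FAQ is not required by the check, since other systems allocate different ids.

```shell
#!/bin/sh
# Added example (not from the original FAQ): audit the privilege separation
# account and the UsePrivilegeSeparation setting. Runs offline on constructed data.

# Constructed /etc/passwd line modelled on the OpenBSD entry quoted in the FAQ.
SAMPLE_PASSWD='sshd:*:27:27:sshd privsep:/var/empty:/sbin/nologin'

# Constructed sshd_config fragment in which privilege separation has been disabled.
SAMPLE_CONFIG='Port 22
# UsePrivilegeSeparation yes
UsePrivilegeSeparation no
Compression yes'

# check_privsep_user PASSWD_LINE
# Prints "ok" and returns 0 when the line describes a locked, unprivileged,
# non-interactive sshd account; otherwise prints the problems and returns 1.
check_privsep_user() {
    IFS=: read -r name pw uid gid gecos home shell <<EOF
$1
EOF
    problems=""
    [ "$name" = "sshd" ] || problems="$problems account name is '$name', expected sshd;"
    case $pw in
        '*'*|'!'*) ;;    # locked password field: no password login possible
        *) problems="$problems password field '$pw' is not locked;" ;;
    esac
    [ "$uid" != "0" ] || problems="$problems uid is 0, the account must be unprivileged;"
    [ "$home" = "/var/empty" ] || problems="$problems home is '$home', expected /var/empty;"
    case $shell in
        */nologin|*/false) ;;    # no interactive shell
        *) problems="$problems shell '$shell' permits interactive logins;" ;;
    esac
    if [ -z "$problems" ]; then
        echo ok
        return 0
    fi
    echo "problem:$problems"
    return 1
}

# privsep_setting CONFIG_TEXT
# Prints the effective UsePrivilegeSeparation value. Like sshd, the first
# uncommented occurrence of a keyword wins; keywords are case-insensitive and
# "keyword=value" is accepted. An unset keyword prints "yes", the default.
privsep_setting() {
    printf '%s\n' "$1" | awk '
        /^[ \t]*#/ || /^[ \t]*$/ { next }
        {
            line = $0
            sub(/^[ \t]+/, "", line)
            gsub(/=/, " ", line)
            split(line, f, /[ \t]+/)
            if (tolower(f[1]) == "useprivilegeseparation") {
                print tolower(f[2]); found = 1; exit
            }
        }
        END { if (!found) print "yes" }'
}

# Usage on the constructed samples.
check_privsep_user "$SAMPLE_PASSWD"
check_privsep_user 'sshd:x:0:0:bad entry:/root:/bin/sh' || true
printf 'UsePrivilegeSeparation is effectively: %s\n' "$(privsep_setting "$SAMPLE_CONFIG")"
```

The account check deliberately accepts any locked password field (`*` or a leading `!`) and any nologin or false shell, because those conventions differ between OpenBSD, Linux distributions and other Unix systems; the home directory is compared against /var/empty because that is the directory the FAQ names and the one the unprivileged child is chrooted into.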

If you have other questions that you would like to see answered here, please let me know.



Questions and Comments:
Niels Provos
Last modified: Tue Jan 14 13:47:23 EST 2003