What is the significance of the UsePrivilegeSeparation directive in the /etc/ssh/sshd_config file, and how to test it?
Environment
- Red Hat Enterprise Linux 5
- Red Hat Enterprise Linux 6
- Red Hat Enterprise Linux 7
- sshd
Issue
- What is the practical use case for UsePrivilegeSeparation? How to test it?
- Is there any known impact of setting "UsePrivilegeSeparation yes", or should one avoid setting "UsePrivilegeSeparation" to "yes"?
- Is this directive compatible with pluggable authentication modules?
Resolution
- What is the practical use case for UsePrivilegeSeparation?
The external link below gives good insight into this directive:
Privilege Separated OpenSSH (www.citi.umich.edu)
OR
the following file may be referred to as well:
/usr/share/doc/openssh/README.privsep
- How to test the use of this directive?
In the pre-authentication phase one can see two sshd processes:
# ps axfZu | grep sshd
...
system_u:system_r:sshd_t:s0-s0:c0.c1023 root 4051 \_ sshd: root [priv]
system_u:system_r:sshd_net_t:s0-s0:c0.c1023 sshd 4052 \_ sshd: root [net]
PID 4051 runs as 'root' and performs all operations that need superuser privileges, such as authentication, while PID 4052 is a child of 4051, runs as 'sshd', is chrooted to /var/empty/sshd and does all network communication.
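One way to script the check above, as an added example that is not part of the original article: the function reads `ps -eo pid,ppid,user,args` output and confirms that each pre-auth [net] process is a non-root child of a root-owned [priv] monitor. The function name and the sample lines are constructed for illustration, reusing the PIDs shown above.

```shell
#!/bin/sh
# Added example (not from the article): verify the pre-auth process pair.
# Input lines: "PID PPID USER ARGS...", i.e. the output of
#   ps -eo pid,ppid,user,args
# Prints one line per "[net]" child. Returns 0 only if at least one was
# found and each is a non-root child of a root-owned "[priv]" monitor.
check_privsep() {
    awk '
    $4 == "sshd:" && $NF == "[priv]" { priv_user[$1] = $3 }
    $4 == "sshd:" && $NF == "[net]"  { parent[$1] = $2; net_user[$1] = $3 }
    END {
        bad = 0; pairs = 0
        for (pid in parent) {
            mon = parent[pid]
            if (!(mon in priv_user)) {
                printf "FAIL net=%s: parent %s is not a [priv] monitor\n", pid, mon
                bad++
            } else if (priv_user[mon] != "root") {
                printf "FAIL net=%s: monitor %s runs as %s\n", pid, mon, priv_user[mon]
                bad++
            } else if (net_user[pid] == "root") {
                printf "FAIL net=%s: network child runs as root\n", pid
                bad++
            } else {
                printf "OK priv=%s(%s) net=%s(%s)\n", mon, priv_user[mon], pid, net_user[pid]
                pairs++
            }
        }
        if (pairs == 0 && bad == 0) print "no pre-auth [net] process seen"
        rc = (pairs > 0 && bad == 0) ? 0 : 1
        exit rc
    }'
}

# Constructed sample: listener, monitor and network child (PIDs as above).
SAMPLE_PS=' 2001     1 root /usr/sbin/sshd
 4051  2001 root sshd: root [priv]
 4052  4051 sshd sshd: root [net]'

printf '%s\n' "$SAMPLE_PS" | check_privsep

# Live use, while a client is waiting at the password prompt:
#   ps -eo pid,ppid,user,args | check_privsep
```

The [net] process exists only while a connection is in the pre-authentication phase, so on an idle server the function reports that no such process was seen.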
- Is there any known impact of setting "UsePrivilegeSeparation yes", or are there cases where we should avoid setting "UsePrivilegeSeparation" to "yes"?
UsePrivilegeSeparation yes is the default. It should not be set to no.
Regarding impact:
Communication between the privileged and the unprivileged process is achieved by pipes. Shared memory stores state that cannot otherwise be exported. The child has to ask the privileged parent to determine whether authentication was successful or not. This link (www.citi.umich.edu) gives further insight into this.
- Is this directive compatible with pluggable authentication modules?
"This feature does not work with pluggable authentication modules on the Solaris OE." The important part of this sentence is probably "on the Solaris OE". There's no problem using privilege separation and PAM in RHEL. It's been a default for a long time.