Sujao (l33t)
Joined: 25 Sep 2004; Posts: 677; Location: Germany
Posted: Fri Sep 26, 2008 3:11 pm. Post subject: [solved] sshd group usable?
Hi,
I would like to let only people log in via ssh who are in an "ssh" group. I found out that I already have the "sshd" group with gid 22 in /etc/group. I wonder whether this group is reserved for the ssh daemon or whether I can use it freely. My concern is that if I add somebody to sshd and the daemon uses this group in some way, this user could then manipulate the daemon because he has group permissions.
How can I check whether there is a security issue?
I didn't find any files belonging to group sshd; am I on the safe side then?
Last edited by Sujao on Wed Oct 08, 2008 9:27 pm; edited 1 time in total
vuakko (Tux's lil' helper)
Joined: 09 May 2007; Posts: 138; Location: Helsinki, Finland
Posted: Sat Sep 27, 2008 1:25 am
I'm quite sure that the user/group sshd is the account sshd is run under. The idea is that, just as with any server, if it is run under an account without any privileges, then a cracker gains little by cracking the ssh server. So just create a new group.
Sujao (l33t)
Joined: 25 Sep 2004; Posts: 677; Location: Germany
Posted: Sat Sep 27, 2008 11:46 am
Well, I couldn't find any files belonging to sshd, and the sshd process runs as root.
Code:
    user@host ~ $ ps aux | grep sshd
    user 847 0.0 0.0 5404 740 pts/5 R+ 13:44 0:00 grep --colour=auto sshd
    root 11679 0.0 0.0 37564 1084 ? Ss Sep26 0:00 /usr/sbin/sshd
manaka (Apprentice)
Joined: 23 Jul 2007; Posts: 178; Location: Spain
Posted: Tue Oct 07, 2008 9:30 pm
The user and group sshd are used by the openssh daemon when compiled with privilege separation. It runs as that user during the transitory preauthentication phase. See http://article.gmane.org/gmane.network.openssh.devel/1677/match=openssh+privilege+separation+user+sshd for the full details.
You should create another group for the users allowed to login via ssh.
_________________
Javier Miqueleiz
"Listen to your heart. It knows all things, because it came from the Soul of the World, and it will one day return there."
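As an added example (not from the thread or from any poster), a small POSIX shell helper set for the checks discussed above, run against a group file and an sshd_config you pass in rather than the live ones: look up a group's gid, count files owned by that gid, and put an AllowGroups line for a separate login group into sshd_config. The sample group file and sshd_config it creates are constructed, and the group name sshusers is an assumed choice.

```shell
#!/bin/sh
# Added example, not from the thread. Helpers for the checks discussed above, run against
# the group file and sshd_config you pass in (constructed samples below, not live files).

# Print the gid of group $1 from group file $2 (default /etc/group); return 1 if absent.
group_gid() {
  awk -F: -v g="$1" '$1 == g { print $3; found = 1 } END { exit !found }' "${2:-/etc/group}"
}

# Count files under tree $1 owned by gid $2 (the check the OP did by hand); -group takes a number.
files_owned_by_gid() {
  find "$1" -group "$2" 2>/dev/null | wc -l | tr -d ' '
}

# First active AllowGroups value in sshd_config $1; sshd honours the first occurrence of a keyword.
allow_groups_of() {
  awk '/^[ \t]*AllowGroups[ \t]/ { sub(/^[ \t]*AllowGroups[ \t]+/, ""); print; exit }' "$1"
}

# Write "AllowGroups $2" into sshd_config $1: replace the first AllowGroups line (active or
# commented out) or append one. Goes through a temp file, so no GNU-only sed -i is needed.
set_allow_groups() {
  awk -v g="$2" '
    !done && /^[ \t]*#?[ \t]*AllowGroups[ \t]/ { print "AllowGroups " g; done = 1; next }
    { print }
    END { if (!done) print "AllowGroups " g }
  ' "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

# Constructed stand-ins for /etc/group and /etc/ssh/sshd_config; prints the directory.
make_sample() {
  d=$(mktemp -d)
  printf 'root:x:0:\nsshd:x:22:\nwheel:x:10:alice\n' > "$d/group"
  printf '# constructed sshd_config\nPermitRootLogin no\n#AllowGroups wheel\n' > "$d/sshd_config"
  echo "$d"
}

# Demo: the sshd group exists (gid 22) and owns nothing in the sample tree; logins get
# restricted to a separate, assumed "sshusers" group rather than to sshd itself.
sample=$(make_sample)
echo "sshd gid: $(group_gid sshd "$sample/group")"
echo "files owned by gid 22: $(files_owned_by_gid "$sample" 22)"
set_allow_groups "$sample/sshd_config" sshusers
echo "AllowGroups now: $(allow_groups_of "$sample/sshd_config")"
```

Against a real box you would pass /etc/group and /etc/ssh/sshd_config and run find over / instead of the sample directory, then check the result with sshd -t before reloading.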
Sujao (l33t)
Joined: 25 Sep 2004; Posts: 677; Location: Germany
Posted: Wed Oct 08, 2008 9:27 pm
Great, thx for the info.