After recompiling ssh for my sol8 box, i wanted to start sshd.
But I get this very strange message ( it's in english, but doesn't mean anytrhing to me!!):
Privilege separation user sshd does not exist
Does this mean i have to create a user "sshd" seams strange to me...
For those of you who understand what that means, i don't know if it will be of any help, to give the error code ($?=255)...
Any other ideas?
One of my fellow workers, a UNIX expert (someday to be guru) says yes. He said to take a look at Sunfreeware.com openssh for complete info on set up. Something about setting up a user and empty directory (look at Step Three on the web page).
its because sshd wants to be run as the user named ssh. It didnt make the user when you installed. I dont know what you will have to do to make the user ssh, as its a special user.
Thanx both of you!
I had to create the user sshd, here's what I did:
mkdir /var/empty
chown root:sys /var/empty
chmod 755 /var/empty
groupadd sshd
useradd -g sshd -c 'sshd privsep' -d /var/empty -s /bin/false sshd
Thanx for all help!
Recent versions of OpenSSH include a feature called Privilege Separation. This allows as much of sshd as possible to run as a non-privileged user (sshd), rather than as root.
In previous versions, you may notice that each SSH connection spawns an individual sshd process as the root user. Current versions with privilege separation enabled will spawn one process as the root user, which runs as little code as possible. This process is chrooted in /var/empty, which should be an empty, restricted directory. A second process is spawned as the login user, which contains code that does not need escalated privileges to run. This is a preventitive measure; any bugs/exploits found in the sshd code are now more likely to be found in portions of the code that are running as a non-privileged user, hindering an attacker's ability to gain root privileges on the machine.
Privilege separation may be disabled in sshd_config with:
UsePrivilegeSeparation no
Another problem i noticed:
I'm working on a Solaris 9 for test, and ssh is installed natively.
When i try to pass a ssh command, here's what i get:
$ ssh mouton uname -a
root mouton's password: ******
SunOS mouton 5.9 Generic sun4m sparc
SUNW,SPARCstation-20
Here's my sshd_config:
Port 22
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_dsa_key
ServerKeyBits 768
LoginGraceTime 600
KeyRegenerationInterval 3600
PermitRootLogin yes
SyslogFacility LOCAL6
LogLevel INFO
RhostsAuthentication no
What should i modify to get directly the result without entering the root password?
Thanx...
If you need to log in as a user other than the current username on the local side (e.g. you're logged in as penguin, and want to log in to the remote machine as tux, not penguin), specify the username either with the -l (login) option, or username@host format.
$ ssh tux@mouton uname -a
or
$ ssh -l tux mouton uname -a
If you're wanting to run remote commands without entering your password every time, read up on SSH public-key authentication. When you have your public-key auth set up correctly between the two machines, use ssh-agent(1) to store your password locally, and authenticate you to other servers. The ssh-agent program will prompt you only once for your private key passphrase, then do authentication to other machines for you until you kill the ssh-agent process.
If you create your private key without a passphrase (by pressing Enter when prompted for passphrase), it will be unencrypted and you will never need to input a passphrase to decrypt your private key for authentication. I do not recommend this method when it can be avoided, for the obvious security reasons (if someone obtains access to the file, it is unprotected and they will be able to authenticate as you to other machines).
Thanx kjd, but that it is not my problem.
I have created a config file under ~/.ssh/ where i specify the default user( in my case, root).
my real question is: why does the remote machine ask for root's login password?
jason
Just use
UsePrivilegeSepration no
in .../sshd_config
AND
if you want to log in without the password of the target user just use public key authentication. Create pub. key pairs with ssh-keygen and copy your public key into .ssh/authorized_keys file under the home dir of the target user on any host. Then u will be asked for the passphrase of your priv. key and not for his/her password. And if you use ssh-agent and tell it the passphrase of your secret key and use the option -A (auth. agent forwarding) then u can log in without typing and passwords or passphrases etc. But be careful.
Please note that I assume u use OpenSSH...