[CentOS] defense-in-depth possible for sshd?
Adrian Sevcenco
Adrian.Sevcenco at cern.ch
Tue Jan 10 10:02:01 UTC 2012
On 01/10/12 11:12, Bennett Haselton wrote:
> What about sshd -- assuming that the attacker can connect to sshd at all
> (i.e. not prevented by a firewall), if they find an exploit to let them
> take control of sshd, would that imply immediate total control of the
UsePrivilegeSeparation
Specifies whether sshd(8) separates privileges by creating an
unprivileged child process to deal with incoming network traffic. After
successful authentication, another process will be created that has the
privilege of the authenticated user. The goal of privilege separation
is to prevent privilege escalation by containing any corruption within
the unprivileged processes. The default is ``yes''. If
UsePrivilegeSeparation is set to ``sandbox'' then the pre-authentication
unprivileged process is subject to additional restrictions.
http://www.openbsd.org/cgi-bin/man.cgi?query=sshd_config&sektion=5
also selinux is everywhere this days... (default mechanism for
"defense-in-depth")
HTH,
Adrian
More information about the CentOS
mailing list