[CentOS] defense-in-depth possible for sshd?
Adrian Sevcenco
Adrian.Sevcenco at cern.chTue Jan 10 10:02:01 UTC 2012
- Previous message: [CentOS] defense-in-depth possible for sshd?
- Next message: [CentOS] defense-in-depth possible for sshd?
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
On 01/10/12 11:12, Bennett Haselton wrote: > What about sshd -- assuming that the attacker can connect to sshd at all > (i.e. not prevented by a firewall), if they find an exploit to let them > take control of sshd, would that imply immediate total control of the UsePrivilegeSeparation Specifies whether sshd(8) separates privileges by creating an unprivileged child process to deal with incoming network traffic. After successful authentication, another process will be created that has the privilege of the authenticated user. The goal of privilege separation is to prevent privilege escalation by containing any corruption within the unprivileged processes. The default is ``yes''. If UsePrivilegeSeparation is set to ``sandbox'' then the pre-authentication unprivileged process is subject to additional restrictions. http://www.openbsd.org/cgi-bin/man.cgi?query=sshd_config&sektion=5 also selinux is everywhere this days... (default mechanism for "defense-in-depth") HTH, Adrian
- Previous message: [CentOS] defense-in-depth possible for sshd?
- Next message: [CentOS] defense-in-depth possible for sshd?
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
More information about the CentOS mailing list