On 01/10/2012 01:12 AM, Bennett Haselton wrote:
> What about sshd -- assuming that the attacker can connect to sshd at all
> (i.e. not prevented by a firewall), if they find an exploit to let them
> take control of sshd, would that imply immediate total control of the
> machine?

Yes, but the question itself ignores the extensive security that accompanies sshd. OpenSSH's server already features defense-in-depth.

OpenSSH's server features privilege separation, a mechanism in which the network connections and encryption are handled by a process which is unprivileged. Attacks against connection handling or encryption won't get you root access.

OpenSSH's server code has been thoroughly audited for security.

Red Hat's build of OpenSSH's server features an SELinux policy. Attacks which require system access not granted by the policy won't work.

All of Red Hat's systems feature shared lib address randomization, to protect against stack attacks.

Your hypothetical attack that takes control of sshd would have to defeat a number of levels of defense.

You compared sshd to httpd, which runs as a non-root user, but ignore that its *purpose* is to grant shell access to the system. No matter what additional layers you add to sshd, a successful attack is going to grant shell access, because that's the purpose of the daemon. You can't lower the privilege level of sshd to the point that an attacker can't get a shell (which is what was done to httpd) without making the service useless.
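The privilege-separation pattern the reply describes, reduced to its core as an added example (this is illustrative code, not OpenSSH's own): a privileged monitor forks a worker that irreversibly drops root before it parses any untrusted input, so a bug in the parsing stage runs with the worker's identity only. It assumes Linux (setresuid/setresgid) and uses uid/gid 65534 as the unprivileged identity; when run without root it simply verifies that root cannot be regained.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <grp.h>
#include <string.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

#define UNPRIV_UID 65534 /* assumption: "nobody"/"nogroup" on this host */
#define UNPRIV_GID 65534

/* Drop root irreversibly: clear supplementary groups, then set real, effective
 * and saved ids so nothing is left to climb back with. 0 = ok, -1 = abort. */
int drop_privileges(uid_t uid, gid_t gid) {
    if (geteuid() != 0) return 0;       /* already unprivileged */
    if (setgroups(0, NULL) != 0) return -1;
    if (setresgid(gid, gid, gid) != 0) return -1;
    if (setresuid(uid, uid, uid) != 0) return -1;
    return 0;
}
/* Confirm the drop stuck: any attempt to regain root must fail with EPERM. */
int privileges_dropped(void) {
    return geteuid() != 0 && setuid(0) == -1 && errno == EPERM;
}
/* Unprivileged stage: parse one untrusted line of the form "USER name".
 * A bug here runs with the worker's identity, not root's. */
int worker_parse(const char *line, char *user, size_t userlen) {
    if (strncmp(line, "USER ", 5) != 0) return -1;
    const char *p = line + 5;
    size_t n = strcspn(p, "\r\n");
    if (n == 0 || n >= userlen) return -1;
    memcpy(user, p, n); user[n] = '\0';
    return 0;
}
/* Privileged monitor: fork a worker, which drops privileges before it touches
 * input. Returns the worker's exit status: 0 parsed, 1 rejected, 2/3 drop failed. */
int run_separated(const char *untrusted) {
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        char user[32];
        if (drop_privileges(UNPRIV_UID, UNPRIV_GID) != 0) _exit(2);
        if (!privileges_dropped()) _exit(3);
        _exit(worker_parse(untrusted, user, sizeof user) == 0 ? 0 : 1);
    }
    int status;
    if (waitpid(pid, &status, 0) != pid) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}
```

Real sshd goes further (the unprivileged process is also chrooted into an empty directory, and the monitor only answers a fixed set of requests), but the ordering shown here, drop first and only then handle input, is the property that keeps a network-stage bug from yielding root.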