[CentOS] defense-in-depth possible for sshd?

Adrian Sevcenco Adrian.Sevcenco at cern.ch
Tue Jan 10 10:02:01 UTC 2012

On 01/10/12 11:12, Bennett Haselton wrote:
> What about sshd -- assuming that the attacker can connect to sshd at all
> (i.e. not prevented by a firewall), if they find an exploit to let them
> take control of sshd, would that imply immediate total control of the
Specifies whether sshd(8) separates privileges by creating an 
unprivileged child process to deal with incoming network traffic. After 
successful authentication, another process will be created that has the 
privilege of the authenticated user.  The goal of privilege separation 
is to prevent privilege escalation by containing any corruption within 
the unprivileged processes.  The default is ``yes''. If 
UsePrivilegeSeparation is set to ``sandbox'' then the pre-authentication 
unprivileged process is subject to additional restrictions.


also selinux is everywhere this days... (default mechanism for 


More information about the CentOS mailing list