https://community.hpe.com/t5/operating-system-hp-ux/sshd-errors/m-p/3046847#M135609 I'm not sure if privilege separation (PS) is only a matter of unsetting it in the daemon's config file.<BR />If my memory serves me correctly (I also once stumbled over PS) it is already set during compile time through a certain configure switch that builds the appropiate makefile.<BR />Anyway, look for the README and INSTALL files that came with the package.<BR />There it should be outlined what needs to be done to enable PS.<BR />I think it was that you had to create a certain user under whose uid the sshd process runs, and which is very limited in its privileges (similar to nobody or www for a webserver).<BR />Then you will also have to create a certain directory for this sshd proc where it can cd into and chroot (usually somewhere under /var).<BR />It has to be owned by the sshd uid and only serves as a sandbox, i.e. no file space is needed (except what the inodes require).<BR />As said, it should say what to do in the README.<BR />Generally I think PS is a good idea, as it increases security and minimizes the vulnerability of the sshd. Tue, 12 Aug 2003 04:09:24 GMT Ralph Grothe 2003-08-12T04:09:24Z https://community.hpe.com/t5/operating-system-hp-ux/sshd-errors/m-p/3046844#M135606 Hi Folks!<BR /><BR />I installed OpenSSH via depot from <A href="http://hpux.cs.utah.edu/" target="_blank">http://hpux.cs.utah.edu/</A> along with all the other dependencies... I generated my keys and tried to start the daemon when I receive the following:<BR /><BR /># ./sshd<BR />Privilege separation user sshd does not exist<BR /># <BR /><BR />I'm not sure what the means or how to work around it... did I miss a step?<BR /><BR />Thanks!<BR /><BR />J.<BR /> Mon, 11 Aug 2003 23:56:32 GMT https://community.hpe.com/t5/operating-system-hp-ux/sshd-errors/m-p/3046844#M135606 Jeddel Yeras 2003-08-11T23:56:32Z https://community.hpe.com/t5/operating-system-hp-ux/sshd-errors/m-p/3046845#M135607 Your better off using the openssh offering from: <BR /><A href="http://www.software.hp.com/cgi-bin/swdepot_parser.cgi/cgi/displayProductInfo.pl?productNumber=T1471AA" target="_blank">http://www.software.hp.com/cgi-bin/swdepot_parser.cgi/cgi/displayProductInfo.pl?productNumber=T1471AA</A><BR /><BR />It will create the appropriate startup files as well. You can start them as /sbin/init.d/sshd.rc start. The authorized key file will need to be copied to the remote system, from the identity file on the server initiating the request. Tue, 12 Aug 2003 00:21:38 GMT https://community.hpe.com/t5/operating-system-hp-ux/sshd-errors/m-p/3046845#M135607 Michael Tully 2003-08-12T00:21:38Z https://community.hpe.com/t5/operating-system-hp-ux/sshd-errors/m-p/3046846#M135608 Hi,<BR /><BR />The error means you have enable privelege separation in sshd_config. To disable it edit sshd_config and modify this line.<BR /><BR />UsePrivilegeSeparation no<BR /><BR />save the file and start sshd again.<BR /><BR />regards,<BR /><BR />U.SivaKumar<BR /><BR /><BR /><BR /><BR /><BR /><BR /> Tue, 12 Aug 2003 03:49:01 GMT https://community.hpe.com/t5/operating-system-hp-ux/sshd-errors/m-p/3046846#M135608 U.SivaKumar_2 2003-08-12T03:49:01Z https://community.hpe.com/t5/operating-system-hp-ux/sshd-errors/m-p/3046847#M135609 I'm not sure if privilege separation (PS) is only a matter of unsetting it in the daemon's config file.<BR />If my memory serves me correctly (I also once stumbled over PS) it is already set during compile time through a certain configure switch that builds the appropiate makefile.<BR />Anyway, look for the README and INSTALL files that came with the package.<BR />There it should be outlined what needs to be done to enable PS.<BR />I think it was that you had to create a certain user under whose uid the sshd process runs, and which is very limited in its privileges (similar to nobody or www for a webserver).<BR />Then you will also have to create a certain directory for this sshd proc where it can cd into and chroot (usually somewhere under /var).<BR />It has to be owned by the sshd uid and only serves as a sandbox, i.e. no file space is needed (except what the inodes require).<BR />As said, it should say what to do in the README.<BR />Generally I think PS is a good idea, as it increases security and minimizes the vulnerability of the sshd. Tue, 12 Aug 2003 04:09:24 GMT https://community.hpe.com/t5/operating-system-hp-ux/sshd-errors/m-p/3046847#M135609 Ralph Grothe 2003-08-12T04:09:24Z https://community.hpe.com/t5/operating-system-hp-ux/sshd-errors/m-p/3046848#M135610 Thanks again, guys :)<BR /><BR />I installed HP's version of SSH and it works like a charm!<BR /><BR />I tried making the other changes suggested to the openssh configuration, but that still didn't work...<BR /><BR />J. Tue, 12 Aug 2003 11:49:53 GMT https://community.hpe.com/t5/operating-system-hp-ux/sshd-errors/m-p/3046848#M135610 Jeddel Yeras 2003-08-12T11:49:53Z https://community.hpe.com/t5/operating-system-hp-ux/sshd-errors/m-p/3046849#M135611 Hi J,<BR /><BR />All you had to do was to create a user account "sshd" and everything would have worked. I'm glad your up and running now though :)<BR /><BR />Interestingly I am always arguing in these forumns against simply installing the default version, and this proves the point nicely. Had you simply downloaded and installed from the depot, then you would never have been aware of this feature, or even of any possible security benefits.<BR /><BR />I apologise if I sound like a "smart-ass", but in security "complexity and ignorance" can be even greater enemies than hackers.<BR /> Wed, 13 Aug 2003 04:55:23 GMT https://community.hpe.com/t5/operating-system-hp-ux/sshd-errors/m-p/3046849#M135611 Andrew Cowan 2003-08-13T04:55:23Z