
sshd errors

 
Jeddel Yeras
Advisor

sshd errors

Hi Folks!

I installed OpenSSH via depot from http://hpux.cs.utah.edu/ along with all the other dependencies... I generated my keys and tried to start the daemon when I receive the following:

# ./sshd
Privilege separation user sshd does not exist
#

I'm not sure what that means or how to work around it... did I miss a step?

Thanks!

J.
Michael Tully
Honored Contributor
Solution

Re: sshd errors

You're better off using the openssh offering from:
http://www.software.hp.com/cgi-bin/swdepot_parser.cgi/cgi/displayProductInfo.pl?productNumber=T1471AA

It will create the appropriate startup files as well. You can start them as /sbin/init.d/sshd.rc start. The authorized key file will need to be copied to the remote system, from the identity file on the server initiating the request.
Anyone for a Mutiny ?
U.SivaKumar_2
Honored Contributor

Re: sshd errors

Hi,

The error means you have enabled privilege separation in sshd_config. To disable it, edit sshd_config and modify this line.

UsePrivilegeSeparation no

save the file and start sshd again.

regards,

U.SivaKumar
Innovations are made when conventions are broken
Ralph Grothe
Honored Contributor

Re: sshd errors

I'm not sure if privilege separation (PS) is only a matter of unsetting it in the daemon's config file.
If my memory serves me correctly (I also once stumbled over PS) it is already set during compile time through a certain configure switch that builds the appropriate makefile.
Anyway, look for the README and INSTALL files that came with the package.
There it should be outlined what needs to be done to enable PS.
I think it was that you had to create a certain user under whose uid the sshd process runs, and which is very limited in its privileges (similar to nobody or www for a webserver).
Then you will also have to create a certain directory for this sshd proc where it can cd into and chroot (usually somewhere under /var).
It has to be owned by the sshd uid and only serves as a sandbox, i.e. no file space is needed (except what the inodes require).
As said, it should say what to do in the README.
Generally I think PS is a good idea, as it increases security and minimizes the vulnerability of the sshd.
Madness, thy name is system administration
Jeddel Yeras
Advisor

Re: sshd errors

Thanks again, guys :)

I installed HP's version of SSH and it works like a charm!

I tried making the other changes suggested to the openssh configuration, but that still didn't work...

J.
Andrew Cowan
Honored Contributor

Re: sshd errors

Hi J,

All you had to do was to create a user account "sshd" and everything would have worked. I'm glad you're up and running now though :)

Interestingly I am always arguing in these forums against simply installing the default version, and this proves the point nicely. Had you simply downloaded and installed from the depot, then you would never have been aware of this feature, or even of any possible security benefits.

I apologise if I sound like a "smart-ass", but in security "complexity and ignorance" can be even greater enemies than hackers.
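
The prerequisites discussed in this thread (an "sshd" account and a restricted chroot directory) can be checked before starting the daemon. The script below is an added example, not code from any poster or from OpenSSH; it follows upstream OpenSSH's README.privsep, which asks for an empty directory owned by root and not group- or world-writable. The /var/empty path, the local passwd file lookup and the function names are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): verify what sshd needs for privilege
# separation. Defaults follow upstream OpenSSH's README.privsep; the chroot
# path is fixed at build time, so /var/empty is an assumption for your build.

# privsep_user_ok PASSWD_FILE [USER]: succeed if USER has a passwd entry.
privsep_user_ok() {
    awk -F: -v u="${2:-sshd}" '$1 == u { found = 1 } END { exit !found }' "$1"
}

# privsep_dir_ok DIR [OWNER_UID]: succeed if DIR is an empty directory owned
# by OWNER_UID (default 0, root) and not group- or world-writable.
privsep_dir_ok() {
    dir=$1 want_uid=${2:-0} rc=0
    [ -d "$dir" ] || { echo "FAIL: $dir is not a directory"; return 1; }
    # ls -ldn gives the mode string and numeric owner portably; stat(1) varies.
    info=$(ls -ldn "$dir" | awk '{ print $1, $3 }')
    mode=${info% *} uid=${info#* }
    [ "$uid" = "$want_uid" ] || { echo "FAIL: $dir owned by uid $uid, want $want_uid"; rc=1; }
    case $mode in
        ?????w*) echo "FAIL: $dir is group-writable ($mode)"; rc=1 ;;
    esac
    case $mode in
        ????????w*) echo "FAIL: $dir is world-writable ($mode)"; rc=1 ;;
    esac
    [ -z "$(ls -A "$dir")" ] || { echo "FAIL: $dir is not empty"; rc=1; }
    return $rc
}

# check_privsep PASSWD_FILE DIR [OWNER_UID]: run both checks, report every problem.
check_privsep() {
    bad=0
    privsep_user_ok "$1" sshd || { echo "FAIL: no 'sshd' user in $1"; bad=1; }
    privsep_dir_ok "$2" "${3:-0}" || bad=1
    [ "$bad" -eq 0 ] && echo "OK: privilege separation prerequisites present"
    return $bad
}

# Run against the live system only when asked: sh privsep_check.sh --run
if [ "${1:-}" = "--run" ]; then
    check_privsep /etc/passwd /var/empty
fi
```

The passwd check reads only the local file, so an sshd account served from NIS or LDAP would need a different lookup.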