SUMMARY: OpenSsh 3.4 and privelege separation question

I asked:

> As a result of yesterday's CERT announcement, I have downloaded,
> compiled, and installed OpenSsh version 3.4p1 on my Ultra 10 (running
> Solaris 8) testbed.  However, to get it running I had to add two things
> which make a lot of sense, but I have not seen any documentation on what
> permissions are needed.
> 
> Initally, the new sshd did not start up because I hadn't created the
> sshd Privelege Separation user.  So I did.  However, I have not been
> able to find any indication of how that account is to be configured.  I
> created it with * for a password and /bin/false for a shell, but is
> there anything else that needs to be done?
> 
> Next, the new sshd did not start up because I had not created the
> /var/empty chroot jail directory.  So I did.  However, I was again
> unable to find any documentation on the ownership, permissions, etc on
> this directory.  I just created it owned by root, mode 0755.  OpenSsh
> 3.4p1 now appears to work.
> 
> So my question is:  what permissions are needed for the sshd account,
> and what ownership, permissions, etc are needed for the /var/empty
> directory?

The answer:

Although there is no reference to it in the README file, there is a new
README file with version 3.4.  README.privsep has the info I needed.  Now
if only that file was referenced in the INSTALL or main README file.  oh
well.

Thanks To:


Davorin Bengez <dbengez@xxxxxxxxxxxxxxx>

<john65@xxxxxxxxx>
Vincent <vb@xxxxxxxxxxxx>
Peter Evans <peter@xxxxxx>
Michael Hocke <mh103@xxxxxxx>
Tim Evans <tkevans@xxxxxxxxxxx>
Ramji Venkateswaran <rv@xxxxxxxx>
David Foster <foster@xxxxxxxxxxxx>
"Pardy, Brian" <BPardy@xxxxxxxxxxx>
"Thomas W. Holt Jr." <twh@xxxxxxxxxxxx>
Ben Lindstrom <mouring@xxxxxxxxxxxxxxxxxx>
"Olson, John C" <John.Olson@xxxxxxxxxxxxxxxx>

+-----------------------------------------------------------------------+
| Christopher L. Barnard         O     When I was a boy I was told that |
| cbarnard@xxxxxxxxxxxx         / \    anybody could become president.  |
| (312) 347-4901               O---O   Now I'm beginning to believe it. |
| http://www.cs.uchicago.edu/~cbarnard                --Clarence Darrow |
+----------PGP public key available via finger or PGP keyserver---------+