How OpenSSH implements privilege separation

5 points by rrampage


jcspencer

Recently, at $WORK, I worked on SSH Visibility via eBPF, and it’s great to see these docs updated for the new privsep model, which has split the daemon into separate binaries, rather than forking the same binary.

IMO this model is super elegant while quite simple to follow; and even the Windows SSH fork implements it (using some LSASS trickery with custom SID authorities, iirc).

As a side-note here, make sure any log filtering you have for syslog matching the app name sshd? also includes the sshd?(-(session|auth))? binaries! You may be unknowingly dropping logs after the binary split; you’d be surprised how many vendors have unknowingly started missing logs since this change!
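As an added illustration of that side note (my code, not from the thread or from OpenSSH), here is a small syslog program-name filter run over constructed log lines; it shows which records a pre-split `sshd`-only match silently drops once `sshd-session` and `sshd-auth` start logging. The parser, the sample lines and the anchored pattern are assumptions made for this example.

```python
import re
from typing import Optional

# Minimal BSD-syslog line parser (constructed for this example).
SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) "
    r"(?P<prog>[^\[:\s]+)(?:\[(?P<pid>\d+)\])?: "
    r"(?P<msg>.*)$"
)

# Pre-split filter: only the monolithic "sshd" program name matches.
OLD_FILTER = re.compile(r"^sshd$")
# Post-split filter: also accepts the sshd-session and sshd-auth binaries,
# anchored so that unrelated names merely starting with "sshd" stay excluded.
NEW_FILTER = re.compile(r"^sshd(?:-(?:session|auth))?$")

def parse_syslog(line: str) -> Optional[dict]:
    m = SYSLOG_RE.match(line)
    return m.groupdict() if m else None

def select_ssh_events(lines, prog_filter):
    """Return parsed records whose program name satisfies prog_filter."""
    kept = []
    for line in lines:
        rec = parse_syslog(line)
        if rec and prog_filter.match(rec["prog"]):
            kept.append(rec)
    return kept

# Constructed sample lines; message texts are illustrative, not captured output.
SAMPLE_LINES = [
    "Mar  1 10:00:00 bastion sshd[1234]: Server listening on 0.0.0.0 port 22.",
    "Mar  1 10:00:05 bastion sshd-auth[1240]: Failed password for invalid user admin from 192.0.2.10 port 51234 ssh2",
    "Mar  1 10:00:06 bastion sshd-session[1241]: Accepted publickey for alice from 192.0.2.11 port 51235 ssh2",
    "Mar  1 10:00:07 bastion sshdump[77]: unrelated program whose name merely starts with sshd",
    "Mar  1 10:00:08 bastion cron[900]: (root) CMD (run-parts /etc/cron.hourly)",
]

def dropped_after_split(lines=SAMPLE_LINES):
    """Program names the old filter drops but the new filter keeps."""
    old = {r["prog"] for r in select_ssh_events(lines, OLD_FILTER)}
    new = {r["prog"] for r in select_ssh_events(lines, NEW_FILTER)}
    return sorted(new - old)

if __name__ == "__main__":
    for rec in select_ssh_events(SAMPLE_LINES, NEW_FILTER):
        print(rec["prog"], rec["pid"], rec["msg"])
    print("dropped by the old filter:", dropped_after_split())
```

Running it against your own collector's pattern instead of `OLD_FILTER` is a quick way to confirm whether authentication failures from `sshd-auth` are still reaching your SIEM.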