登录前:
$ps -elf | grep sshd 5 S root 26135 1 0 80 0 - 13115 ? 17:26 ? 00:00:00 /usr/sbin/sshd 0 S test 26480 21337 0 80 0 - 4154 - 18:41 pts/27 00:00:00 grep --colour=auto sshd
登录后:
$ps -elf | grep sshd 5 S root 26135 1 0 80 0 - 13115 ? 17:26 ? 00:00:00 /usr/sbin/sshd 4 S root 26577 26135 0 80 0 - 24204 ? 18:42 ? 00:00:00 sshd: test [priv] 5 S test 26582 26577 0 80 0 - 24204 ? 18:42 ? 00:00:00 sshd: test@pts/30 0 S test 26653 21337 0 80 0 - 4155 - 18:42 pts/27 00:00:00 grep --colour=auto sshd
这两个过程是什么?
4 S root 26577 26135 0 80 0 - 24204 ? 18:42 ? 00:00:00 sshd: test [priv] 5 S test 26582 26577 0 80 0 - 24204 ? 18:42 ? 00:00:00 sshd: test@pts/30
谢谢,
解决方法
权限分离 – 一个保留root权限以执行只有root可以执行的操作的进程,以及另一个执行其他操作的进程.
在询问此问题时,权限分离由sshd_config中的选项控制,sshd_config手册页解释了它的用途.权限分离在version 7.5中成为强制性的,因此该选项及其文档已消失.如果存在任何此类文档,我不知道在哪里可以找到特权分离功能的规范文档.
删除前的手册页项的最后一个版本说:
UsePrivilegeSeparation
Specifies whether sshd(8) separates privileges by creating an
unprivileged child process to deal with incoming network traffic.
After successful authentication,another process will be created
that has the privilege of the authenticated user. The goal of
privilege separation is to prevent privilege escalation by con-
taining any corruption within the unprivileged processes. The
argument must be yes,no,or sandBox. If UsePrivilegeSeparation
is set to sandBox then the pre-authentication unprivileged
process is subject to additional restrictions. The default is
sandBox.
