On Wed, Apr 17, 2013 at 03:55:25PM +0800, f5b wrote:
> BTW,
> 1. The UsePrivilegeSeparation default in sshd_config and in the manual are currently not in sync.
> 2. Why ``yes'' and not 'yes' or "yes" in the manual?
>
> # less /etc/ssh/sshd_config | grep UseP
> UsePrivilegeSeparation sandbox # Default for new installations.
>
> # man sshd_config
> says: The default is ``yes''
Actually both are correct, although maybe it's not clear why.

The default setting in sshd (i.e., what is in effect if you don't set it in the config file) is "yes":

    $ sudo /usr/sbin/sshd -T -f /dev/null | grep useprivilegeseparation
    useprivilegeseparation yes

The value set in the config file from a new install, however, is indeed "sandbox". We do this for some settings where there's significant risk of breakage and we don't want to change the behaviour of existing installations, at least in the short term. This allows some time for any problems to get shaken out, particularly in older/upgraded systems that may be significantly different from a new install.

The other recent example of this was disabling the ssh1 protocol, where it was disabled in new installations for about 2.5 years before the default compiled into sshd was changed.

I would expect the compiled-in default for UsePrivilegeSeparation to change at some point down the track, at which point it will be commented out in sshd_config again.

-- 
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
    Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.
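The distinction Darren draws (compiled-in default versus what the installed sshd_config sets) applies to every keyword, not just UsePrivilegeSeparation. The script below is an added example, not from the thread or the OpenSSH project: it takes the two `sshd -T` dumps he describes and reports every keyword whose effective value differs from the compiled-in default, a quick way to audit what a distribution or an old upgraded config has changed. The function name `config_overrides` and the sample dumps are constructed for illustration.

```shell
#!/bin/sh
# Report sshd keywords whose effective value differs from the compiled-in
# default. On a real host feed it the two dumps from the reply above
# (both need root so sshd can read the host keys):
#   config_overrides "$(sudo /usr/sbin/sshd -T -f /dev/null)" \
#                    "$(sudo /usr/sbin/sshd -T)"
#
# $1: output of "sshd -T -f /dev/null" (compiled-in defaults, no config file)
# $2: output of "sshd -T" (effective values with the installed sshd_config)
# Prints one sorted line per differing keyword: "keyword default -> effective".
config_overrides() {
    {
        printf '%s\n' "$1" | sed 's/^/D /'   # tag compiled-default lines
        printf '%s\n' "$2" | sed 's/^/E /'   # tag effective-config lines
    } | awk '
        NF >= 2 {
            tag = $1; key = $2
            val = $0; sub(/^[^ ]+ [^ ]+ ?/, "", val)   # value may contain spaces
            if (tag == "D") def[key] = val; else eff[key] = val
            keys[key] = 1
        }
        END {
            for (k in keys) {
                d = (k in def) ? def[k] : "(absent)"
                e = (k in eff) ? eff[k] : "(absent)"
                if (d != e) printf "%s %s -> %s\n", k, d, e
            }
        }' | sort
}

# Constructed sample dumps (not a real host's output): values chosen to show
# the two cases from the reply, a keyword the new-install config overrides
# (UsePrivilegeSeparation) and a protocol-style change, next to keywords
# that match the compiled-in default and so are not reported.
SAMPLE_COMPILED='useprivilegeseparation yes
protocol 2,1
permitrootlogin yes
authorizedkeysfile .ssh/authorized_keys .ssh/authorized_keys2'
SAMPLE_EFFECTIVE='useprivilegeseparation sandbox
protocol 2
permitrootlogin yes
authorizedkeysfile .ssh/authorized_keys .ssh/authorized_keys2'

config_overrides "$SAMPLE_COMPILED" "$SAMPLE_EFFECTIVE"
```

Keywords present in only one dump are shown as "(absent)" on the other side, which is what you see when an sshd build changes its set of supported options.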