UsePrivilegeSeparation=yes/sandbox and sshd

  • Hi All,

    Just wondering if/why UsePrivilegeSeparation=no is set? versus =yes?

    Could we not have the sshd user? e.g. "sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin"

    My reasoning is to get rid of the error "ex protocol error: type 7 seq ######" when scp'ing to the libreelec.

    Also I guess if ssh is updated from 7.3 in LibreElec 8.2 to openssh7.6 in 9.0 - then we will need to update UsePrivilegeSeparation=sandbox

    Thanks

    • Official Post

    UsePrivilegeSeparation=yes makes sense in a conventional distro where you have multiple users and it is desirable to limit the code that runs with root privileges. In LE everything already runs as root, so setting it achieves nothing.

    If you want to experiment you set additional boot time args in /storage/.cache/services/sshd.conf, e.g. include an option to use an alternate config file /etc/sshd_config .. from fuzzy memory it's "-F /path/to/file" ??