OpenSSH 3.0 is in development snapshots and includes the privilege-separation feature I noted as the most important pending improvement.
What the change does
A traditional sshd runs as a single privileged process per connection. The process is started by root, accepts the network connection, parses the SSH protocol, authenticates the user, and provides the shell.
A bug anywhere in this code path gives the attacker root.
Privilege separation splits this into two processes:
- The privileged parent. Runs as root. Performs only the operations that genuinely require root.
- The unprivileged child. Runs as a dedicated sshd user. Performs the protocol parsing, packet decryption, all the protocol-state work and the validation of user-provided data.
The protocol-parsing code, where almost all the historical SSH vulnerabilities have been, now runs unprivileged. A bug there gives the attacker an unprivileged shell, not root.
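As an added illustration of the split described above (example code, not OpenSSH's own), a minimal C skeleton: the parent keeps root and answers a fixed set of requests over a socketpair, while the child drops to an unprivileged uid before it reads any input. The message format, the opcode names and the "uid=1000" answer are constructed for this example.

```c
#define _GNU_SOURCE
#include <grp.h>
#include <string.h>
#include <unistd.h>
#include <sys/socket.h>
#include <sys/wait.h>
/* Hypothetical monitor protocol (not OpenSSH's): fixed-size, opcode-tagged messages. */
enum { OP_NONE = 0, OP_GETPWNAME = 1 };
struct msg { unsigned int op, len; char data[64]; };
/* Privileged parent: treat the child as hostile and serve only the listed opcodes. */
int monitor_handle(const struct msg *in, struct msg *out) {
    memset(out, 0, sizeof *out);
    if (in->len > sizeof in->data) return -1;            /* length is never trusted */
    if (in->op != OP_GETPWNAME) return -1;               /* unknown request is refused */
    out->op = OP_GETPWNAME;                              /* constructed answer, no real lookup */
    out->len = 8; memcpy(out->data, "uid=1000", 8);
    return 0;
}

/* Unprivileged child: give up root before reading any network input, irreversibly. */
int drop_privileges(uid_t uid, gid_t gid) {
    if (geteuid() != 0) return 0;                        /* not root: nothing to drop */
    if (setgroups(0, NULL) == -1) return -1;             /* supplementary groups first */
    if (setgid(gid) == -1 || setuid(uid) == -1) return -1;
    return setuid(0) == 0 ? -1 : 0;                      /* regaining root must fail */
}

/* The split: the child reaches the parent only through a socketpair. Returns 0 served, 2 refused, 1 error. */
int privsep_run(uid_t uid, gid_t gid, unsigned int op) {
    int sv[2], status;
    struct msg req = {0}, resp = {0};
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) == -1) return 1;
    pid_t pid = fork();
    if (pid == -1) return 1;
    if (pid == 0) {                                      /* child: drop root, then talk */
        close(sv[0]);
        if (drop_privileges(uid, gid) == -1) _exit(1);
        req.op = op; req.len = 4; memcpy(req.data, "bob", 4);   /* constructed request */
        if (write(sv[1], &req, sizeof req) != (ssize_t)sizeof req) _exit(1);
        if (read(sv[1], &resp, sizeof resp) != (ssize_t)sizeof resp) _exit(1);
        _exit(resp.op == op ? 0 : 2);
    }
    close(sv[1]);                                        /* parent: the monitor */
    if (read(sv[0], &req, sizeof req) == (ssize_t)sizeof req) {
        monitor_handle(&req, &resp);                     /* on refusal resp.op stays OP_NONE */
        write(sv[0], &resp, sizeof resp);                /* if this fails the child's read fails */
    }
    close(sv[0]);
    return waitpid(pid, &status, 0) == pid && WIFEXITED(status) ? WEXITSTATUS(status) : 1;
}
```

Run as root the child really changes uid (65534 is an assumed unprivileged uid); run as an ordinary user there is nothing to drop and the IPC part still exercises the monitor's validation.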
Why this is the right architecture
The principle is least privilege. The parent has root because some operations need root; the child does not need root and so does not have it.
This is the architectural answer to memory-corruption bugs in network-facing daemons. It does not eliminate the bugs but dramatically reduces the consequences.
A shell as the sshd user, which is what an attacker would gain, is much less useful than a shell as root: no home directory, no login shell, no useful files, no kernel-module installation, and no access to other users' files.
The attacker still has to escalate from sshd to root to do anything serious. The escalation is not impossible, but it requires a separate exploit. The cumulative defence is meaningful.
Operational experience
I have been running the development snapshot on my home machines for two weeks.
Configuration is straightforward. A new directive, UsePrivilegeSeparation yes, enables the feature. An sshd user must exist; most distributions are adding this.
The performance difference is not measurable.
Compatibility is good. Existing client software works without modification.
The new model is stable. No connection failures in two weeks.
What this enables for the broader pattern
The privilege-separation pattern is not unique to SSH. It applies to any daemon that needs root for a small set of operations and runs untrusted-input-handling code for the rest. Natural targets:
- Sendmail, which has the same shape.
- BIND.
- Apache, which already drops to a non-root user but does not separate the protocol parsing from the privileged operations.
I expect the pattern to be adopted across the open-source security ecosystem over the next several years.
For my own infrastructure: I will deploy 3.0 to production once it stabilises. Probably mid-year.