MRKAVANA (mrkavana@gmail.com) - www.facebook.com/kavanathai
Showing posts with label ssh. Show all posts

Aug 25, 2011

Starting sshd: Missing privilege separation directory: /var/empty/sshd


When the SSHD service restarts, its init script expects the “/var/empty/sshd/etc” directory to exist and to contain a symlink to the ‘localtime’ file (/var/empty/sshd is the directory sshd chroots its unprivileged pre-authentication child into, which is why it is required). If the directory is missing, the copy fails with “cannot create symbolic link `/var/empty/sshd/etc': No such file or directory” and sshd refuses to start.
The complete error message looks as follows:
-bash-3.2# service sshd restart
cp: cannot create symbolic link `/var/empty/sshd/etc': No such file or directory
Starting sshd: Missing privilege separation directory: /var/empty/sshd
[FAILED]
The fix is to create the “/var/empty/sshd/etc” directory and then the localtime symlink inside it. Log in to the server as root and run:
# mkdir /var/empty/sshd/etc
# cd /var/empty/sshd/etc
# ln -s /etc/localtime localtime
Once done, you should be able to restart the sshd service.
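The same repair as a small POSIX shell script, added here as an example and not part of the original post. Beyond the three commands above it also checks that the directory is not group- or world-writable, since sshd refuses a chroot directory with loose permissions, and it is safe to re-run. PRIVSEP_ROOT is an assumed variable name so the script can be tried against a scratch directory; the real path is /var/empty/sshd. It assumes GNU coreutils (stat -c).

```sh
#!/bin/sh
# Added example, not from the original post. Checks and repairs the directory
# sshd uses as the chroot for its unprivileged child. Default path is the one
# from the post; PRIVSEP_ROOT (assumed name) overrides it for testing.
set -u
PRIVSEP_ROOT=${PRIVSEP_ROOT:-/var/empty/sshd}

# Is the directory usable as sshd's chroot? It must exist and must not be
# writable by group or others (sshd rejects a group/world-writable chroot).
# Returns 0 if usable, 1 otherwise, printing the reason. Uses GNU stat.
check_privsep_dir() {
  dir=$1
  if [ ! -d "$dir" ]; then
    echo "missing: $dir"
    return 1
  fi
  mode=$(stat -c '%a' "$dir")
  mode=${mode#"${mode%???}"}   # keep the last three digits: user/group/other
  case "$mode" in
    ?[2367]?|??[2367])
      echo "unsafe: $dir is group- or world-writable (mode $mode)"
      return 1 ;;
  esac
  echo "ok: $dir"
  return 0
}

# Recreate what the init script expects: the directory, its etc/ subdirectory
# and the localtime symlink. Safe to re-run; existing pieces are left alone.
repair_privsep_dir() {
  dir=$1
  mkdir -p "$dir/etc"
  chmod 711 "$dir"       # root may enter; nobody else needs to list it
  chmod 755 "$dir/etc"
  # sshd also requires root ownership; only root can set that, so do it when possible.
  if [ "$(id -u)" -eq 0 ]; then
    chown root:root "$dir" "$dir/etc"
  fi
  if [ ! -L "$dir/etc/localtime" ] && [ ! -e "$dir/etc/localtime" ]; then
    # the chrooted child reads this to stamp log lines in local time
    ln -s /etc/localtime "$dir/etc/localtime"
  fi
}

# As root: check first, repair only if needed, then check again.
main() {
  check_privsep_dir "$PRIVSEP_ROOT" && return 0
  repair_privsep_dir "$PRIVSEP_ROOT"
  check_privsep_dir "$PRIVSEP_ROOT"
}

# Only act when invoked as: sh privsep-dir.sh --fix   (assumed flag name)
case "${1:-}" in
  --fix) main ;;
esac
```

After the script reports ok, restart sshd as in the post; if it still fails, the next message from the init script tells you which of the remaining privilege separation requirements (user, ownership) is unmet.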

Starting sshd: Privilege separation user does not exist


The error message “Starting sshd: Privilege separation user sshd does not exist FAILED” appears when restarting the SSHD service. It means the ‘sshd’ account, which sshd needs for privilege separation, is missing from the server. To fix it, add the ‘sshd’ user and group.
Edit /etc/passwd and add the line below:
sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin
and add the line below to /etc/group:
sshd:x:74:
You will now be able to restart the sshd service.
# /etc/init.d/sshd restart
Stopping sshd: [ OK ]
Starting sshd: [ OK ]
Another solution is to disable UsePrivilegeSeparation. Edit the sshd configuration file at /etc/ssh/sshd_config and change
UsePrivilegeSeparation yes
to
UsePrivilegeSeparation no
This works, but it is less secure, since all of sshd then runs as root rather than only the parts that need to; treat it as a fallback rather than a fix.
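A check for the privilege separation account, added here as an example and not part of the original post. Instead of editing /etc/passwd by hand it verifies the four things the init script and sshd care about (user exists, its primary group exists, home is the privilege separation directory, shell is a non-login shell) and prints the groupadd/useradd commands that create the account consistently across passwd, shadow and group. The passwd and group file paths are parameters so the check can run against constructed copies; the uid/gid 74 and the gecos string are the values from the post.

```sh
#!/bin/sh
# Added example, not from the original post. Verifies the sshd account needed
# for privilege separation and prints the commands that would create it.

# Print the sshd entry from a passwd-format file; return 1 if there is none.
privsep_passwd_entry() {
  awk -F: '$1 == "sshd" { print; found = 1; exit } END { exit !found }' "$1"
}

# $1 = passwd file, $2 = group file. Returns 0 when the account is usable.
check_privsep_user() {
  passwd=$1; group=$2
  entry=$(privsep_passwd_entry "$passwd") || {
    echo "FAIL: no sshd user in $passwd"; return 1; }
  uid=$(printf '%s\n' "$entry" | cut -d: -f3)
  gid=$(printf '%s\n' "$entry" | cut -d: -f4)
  home=$(printf '%s\n' "$entry" | cut -d: -f6)
  shell=$(printf '%s\n' "$entry" | cut -d: -f7)
  # The primary group must resolve, or sshd cannot drop privileges to it.
  awk -F: -v gid="$gid" '$3 == gid { ok = 1 } END { exit !ok }' "$group" || {
    echo "FAIL: gid $gid of sshd has no entry in $group"; return 1; }
  # Home should be the chroot directory from the previous post.
  if [ "$home" != /var/empty/sshd ]; then
    echo "FAIL: sshd home is $home, expected /var/empty/sshd"; return 1
  fi
  # The account must never be usable for an interactive login.
  case "$shell" in
    */nologin|*/false) ;;
    *) echo "FAIL: sshd has an interactive shell ($shell)"; return 1 ;;
  esac
  echo "ok: sshd uid $uid gid $gid home $home shell $shell"
}

# Print the commands to create the account (run them as root). groupadd/useradd
# keep passwd, shadow and group consistent, which a manual edit does not.
privsep_user_create_cmds() {
  echo 'groupadd -r -g 74 sshd'
  echo 'useradd -r -u 74 -g 74 -d /var/empty/sshd -s /sbin/nologin -c "Privilege-separated SSH" sshd'
}

# Usage: sh privsep-user.sh [passwd-file] [group-file]; defaults to the system files.
case "${1:-}" in
  "") ;;   # no arguments: only define the functions (used by the tests)
  *)  check_privsep_user "$1" "${2:-/etc/group}" || privsep_user_create_cmds ;;
esac
```

If the check fails on a live system, run the two printed commands as root and then restart sshd as shown above.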


How to secure the SSHD service?


The SSH service can be secured in several ways: changing the SSH port, allowing only protocol version 2, binding sshd to a specific ListenAddress, disabling root login with the PermitRootLogin parameter, allowing SSH access only to specific users, and restricting SSH access to specific IPs. Together these steps make the SSH service on your server considerably harder to attack.
Edit the SSHD configuration and make the changes listed below:
vi /etc/ssh/sshd_config
1) Move SSH off the default port 22 to a higher port by changing the ‘Port’ directive, for example
Port 2233
2) To allow only the secure SSH protocol version 2, set the ‘Protocol’ directive to
Protocol 2
3) Bind the SSHD service to a specific IP of the server by uncommenting the ‘#ListenAddress’ directive and setting it to
ListenAddress xx.xx.xx.xx
where xx.xx.xx.xx is the server's additional IP; it becomes the only address on which you can SSH into the server.
4) To disable root access, set ‘PermitRootLogin’ directive to ‘no’
PermitRootLogin no
Before disabling this option, make sure you have added an alternate SSH user on the server who has the privileges to gain root access (via su or sudo); otherwise you lock yourself out of administration.
5) To allow SSH access to specific users, add the “AllowUsers” directive at the end of the configuration
AllowUsers user1 user2
This allows SSH access only to the users user1 and user2; every other account is refused. If root access is disabled, the user who is allowed to gain root access must be on this list.
Save the file and restart the sshd service
service sshd restart
6) Using TCP wrappers (hosts.allow and hosts.deny) you can restrict SSH access to specific IPs. Edit /etc/hosts.allow and add the following:
sshd : yourlocalip: allow
sshd : all : deny
Replace “yourlocalip” with the public IP assigned to you by your ISP; SSH access is then restricted to that address only. Rules are evaluated in order, so the allow line must come before the deny line, and this only takes effect when sshd was built with TCP wrapper (libwrap) support, as the Red Hat family packages are.
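An audit script for steps 1 to 5, added here as an example and not part of the original post. It reads sshd_config the way sshd itself does, which matters for the advice to append AllowUsers at the end: sshd uses the first active occurrence of a keyword, ignores comment lines, treats keywords case-insensitively, and settings inside a Match block apply only conditionally. The script reports each directive against the values recommended above, and sshd_set edits a directive so that it really becomes the effective value. The function names, the sample config and the address 192.0.2.10 are constructed for this example.

```sh
#!/bin/sh
# Added example, not from the original post. Audits an sshd_config against the
# hardening steps above, reading it as sshd does: first active occurrence of a
# keyword wins, comments are skipped, keywords are case-insensitive, and the
# global section ends at the first Match block.

# Print the effective global value of a keyword, or nothing if it is unset.
sshd_effective() {
  awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
    /^[[:space:]]*#/ { next }                    # comment line
    tolower($1) == "match" { exit }              # global section ends here
    NF >= 2 && tolower($1) == key {              # first match wins
      sub(/^[[:space:]]*[^[:space:]]+[[:space:]]+/, "")   # drop the keyword
      print
      exit
    }' "$1"
}

# Set a keyword: replace the first active occurrence, otherwise insert it before
# the first Match block (or append) so that it is actually the effective value.
sshd_set() {
  cfg=$1 key=$2 value=$3
  tmp=$(mktemp)
  awk -v key="$(printf '%s' "$key" | tr 'A-Z' 'a-z')" -v line="$key $value" '
    !seen && !/^[[:space:]]*#/ && NF >= 2 && tolower($1) == key { print line; seen = 1; next }
    !seen && !/^[[:space:]]*#/ && tolower($1) == "match" { print line; seen = 1 }
    { print }
    END { if (!seen) print line }' "$cfg" > "$tmp"
  cat "$tmp" > "$cfg"       # keep the original file's owner and mode
  rm -f "$tmp"
}

# Audit the five directives from steps 1-5. One line per check; returns the
# number of failed checks (0 means all pass).
sshd_audit() {
  cfg=$1
  fails=0
  port=$(sshd_effective "$cfg" Port)
  if [ -z "$port" ] || [ "$port" = 22 ]; then
    echo "FAIL Port: default 22"; fails=$((fails + 1))
  else
    echo "ok   Port $port"
  fi
  proto=$(sshd_effective "$cfg" Protocol)
  if [ "$proto" = 2 ]; then
    echo "ok   Protocol 2"
  else
    echo "FAIL Protocol: '${proto:-unset}' (want exactly 2)"; fails=$((fails + 1))
  fi
  listen=$(sshd_effective "$cfg" ListenAddress)
  if [ -n "$listen" ] && [ "$listen" != 0.0.0.0 ]; then
    echo "ok   ListenAddress $listen"
  else
    echo "FAIL ListenAddress: listening on all addresses"; fails=$((fails + 1))
  fi
  root=$(sshd_effective "$cfg" PermitRootLogin)
  if [ "$root" = no ]; then
    echo "ok   PermitRootLogin no"
  else
    echo "FAIL PermitRootLogin: '${root:-unset}'"; fails=$((fails + 1))
  fi
  users=$(sshd_effective "$cfg" AllowUsers)
  if [ -n "$users" ]; then
    echo "ok   AllowUsers $users"
  else
    echo "FAIL AllowUsers: unset, every account may log in"; fails=$((fails + 1))
  fi
  return "$fails"
}

# Constructed sample (not a real server's file) showing the weak defaults and a
# Match block, whose PermitRootLogin must not count as the global value.
sample_weak_config() {
  cat <<'EOF'
# constructed sshd_config sample
#Port 22
Protocol 2,1
#ListenAddress 0.0.0.0
PermitRootLogin yes
Match Address 192.0.2.0/24
    PermitRootLogin no
EOF
}

# Usage: sh sshd-audit.sh /etc/ssh/sshd_config
case "${1:-}" in
  "") ;;                # no argument: only define the functions (used by the tests)
  *)  sshd_audit "$1" ;;
esac
```

After changing the file, run sshd -t to syntax-check it before service sshd restart; a typo in sshd_config otherwise leaves you without a listening daemon. Note the audit reports the commented “#ListenAddress 0.0.0.0” as a failure, because a commented directive has no effect and sshd then listens on every address.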