BTW,
1. The UsePrivilegeSeparation default in sshd_config and the manual are not in sync in current.
2. Why ``yes'', and not 'yes' or "yes", in the manual?



# less /etc/ssh/sshd_config | grep UseP
UsePrivilegeSeparation sandbox          # Default for new installations.

# man sshd_config
says the default is ``yes'':

UsePrivilegeSeparation
             Specifies whether sshd(8) separates privileges by creating an
             unprivileged child process to deal with incoming network traffic.
             After successful authentication, another process will be created
             that has the privilege of the authenticated user.  The goal of
             privilege separation is to prevent privilege escalation by
             containing any corruption within the unprivileged processes.  The
             default is ``yes''.  If UsePrivilegeSeparation is set to
             ``sandbox'' then the pre-authentication unprivileged process is
             subject to additional restrictions.
