Rich Freeman via plug on 17 Jun 2020 13:29:19 -0700



Re: [PLUG] sshd as regular user


On Wed, Jun 17, 2020 at 11:18 AM brent timothy saner via plug
<plug@lists.phillylinux.org> wrote:
>
> I actually managed to get this working in 8.3 (7.6 introduced a
> bugfix[0]). However, the caveats are:
>
> - it requires a configuration with some basic security features disabled

How many of those features are relevant given that it isn't running as
root in the first place?  sshd is security-sensitive because it is a
daemon that must run as root to login as any user, and it listens on a
publicly-accessible port.

When you don't run it as root you're already cutting off a ton of
attacks.  Granted, an exploit could still put at risk anything
accessible by the user it is running as.

I'm sure there are some pros and cons to both approaches.

> - it requires pubkey auth (because it can't read /etc/shadow if run by
> non-root) or UsePAM yes
> -- both of which will still only let you auth as the user it's running
> as, it seems
> - you will need to run on a non-privileged port unless further
> capabilities are granted
> - you will need to generate hostkeys (or use your existing system's
> ones, but don't do that)
> - PermitRootLogin must be set to no (I mean, it'll start fine if it's
> yes or without-password etc., but you won't be able to auth as root so
> there's no point)
> - ALL files (sshd_config, hostkeys, authorized keys) must be owned as
> the user sshd is running as

Well, sure, that seems obvious.  The reason stuff like sshd, su, suid,
getty, and so on have to run as root is that they need to be able to
chuid to any user on the system if authentication is successful.  If
you don't run it as root then it is just a regular userspace program
that can never leave the confines of the user it is running as.

-- 
Rich
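The caveats quoted above (non-privileged port, pubkey-only auth, own host keys, PermitRootLogin no, files owned by the daemon's user), turned into a per-user sshd_config plus a lint check. This is an added example, not code from the thread; the directory under ~/.local, port 2222 and the ed25519 key file name are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): write a per-user sshd_config that
# follows the caveats quoted above, then lint it. The directory, port
# (2222) and key file name are assumptions.

# write_user_sshd_config DIR PORT: config that authenticates only the
# invoking user, by public key, with host keys owned by that user.
write_user_sshd_config() {
    dir=$1; port=$2
    mkdir -p "$dir" && chmod 700 "$dir"
    cat > "$dir/sshd_config" <<EOF
# Non-privileged port: no capability to bind below 1024
Port $port
ListenAddress 127.0.0.1
# Host key generated for this instance, not the system's /etc/ssh one
HostKey $dir/ssh_host_ed25519_key
# Only public keys work: /etc/shadow is unreadable without root
PubkeyAuthentication yes
PasswordAuthentication no
KbdInteractiveAuthentication no
UsePAM no
PermitRootLogin no
# Only the daemon's own user can be authenticated; say so explicitly
AllowUsers $(id -un)
AuthorizedKeysFile $dir/authorized_keys
PidFile $dir/sshd.pid
EOF
    chmod 600 "$dir/sshd_config"
}

# lint_user_sshd_config DIR: 0 if the config meets the caveats, 1 otherwise.
lint_user_sshd_config() {
    cfg=$1/sshd_config
    [ -O "$cfg" ] || { echo "config must be owned by the sshd user"; return 1; }
    grep -qx 'PermitRootLogin no' "$cfg" || { echo "PermitRootLogin must be no"; return 1; }
    grep -qx 'PasswordAuthentication no' "$cfg" || { echo "passwords need /etc/shadow"; return 1; }
    port=$(awk '$1 == "Port" { print $2 }' "$cfg")
    [ "${port:-0}" -ge 1024 ] || { echo "port below 1024 needs extra capabilities"; return 1; }
}

# Run directly as "sh this.sh run": build, generate a host key and test the config.
if [ "${1:-}" = "run" ]; then
    d=${HOME}/.local/sshd-user
    write_user_sshd_config "$d" 2222
    lint_user_sshd_config "$d"
    [ -f "$d/ssh_host_ed25519_key" ] || ssh-keygen -q -t ed25519 -N '' -f "$d/ssh_host_ed25519_key"
    SSHD=$(command -v sshd || echo /usr/sbin/sshd)
    [ -x "$SSHD" ] && "$SSHD" -t -f "$d/sshd_config" && echo "sshd_config OK"
fi
```

After `sshd -t` passes, the daemon is started with the same `-f` path and can only ever log you in as the user that owns those files.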
___________________________________________________________________________
Philadelphia Linux Users Group         --        http://www.phillylinux.org
Announcements - http://lists.phillylinux.org/mailman/listinfo/plug-announce
General Discussion  --   http://lists.phillylinux.org/mailman/listinfo/plug