brent timothy saner via plug on 17 Jun 2020 08:18:16 -0700



Re: [PLUG] sshd as regular user


On 6/17/20 10:28, brent saner wrote:
> UsePrivilegeSeparation was removed as a directive in later releases (7.5
> onwards) and is now enabled in-code. So yes, "no-worky", as it requires
> root permissions.
> 
> https://www.openssh.com/txt/release-7.5
> 

I actually managed to get this working in 8.3 (7.6 introduced a
bugfix[0]). However, the caveats are:

- it requires a configuration with some basic security features disabled
- it requires pubkey auth (because it can't read /etc/shadow if run by
non-root) or UsePAM yes
-- both of which will still only let you auth as the user it's running,
it seems
- you will need to run on a non-privileged port unless further
capabilities are granted
- you will need to generate hostkeys (or use your existing system's
ones, but don't do that)
- PermitRootLogin must be set to no (I mean, it'll start fine if it's
yes or without-password etc., but you won't be able to auth as root so
there's no point)
- ALL files (sshd_config, hostkeys, authorized keys) must be owned as
the user sshd is running as

etc.


working sshd_config (commented lines stripped):

##############################################
Port 2022
HostKey /var/tmp/ssh/ssh_host_ed25519_key
StrictModes no
AuthorizedKeysFile	/var/tmp/ssh/authkeys
UsePAM yes
PidFile /var/run/sshdtest.pid
##############################################


Earlier versions (7.5p1 to <8.3p1) not tested. I suspect it should work
7.6p1 onwards, but if you're using a non-rolling-release distro and they
happen to be using the 7.5 branch (e.g. CentOS 7.x), you're SOL.




[0] https://www.openssh.com/txt/release-7.6
 * sshd(8): when started without root privileges, don't require the
   privilege separation user or path to exist. Makes running the
   regression tests easier without touching the filesystem.

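Added example, not part of the list post or of OpenSSH: a POSIX shell pre-flight check that encodes the caveats above (unprivileged port, PermitRootLogin no, UsePAM yes or pubkey auth, every file owned by the invoking user) before a non-root sshd is started. The function names, the check set and the sample path /var/tmp/ssh/sshd_config are my own assumptions.

```shell
#!/bin/sh
# Pre-flight checks for an sshd_config intended to be run by a non-root user.
# Added example; the function names and the check set are assumptions, not
# anything OpenSSH ships. It encodes the caveats from the post: unprivileged
# port (unless capabilities are granted), PermitRootLogin no, UsePAM yes or
# pubkey auth (no /etc/shadow access), and config/hostkeys/authorized-keys
# files owned by the invoking user.
# Usage: preflight_user_sshd /var/tmp/ssh/sshd_config   (exit 0 = looks runnable)

# conf_val FILE KEY: print the last value given for KEY (keys are case-insensitive)
conf_val() {
    awk -v k="$2" 'tolower($1) == tolower(k) { v = $2 } END { print v }' "$1"
}

# owned_by_me PATH: true if PATH exists and is owned by the current user
owned_by_me() {
    [ -e "$1" ] && [ -n "$(find "$1" -prune -user "$(id -un)" 2>/dev/null)" ]
}

preflight_user_sshd() {
    cfg=$1; rc=0
    owned_by_me "$cfg" || { echo "FAIL: $cfg missing or not owned by $(id -un)"; return 1; }

    # sshd listens on 22 when Port is absent; a non-root process cannot bind it
    port=$(conf_val "$cfg" Port); [ -n "$port" ] || port=22
    [ "$port" -ge 1024 ] || { echo "FAIL: Port $port needs root or CAP_NET_BIND_SERVICE"; rc=1; }

    # root logins cannot succeed anyway; the post requires an explicit "no"
    prl=$(conf_val "$cfg" PermitRootLogin); [ -n "$prl" ] || prl="unset"
    [ "$prl" = no ] || { echo "FAIL: PermitRootLogin must be no (is: $prl)"; rc=1; }

    # password auth needs /etc/shadow, so require UsePAM yes or leave pubkey on
    pam=$(conf_val "$cfg" UsePAM); pub=$(conf_val "$cfg" PubkeyAuthentication)
    if [ "$pam" != yes ] && [ "$pub" = no ]; then
        echo "FAIL: need UsePAM yes or PubkeyAuthentication yes"; rc=1
    fi

    # every HostKey and AuthorizedKeysFile path must be ours; only absolute
    # paths are checked (%h-style tokens and home-relative paths are per user)
    for f in $(awk 'tolower($1) == "hostkey" || tolower($1) == "authorizedkeysfile" {
                      for (i = 2; i <= NF; i++) print $i }' "$cfg"); do
        case $f in /*) ;; *) continue ;; esac
        owned_by_me "$f" || { echo "FAIL: $f missing or not owned by $(id -un)"; rc=1; }
    done
    return $rc
}
```

Follow it with `sshd -t -f /var/tmp/ssh/sshd_config` so sshd itself parses the file; the script deliberately starts nothing.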

___________________________________________________________________________
Philadelphia Linux Users Group         --        http://www.phillylinux.org
Announcements - http://lists.phillylinux.org/mailman/listinfo/plug-announce
General Discussion  --   http://lists.phillylinux.org/mailman/listinfo/plug