Mailing List Archive

non-root SSHD
Does OpenSSH allow unprivileged SSH daemon? I experimented with privilege separation but it requires one process running with elevated privileges and another process that could then run with user privileges. However, I could not find a way for a single daemon running unprivileged, so I am reaching out to the community hoping for some guidance.
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@mindrot.org
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
Re: non-root SSHD [ In reply to ]
On Wed, 11 Sep 2019 at 21:51, Parag Chinchole <pchinchole@live.com> wrote:
> Does OpenSSH allow unprivileged SSH daemon?

Yes, with some caveats. When we run the regression tests (ie "make
tests) without sudo, these run entirely without privilege.

The caveats I can think of are:
- on most platforms password authentication requires privileges to
read the password file or invoke PAM to do so. The tests use only key
authentication.
- binding to low port numbers requires privileges on many platforms.
- on some platforms allocationg a psudeoterminal requires privileges.

As I said last time this came up
(https://marc.info/?l=openssh-unix-dev&m=150206569108938&w=2) the
two-process (privsep) use case with an unprivileged user should be a
supported configuration.

--
Darren Tucker (dtucker at dtucker.net)
GPG key 11EAA6FA / A86E 3E07 5B19 5880 E860 37F4 9357 ECEF 11EA A6FA (new)
Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@mindrot.org
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev