sshd as non-root

Damien Miller djm at mindrot.org
Sun Sep 28 16:41:49 EST 2003


On Sun, 2003-09-28 at 12:32, Ben Lindstrom wrote:
> On Sat, 27 Sep 2003, Stephen Samuel wrote:

> > Now I've run into the fact that the system attempts to do PAM
> > authentication, even though you're root.  Are there any other
> > problems I'm likely to run into?  Has this already been fixed
> > somewhere?
> >
> 
> The solution is NOT to use PAM.

Correct, don't add a UsePAM=yes to the config (assuming you are using
3.7.1p2). On some other platforms, non-root may break platform native
authentication systems. Darren, can you comment on AIX?

> Plus it is not going to be universally possible to support sshd as
> non-root since some systems require root for assigning TTYs.

I think that all platforms supported by portable OpenSSH require root
for TTY assignment. I believe that some platforms can get away with
non-root with a sgid helper, but we haven't followed that up.

> Depending on the changes we may consider them, but honestly =) don't keep
> your hopes up about integration.

Apart from PAM and TTY allocation, I'd be interested in hearing bug
reports. A non-root sshd is very useful for things like anonymous cvs
and sftp servers and I'd like to ensure it works on as many platforms as
possible. IIRC the regress tests can be run as non-root too (which
necessarily include sshd tests).

-d
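
A pre-flight check for the points raised in this thread, as an added example that is not part of the original message or of OpenSSH: it lints an sshd_config for settings that stop an unprivileged sshd from working. The function name `check_nonroot_sshd_config`, the privileged-port test (below 1024) and the host key readability test are assumptions added here; run it as the account that will start sshd.

```shell
#!/bin/sh
# Added example: lint the global section of an sshd_config for non-root use.
# Prints one finding per line; returns 0 when clean, 1 when anything is found.
# Simplification: quoted values containing spaces are not handled.
check_nonroot_sshd_config() {
    awk '
        function bad(msg) { print msg; found = 1 }

        /^[ \t]*#/ || /^[ \t]*$/ { next }      # comments and blank lines
        {
            sub(/^[ \t]+/, ""); sub(/[ \t]+$/, "")
            n = match($0, /[ \t=]+/)           # "Keyword value" or "Keyword=value"
            if (n == 0) next
            key = tolower(substr($0, 1, n - 1))  # keywords are case-insensitive
            val = substr($0, n + RLENGTH)
        }
        key == "match" { exit }                # global section ends; END still runs
        key == "usepam" {
            # sshd uses the first value it sees for a keyword
            if (!pam_seen++ && tolower(val) == "yes")
                bad("UsePAM is yes; a non-root sshd should leave PAM off")
        }
        key == "port" {                        # Port may be given more than once
            ports++
            if (val + 0 < 1024)
                bad("Port " val " is privileged (<1024); non-root normally cannot bind it")
        }
        key == "hostkey" {
            keys++
            # getline returns -1 when the file cannot be opened by this user
            if ((getline junk < val) < 0)
                bad("HostKey " val " is not readable by the current user")
            close(val)
        }
        END {
            if (!ports) bad("no Port set; the default is 22, which is privileged")
            if (!keys)  bad("no HostKey set; default host keys are normally root-only")
            exit found + 0
        }
    ' "$1"
}
```

TTY allocation, the other limitation named above, is a runtime matter and cannot be checked from the configuration file.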




