SSH_PRIVSEP_USER configurable at runtime?

Peter Stuge peter at
Wed Apr 2 22:37:43 EST 2014

Corinna Vinschen wrote:
> On non-domain machines the account
> name will be "sshd", not "${machine}+sshd".  Except if the admin
> specifies that the domain is always prepended, which makes it
> "${machine}+sshd" again.  And if the admin specifies the separator char
> to be not '+' but, for instance '#', the account name will be
> "${machine}#sshd".
> All that knowledge would have to go into sshd.c.

FWIW I think this is the right solution.

> Isn't it much easier and less convoluted to allow specifying the
> account name in sshd_config?

But less right, if only because if the admin changes those settings
then they need to go touch config files for no real reason.
