Using AuthorizedKeysCommand in unprivileged sshd mode
Alon Bar-Lev
alon.barlev at gmail.com
Sat Jun 28 05:46:30 EST 2014
Hi,
I have a setup in which I run sshd as unprivileged user at dedicated port
to serve specific application.
It is working perfectly!
One tweak I had to do, since the AuthorizedKeysCommand feature requires
file to be owned by root, I had to use root owned command at root owned
directory, although it does not add a security value.
At auth2-pubkey.c::user_key_command_allowed2(), we have the following:
if (auth_secure_path(options.authorized_keys_command, &st, NULL, 0,
errmsg, sizeof(errmsg)) != 0) {
error("Unsafe AuthorizedKeysCommand: %s", errmsg);
goto out;
}
This enforce root uid explicitly (arg#4).
Will it be acceptable to use geteuid() instead of 0, to allow unprivileged
process to apply its own? Or add sshd_config option to enable alternate
user ownership?
Regards,
Alon Bar-Lev
More information about the openssh-unix-dev
mailing list