Using AuthorizedKeysCommand in unprivileged sshd mode

[Alon Bar-Lev]

On Fri, Jun 27, 2014 at 10:46 PM, Alon Bar-Lev <alon.barlev at gmail.com> wrote:
> Hi,
>
> I have a setup in which I run sshd as unprivileged user at dedicated port to
> serve specific application.
>
> It is working perfectly!
>
> One tweak I had to do, since the AuthorizedKeysCommand feature requires file
> to be owned by root, I had to use root owned command at root owned
> directory, although it does not add a security value.
>
> At auth2-pubkey.c::user_key_command_allowed2(), we have the following:
>
>         if (auth_secure_path(options.authorized_keys_command, &st, NULL, 0,
>             errmsg, sizeof(errmsg)) != 0) {
>                 error("Unsafe AuthorizedKeysCommand: %s", errmsg);
>                 goto out;
>         }
>
> This enforce root uid explicitly (arg#4).
>
> Will it be acceptable to use geteuid() instead of 0, to allow unprivileged
> process to apply its own? Or add sshd_config option to enable alternate user
> ownership?

Actually, I think it is better to have a new sshd_config option as a
configuration in which all files are owned by one unprivileged user,
and sshd is running as other unprivileged user without being able to
modify any of the files, is better security wise if static environment
is required while the AuthorizedKeysCommand is used to retrieve
authorized keys via rpc. In this mode the sshd_config,
AuthorizedKeysCommand, the private key are all owned by one user,
readable by the user runs the sshd.

One caveat left is that the sshd cannot access /etc/ssh/moduli at some
distributions, and there is no way to override the build time SSHDIR,
I can solve this as well by using sshd_config parameter if is
acceptable.

Alon