Announce: OpenSSH 7.5 released

Jack Dodds brmdamon at hushmail.com
Fri Mar 24 23:38:29 AEDT 2017 

Hello,

You seem to be saying that in 7.5, sshd can no longer be run
under an ordinary user account. Is that accurate?

I use sshd running under a user account in Debian Jessie to allow
tunnels from remote devices. That capability is crucial to my
application.

Any comments would be appreciated.

Jack Dodds


Corinna Vinschen <vinschen at redhat.com> wrote:
> Hi,
> 
> I got a report on the Cygwin mailing list in terms of
> deprecating the privsep option. It seems one consequence is
> that you can't run sshd under a non-privileged account for
> personal use anymore:
> 
> ----- Forwarded message from Lionel Fourquaux -----
> > * This release deprecates the sshd_config UsePrivilegeSeparation
> >   option, thereby making privilege separation mandatory.
> 
> This has (probably not wholly intended) consequences when
> running sshd in single user (non root) mode:
> 
> $ /usr/sbin/sshd -D -f ~/.ssh/sshd_config
> Privilege separation user sshd does not exist
> 
> The problem is not limited to Cygwin, but is unlikely to happen
> in a typical Unix, since ssh is probably installed globally.
> 
> If Cygwin was installed without administrative privileges,
> creating a dedicated sshd user would be impossible (and makes
> little sense if sshd runs in single user mode, anyway). I guess
> it would be possible to add a fake user account in /etc/passwd.
> 
> Since user sshd and chroot /var/empty are not used in single
> user mode, it might be better to remove the check in this case:
> 
> === cut after ===
> diff --git a/sshd.c b/sshd.c
> index 010a2c3..4f9b2c8 100644
> --- a/sshd.c
> +++ b/sshd.c
> @@ -1641,7 +1641,8 @@ main(int ac, char **av)
> 
> 	/* Store privilege separation user for later use if required. */
> 	if ((privsep_pw = getpwnam(SSH_PRIVSEP_USER)) == NULL) {
> -		if (use_privsep || options.kerberos_authentication)
> +		if ((use_privsep || options.kerberos_authentication)
> +		    && (getuid() == 0 || geteuid() == 0))
> 			fatal("Privilege separation user %s does not exist",
> 			    SSH_PRIVSEP_USER);
> 	} else {
> @@ -1767,7 +1768,7 @@ main(int ac, char **av)
> 		    key_type(key));
> 	}
> 
> -	if (use_privsep) {
> +	if (use_privsep && (getuid() == 0 || geteuid() == 0)) {
> 		struct stat st;
> 
> 		if ((stat(_PATH_PRIVSEP_CHROOT_DIR, &st) == -1) ||
> === cut before ===
> 
> Best regards,
> 
> 		-- Lionel
> ----- End forwarded message -----
> 
> Is there a chance this could be reenabled again?
> 
> 
> Thanks,
> Corinna
> 
> _______________________________________________
> openssh-unix-dev mailing list
> openssh-unix-dev at mindrot.org
> https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
-------------- next part --------------
A non-text attachment was scrubbed...
Name: Encryption key for Jack Dodds.asc
Type: application/pgp-keys
Size: 1702 bytes
Desc: not available
URL: <http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20170324/2441bf19/attachment.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 473 bytes
Desc: OpenPGP Digital Signature
URL: <http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20170324/2441bf19/attachment-0001.bin>

More information about the openssh-unix-dev mailing list