multiuser sshd as non-root
Adam Endrodi
endrodi at nokia.com
Mon Aug 5 20:16:03 AEST 2019
Dear knowledgeable people,

I'm running sshd 6.6.1p1 on RHEL 7.1. I've got a security requirement
to run it as an ordinary user, let's say test-x, instead of root.
It works well if I try to log in as test-x user with public key auth.

Unfortunately I need sshd to serve other users as well. In order to
let sshd switch uids I've set the CAP_SETUID and CAP_SETGID capabilities
on the sshd binary. But it didn't work out, when I try to log in as
another user, say test-y, sshd says:

    Failed to set uids to 1009.

Disabling privsep didn't help. From strace I didn't even see any attempt
to setuid() to test-y, so I think (but haven't verified) that when running
as non-root, sshd doesn't even try to change uids.

My question is, do you think such a use case (running multiuser sshd as
non-root) is possible theoretically, or can it be implemented with a
small patch?

(Let's not discuss whether the use case makes sense, the requirement for
me is a given.)

--
How I need a drink, alcoholic in nature, after the tough chapters
involving quantum mechanics!

More information about the openssh-unix-dev mailing list