multiuser sshd as non-root

Adam Endrodi endrodi at
Mon Aug 5 20:16:03 AEST 2019

Dear knowledgeable people,

I'm running sshd 6.6.1p1 on RHEL 7.1.  I've got a security requirement
to run it as an ordinary user, let's say test-x, instead of root.
It works well if I try to log in as test-x user with public key auth.

Unfortunately I need sshd to serve other users as well.  In order to
let sshd switch uids I've set the CAP_SETUID and CAP_SETGID capabilities
on the sshd binary.  But it didn't work out, when I try to log in as
another user, say test-y, sshd says:

Failed to set uids to 1009.

Disabling privsep didn't help.  From strace I didn't even see any attempt
to setuid() to test-y, so I think (but haven't verified) that when running
as non-root, sshd doesn't even try to change uids.

My question is, do you think such a use case (running multiuser sshd as
non-root) is possible theoretically, or can it be implemented with a
small patch?

(Let's not discuss whether the use case makes sense, the requirement for
 me is a given.)

How I need a drink, alcoholic in nature, after the tough chapters
involving quantum mechanics!

More information about the openssh-unix-dev mailing list