sshd static credentials

Darren Tucker dtucker at dtucker.net
Sat Jul 11 14:50:35 AEST 2020


On Sat, 11 Jul 2020 at 01:14, shawn wilson <ag4ve.us at gmail.com> wrote:
> Is there a way to have a static user/key (not use PAM)? I'm trying to write
> some bats tests through running ssh remote commands and trying not to alter
> system/user configs to do so.

Yes, as long as sshd doesn't need to do anything requiring root you
can run sshd entirely as a non-privileged user.  This is how the
regression tests work when run without SUDO.

Typically you'd need to:
 - generate new host keys (preferred) or copy existing ones (less
preferred) such that the unprivileged user can read them
 - disable PAM (if sshd is built with it) and set a non-privileged
port in the config.
 - ensure that the unprivileged user can read authorized_keys.  You
might also want to point AuthorizedKeysFile at a distinct place.
 - not attempt to change to a different uid.

Here's the simplest case:
$ ssh-keygen -t rsa -f ssh_host_rsa_key -N ''  # generate host key
$ ssh-keygen -t rsa -f id_rsa -N ''  # generate user key
$ cp id_rsa.pub authorized_keys
$ /usr/sbin/sshd -f/dev/null -oPort=2222 \
    -ohostkey=`pwd`/ssh_host_rsa_key \
    -o authorizedkeysfile=`pwd`/authorized_keys -o strictmodes=no
$ ssh -i id_rsa -o identitiesonly=yes -p 2222 localhost echo "it works!"
it works!

... although if I was setting this up for real I'd make the directory
owned by root mode 755 and get it working with strictmodes=yes.

-- 
Darren Tucker (dtucker at dtucker.net)
GPG key 11EAA6FA / A86E 3E07 5B19 5880 E860  37F4 9357 ECEF 11EA A6FA (new)
    Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.
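
As an added example (not part of the thread above), here is the same recipe packaged as a reusable shell helper for a test suite, keeping StrictModes on by placing everything under $HOME. It assumes sshd (in PATH or at /usr/sbin/sshd), ssh-keygen and ssh are installed; the port, file names and function names are my own choices.

```shell
#!/bin/sh
# Added example, not from the original thread: a throwaway sshd for a test
# suite, following the recipe above but with StrictModes left on. Assumes
# sshd, ssh-keygen and ssh are available; port and file names are arbitrary.
set -eu
# Write a minimal sshd_config for an unprivileged sshd rooted in $1 on port $2.
write_sshd_config() {
    dir=$1 port=$2
    cat > "$dir/sshd_config" <<EOF
Port $port
ListenAddress 127.0.0.1
HostKey $dir/ssh_host_ed25519_key
AuthorizedKeysFile $dir/authorized_keys
PidFile none
UsePAM no
PasswordAuthentication no
KbdInteractiveAuthentication no
StrictModes yes
EOF
    echo "$dir/sshd_config"
}

# Keys and layout with modes StrictModes accepts. The directory lives under
# $HOME because sshd walks up to the home directory checking that no parent
# is group/world-writable; a directory under /tmp would fail that check.
setup_test_sshd() {
    dir=$(mktemp -d "$HOME/.sshd-test.XXXXXX")   # mktemp -d creates mode 700
    ssh-keygen -q -t ed25519 -N '' -f "$dir/ssh_host_ed25519_key"
    ssh-keygen -q -t ed25519 -N '' -f "$dir/id_ed25519"
    cp "$dir/id_ed25519.pub" "$dir/authorized_keys"
    chmod 600 "$dir/authorized_keys"
    write_sshd_config "$dir" "$1" >/dev/null
    echo "$dir"
}

# Start sshd in the foreground (-D, log to stderr with -e), run one command
# over it as the current user, then tear everything down. Usage: PORT CMD...
run_over_test_sshd() {
    port=$1; shift
    dir=$(setup_test_sshd "$port")
    sshd=$(command -v sshd || echo /usr/sbin/sshd)   # re-exec needs an absolute path
    "$sshd" -D -e -f "$dir/sshd_config" & pid=$!
    sleep 1                                          # crude wait for the listener
    status=0
    ssh -q -i "$dir/id_ed25519" -o IdentitiesOnly=yes -o StrictHostKeyChecking=no \
        -o UserKnownHostsFile="$dir/known_hosts" -p "$port" localhost "$@" || status=$?
    kill "$pid"; rm -rf "$dir"
    return "$status"
}
if [ "$#" -gt 0 ]; then run_over_test_sshd "$@"; fi
```

Invoked as `sh sshd_test.sh 2222 echo "it works!"` it prints the echoed string and exits with ssh's status, so a bats test can assert on both.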

