sshd static credentials
Darren Tucker
dtucker at dtucker.net
Sat Jul 11 14:50:35 AEST 2020
On Sat, 11 Jul 2020 at 01:14, shawn wilson <ag4ve.us at gmail.com> wrote:
> Is there a way to have a static user/key (not use PAM)? I'm trying to write
> some bats tests through running ssh remote commands and trying not to alter
> system/user configs to do so.
Yes, as long as sshd doesn't need to do anything requiring root you
can run sshd entirely as a non-privileged user. This is how the
regression tests work when run without SUDO.
Typically you'd need to:
- generate new host keys (preferred) or copy existing ones (less
preferred) such that the unprivileged user can read them
- disable PAM (if sshd is built with it) and set a non-privileged
port in the config.
- ensure that the unprivileged user can read authorized_keys. You
might also want to point AuthorizedKeysFile at a distinct place.
- not attempt to change to a different uid.
Here's the simplest case:
$ ssh-keygen -t rsa -f ssh_host_rsa_key -N '' # generate host key
$ ssh-keygen -t rsa -f id_rsa -N '' # generate user key
$ cp id_rsa.pub authorized_keys
$ /usr/sbin/sshd -f/dev/null -oPort=2222 \
    -ohostkey=`pwd`/ssh_host_rsa_key \
    -o authorizedkeysfile=`pwd`/authorized_keys -o strictmodes=no
$ ssh -i id_rsa -o identitiesonly=yes -p 2222 localhost echo "it works!"
it works!
... although if I was setting this up for real I'd make the directory
owned by root mode 755 and get it working with strictmodes=yes.
--
Darren Tucker (dtucker at dtucker.net)
GPG key 11EAA6FA / A86E 3E07 5B19 5880 E860 37F4 9357 ECEF 11EA A6FA (new)
Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.
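
The steps in the reply above, wrapped as setup/teardown helpers for a test suite. This is an added example, not part of the original message or of OpenSSH's regression tests. The function names, the file layout under a scratch directory, the ed25519 key type and the pinned known_hosts file are assumptions of this sketch.

```sh
#!/bin/sh
# Added example: throwaway unprivileged sshd for test suites (hypothetical helpers).
SSHD=${SSHD:-/usr/sbin/sshd}    # sshd must be started via an absolute path

write_sshd_config() {           # usage: write_sshd_config DIR PORT
    cat > "$1/sshd_config" <<EOF
Port $2
ListenAddress 127.0.0.1
HostKey $1/ssh_host_ed25519_key
AuthorizedKeysFile $1/authorized_keys
PidFile $1/sshd.pid
UsePAM no
PasswordAuthentication no
StrictModes no
EOF
}

start_test_sshd() {             # usage: start_test_sshd DIR PORT
    ssh-keygen -q -t ed25519 -N '' -f "$1/ssh_host_ed25519_key" || return 1
    ssh-keygen -q -t ed25519 -N '' -f "$1/id_ed25519" || return 1
    cp "$1/id_ed25519.pub" "$1/authorized_keys"
    # Pin the fresh host key so the client never touches ~/.ssh/known_hosts.
    printf '[127.0.0.1]:%s %s\n' "$2" "$(cat "$1/ssh_host_ed25519_key.pub")" \
        > "$1/known_hosts"
    write_sshd_config "$1" "$2"
    "$SSHD" -f "$1/sshd_config" || return 1
    # sshd writes its pid file once the listen socket is bound; wait up to 5 s.
    i=0
    while [ ! -s "$1/sshd.pid" ] && [ "$i" -lt 5 ]; do sleep 1; i=$((i + 1)); done
    [ -s "$1/sshd.pid" ]
}

test_ssh() {                    # usage: test_ssh DIR PORT COMMAND...
    dir=$1 port=$2; shift 2
    # -F /dev/null ignores the user's ssh_config; log in as the current user.
    ssh -F /dev/null -i "$dir/id_ed25519" -p "$port" \
        -o IdentitiesOnly=yes -o BatchMode=yes \
        -o UserKnownHostsFile="$dir/known_hosts" -o StrictHostKeyChecking=yes \
        127.0.0.1 "$@"
}

stop_test_sshd() {              # usage: stop_test_sshd DIR
    [ -s "$1/sshd.pid" ] && kill "$(cat "$1/sshd.pid")"
    rm -rf "$1"
}
# d=$(mktemp -d); start_test_sshd "$d" 2222 && test_ssh "$d" 2222 echo "it works!"
# stop_test_sshd "$d"
```

StrictModes stays off here, as in the command above, because a scratch directory under a world-writable /tmp fails the ownership and mode checks; a directory under a root-owned mode-755 path lets it be switched back on.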