RE: Who to run sshd as



Personally I use the privilege separation with SSHD so it can start and
bind to port 22, but whenever someone logs in a child process starts
with no privileges, it has a home directory of /var/empty and the shell
on my Solaris and HPUX boxes is /usr/bin/false and on Linux it's
/sbin/nologin. The user gets a child under their name only, so no more
privileges than you allow that user. This capability has been part of
OpenSSH for quite a while now, I know at least to the early 3.x
versions.

Randy

-----Original Message-----
From: listbounce@xxxxxxxxxxxxxxxxx
[mailto:listbounce@xxxxxxxxxxxxxxxxx] On Behalf Of James Stickland
Sent: Friday, October 27, 2006 8:44 PM
To: secureshell@xxxxxxxxxxxxxxxxx
Subject: Who to run sshd as

Hello, I'm running OpenSSH 4.4p1 for Linux

I setuid the sshd binary to execute as a normal user "joe"
but that user does not have permission to bind the socket.



How can I have my sshd run as non-root, yet still bind the socket?
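
A check for the privilege-separation setup described in the reply, added here as an example and not part of the original thread. It assumes the privilege-separation account is named `sshd` and that the `UsePrivilegeSeparation` keyword defaults to `yes` when absent; the config and passwd contents are constructed samples.

```python
import re

# Values taken from the reply above; the account name is an assumption.
PRIVSEP_USER = "sshd"  # assumption: OpenSSH's default privilege-separation account
PRIVSEP_HOME = "/var/empty"
NOLOGIN_SHELLS = {"/usr/bin/false", "/sbin/nologin"}

def effective_option(config_text, keyword, default):
    """Return the global value sshd would use: keywords are case-insensitive,
    the first occurrence wins, and Match blocks are not global settings."""
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        if parts[0].lower() == "match":
            break
        if parts[0].lower() == keyword.lower() and len(parts) == 2:
            return parts[1].strip()
    return default

def audit_privsep(config_text, passwd_text):
    """Return a list of findings; an empty list means the setup matches the reply."""
    findings = []
    # Assumption: privilege separation defaults to "yes" when the keyword is absent.
    if effective_option(config_text, "UsePrivilegeSeparation", "yes").lower() == "no":
        findings.append("UsePrivilegeSeparation is disabled")
    entries = [l.split(":") for l in passwd_text.splitlines()]
    entry = next((f for f in entries if len(f) == 7 and f[0] == PRIVSEP_USER), None)
    if entry is None:
        return findings + [f"no passwd entry for {PRIVSEP_USER}"]
    _, _, uid, gid, _, home, shell = entry
    if uid == "0" or gid == "0":
        findings.append("privsep account has uid or gid 0")
    if home != PRIVSEP_HOME:
        findings.append(f"home is {home}, expected {PRIVSEP_HOME}")
    if shell not in NOLOGIN_SHELLS:
        findings.append(f"shell {shell} is not a no-login shell")
    return findings

# Constructed sample inputs (not from any real host).
GOOD_CONFIG = "Port 22\nUsePrivilegeSeparation yes\n"
BAD_CONFIG = "# first value wins\nuseprivilegeseparation no\nUsePrivilegeSeparation yes\n"
GOOD_PASSWD = "root:x:0:0:root:/root:/bin/sh\nsshd:x:74:74:privsep:/var/empty:/sbin/nologin\n"
BAD_PASSWD = "sshd:x:0:0:privsep:/home/sshd:/bin/bash\n"

if __name__ == "__main__":
    for finding in audit_privsep(BAD_CONFIG, BAD_PASSWD):
        print("FINDING:", finding)
```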







