Re: Running Sshd as non-root

[Chris Ess <azarin () tokimi net>]

> I was trying to make my sshd more secure by running it on non-root user.
> Can anyone help me out with it? Has anyone done that before?
>
> I tried putting sudo for "service" command, and even "chown user:
> /etc/init.d/sshd" but it is not doing it.

Well, here's a handful of questions and points.  I do not claim that
everything is correct, but I hope to be as correct as I can within the
bounds of my knowledge.

First off, you should really look at privilege separation under OpenSSH
3.4 and later.  sshd will run as root until the user authenticates, at
which point the sshd child will be setuid(2) the authenticated user.  For
instance, on my home machine, see:

root       998  0.0  0.2  2700  832 ?        S    Aug08   0:03 /usr/local/sbin/sshd
root     16477  0.0  0.2  6152  848 ?        S    Aug09   0:00 sshd: azarin [priv]
azarin   16479  0.0  0.3  6168 1100 ?        S    Aug09   0:12 sshd: azarin@pts/15

In this case, the main sshd daemon, pid 998, is listening on 22/tcp.  I
logged in and the sshd all of my processes see in this session is under
pid 16479.

If you do not trust the portion of sshd running as root then here are some
things you are going to run into:

* sshd cannot bind to port 22/tcp or any other port 1024 or below.  Due to
limitations in kernels, only a user with uid 0 (i.e. 'root') can bind to a
port numbered 1024 or below.  To the best of my knowledge, apache and
BIND's named (if you use the -u flag) accomplish binding to a privileged
port by binding as the port then spawning a child that is setuid(2)'d to
the appropriate user.  sshd, however, does not do this.

* If you use shadowed passwords, then this will not work.  Period.
/etc/shadow on most systems is chmod 600 and owned by root.  (Any other
combination of ownership and permissions is broken.)  I do not know if
using PAM will remove this requirement, but I do not think so.  Also,
other password authentication mechanisms may also fail.

If you are set on running sshd as a non uid 0 user (i.e. not root), then
you will have to bind it to a port above 1024/tcp.  Also, since password
authentication may not work, the use of key-based authentication is your
best bet for gaining access.  Lastly, this sshd will *only* allow login by
the user running it.  It will not allow authentication for another user
since you cannot setuid(2) to that user.


Personally, I suggest using a version of OpenSSH that supports privilege
separation.  In a controlled environment, requiring key-based
authentication is a good idea.  However, if everyone who will SSH to this
machine is not very technically savvy and have a habit of accessing from
multiple computers, a requirement on key-based authentication may be too
much of a hassle.

Anyway, I hope this helps.

Sincerely,


Chris Ess
System Administrator / CDTT (Certified Duct Tape Technician)

---------------------------------------------------------------------------
----------------------------------------------------------------------------