Hi,

I have a setup in which I run sshd as an unprivileged user on a dedicated port to serve a specific application. It is working perfectly!

One tweak I had to make: since the AuthorizedKeysCommand feature requires the file to be owned by root, I had to use a root-owned command in a root-owned directory, although it does not add any security value.

At auth2-pubkey.c::user_key_command_allowed2(), we have the following:

    if (auth_secure_path(options.authorized_keys_command, &st, NULL, 0,
        errmsg, sizeof(errmsg)) != 0) {
            error("Unsafe AuthorizedKeysCommand: %s", errmsg);
            goto out;
    }

This enforces root uid explicitly (arg#4).

Will it be acceptable to use geteuid() instead of 0, to allow an unprivileged process to apply its own? Or to add an sshd_config option to enable alternate user ownership?

Regards,
Alon Bar-Lev

_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
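
The kind of ownership and mode check discussed in the message above, as an added example that is not part of the original post and is not OpenSSH's auth_secure_path() code. The hypothetical check_secure_path() takes the trusted uid as a parameter, so passing 0 models the current requirement and passing geteuid() models the proposed one; the `stop` parameter, the error strings and the exact rules (owner is root or `uid`, no group/world write bits, checked on the file and each parent directory) are assumptions made for illustration.

```c
#define _XOPEN_SOURCE 700
#include <libgen.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hypothetical helper, not OpenSSH code. Returns 0 when `path` is a regular
 * file and it plus every parent directory up to `stop` (or "/" when stop is
 * NULL) is owned by root or `uid` and not group/world-writable; else -1. */
int check_secure_path(const char *path, uid_t uid, const char *stop,
    char *err, size_t errlen)
{
    char buf[PATH_MAX], top[PATH_MAX] = "/", tmp[PATH_MAX];
    struct stat st;

    if (realpath(path, buf) == NULL ||
        (stop != NULL && realpath(stop, top) == NULL)) {
        snprintf(err, errlen, "realpath failed for %s", path);
        return -1;
    }
    if (stat(buf, &st) != 0 || !S_ISREG(st.st_mode)) {
        snprintf(err, errlen, "%s is not a regular file", buf);
        return -1;
    }
    for (;;) {
        if (st.st_uid != 0 && st.st_uid != uid) {
            snprintf(err, errlen, "bad ownership for %s", buf);
            return -1;
        }
        if ((st.st_mode & 022) != 0) {
            snprintf(err, errlen, "bad modes for %s", buf);
            return -1;
        }
        if (strcmp(buf, top) == 0 || strcmp(buf, "/") == 0)
            return 0;
        /* dirname() may modify its argument, so hand it a copy. */
        snprintf(tmp, sizeof(tmp), "%s", buf);
        snprintf(buf, sizeof(buf), "%s", dirname(tmp));
        if (stat(buf, &st) != 0) {
            snprintf(err, errlen, "cannot stat %s", buf);
            return -1;
        }
    }
}
```

When the caller is not root, a command file it owns fails with uid 0 and passes with geteuid(); the write-bit and parent-directory checks apply in both cases.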