On Fri, Jun 27, 2014 at 10:46 PM, Alon Bar-Lev <alon.barlev@xxxxxxxxx> wrote:
> Hi,
>
> I have a setup in which I run sshd as an unprivileged user on a dedicated port to
> serve a specific application.
>
> It is working perfectly!
>
> One tweak I had to do: since the AuthorizedKeysCommand feature requires the file
> to be owned by root, I had to use a root-owned command in a root-owned
> directory, although it does not add any security value.
>
> At auth2-pubkey.c::user_key_command_allowed2(), we have the following:
>
>     if (auth_secure_path(options.authorized_keys_command, &st, NULL, 0,
>         errmsg, sizeof(errmsg)) != 0) {
>             error("Unsafe AuthorizedKeysCommand: %s", errmsg);
>             goto out;
>     }
>
> This enforces root uid explicitly (arg#4).
>
> Would it be acceptable to use geteuid() instead of 0, to allow an unprivileged
> process to apply its own? Or to add an sshd_config option to enable alternate user
> ownership?

Actually, I think it is better to have a new sshd_config option, as a configuration in which all files are owned by one unprivileged user, and sshd is running as another unprivileged user without being able to modify any of the files, is better security-wise if a static environment is required while the AuthorizedKeysCommand is used to retrieve authorized keys via RPC.

In this mode the sshd_config, the AuthorizedKeysCommand and the private key are all owned by one user, and readable by the user that runs the sshd.

One caveat left is that the sshd cannot access /etc/ssh/moduli on some distributions, and there is no way to override the build-time SSHDIR. I can solve this as well with an sshd_config parameter, if that is acceptable.

Alon
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev