I'm aiming to start up a second sshd
instance on a non-privileged port (e.g. 2222) with my own configuration file.
Obviously, the sshd
process can't setuid
so logging in as users other than the one who is running the sshd
daemon is clearly impossible.
However, is it possible to have a working sshd
daemon that will work for the currently running user? For my use case, this would be fine.
I tried booting up an sshd
instance with my own config file and host key and the sshd
process starts up (no complaints about not being root, like some commands), however when I try to connect to that port, the sshd
process dies.
$ /usr/sbin/sshd -dD -h .ssh/id_rsa -p 2222
debug1: sshd version OpenSSH_5.6p1
debug1: read PEM private key done: type RSA
debug1: private host key: #0 type 1 RSA
debug1: setgroups() failed: Operation not permitted
debug1: rexec_argv[0]='/usr/sbin/sshd'
debug1: rexec_argv[1]='-dD'
debug1: rexec_argv[2]='-h'
debug1: rexec_argv[3]='.ssh/id_rsa'
debug1: rexec_argv[4]='-p'
debug1: rexec_argv[5]='2222'
debug1: Bind to port 2222 on 0.0.0.0.
Server listening on 0.0.0.0 port 2222.
debug1: Bind to port 2222 on ::.
Server listening on :: port 2222.
debug1: fd 6 clearing O_NONBLOCK
debug1: Server will not fork when running in debugging mode.
debug1: rexec start in 6 out 6 newsock 6 pipe -1 sock 9
debug1: inetd sockets after dupping: 5, 5
Connection from ::1 port 57670
debug1: Client protocol version 2.0; client software version OpenSSH_5.6
debug1: match: OpenSSH_5.6 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_5.6
debug1: list_hostkey_types:
No supported key exchange algorithms
debug1: do_cleanup
debug1: do_cleanup
debug1: audit_event: unhandled event 12
The debug1: setgroups() failed: Operation not permitted
line obviously sticks out, but it doesn't die until it tries to accept a connection.
After a bit of digging around I figured it out.
Start the process with
sshd -f ~/.ssh/sshd_config
where/.ssh/sshd_config
is a new file you created. Among other options (such as a different host key, different port, etc) you need to add the lineUsePrivilegeSeparation no
. This will prevent thesshd
process from trying to do anysetuid
orsetgid
calls and allow it to continue running as your user and accept connections as your user.EDIT: A few moments after figuring it out somebody else tweeted this link to me which confirms this is the correct way to do this: http://cygwin.com/ml/cygwin/2008-04/msg00363.html
As an update to this thread, OpenSSH in version 7.5 deprecated the UsePrivilegeSeparation option, making it impossible to disable privilege separation. It appears that running SSHD as a user is now impossible.
See https://www.openssh.com/releasenotes.html
Here is a userland bash script based on the Bo Jeanes' answer that :
Assuming what @magiclantern noted above and assuming you don't want to patch
sshd
will something like Dropbear work for you? It is used in many embedded devices that want an ssh server with smaller footprint (and fewer features/configs).I have checked in detail the possibility of running sshd service as a normal user. Detail of the version of the program:
Finally after solving many errors, I reached to a point that SSHD aborted with the following error:
I checked the source code to see whether it is possible to solve the issue without changing the source code. See the code here. Some part of the code causing abortion of the program:
It checks the user privilege by
(geteuid() != 0)
and here causes the problem.