unprivileged sshd
unprivileged sshd
Posted Jul 5, 2024 4:46 UTC (Fri) by donald.buczek (subscriber, #112892)In reply to: WireGuard as defense-in-depth by mussell
Parent article: Serious vulnerability fixed with OpenSSH 9.8
> In theory it should be possible to run a SSH daemon without root by having systemd create the session and having it pass back ttys similar to how machinectl shell/run0 works, but I highly doubt the OpenSSH devs would implement something that uses systemd.
Yes, this already works and sshd doesn't need to be aware. For example, we abuse sshd to offer interactive sessions via our cluster scheduler. sshd is running unprivileged, the network socket is already connected externally (so we run it in inetd mode) and keys are created per session and communicated out of band [^1].
[^1] https://github.molgen.mpg.de/mariux64/mxtools/blob/master...