
I'm aiming to start up a second sshd instance on a non-privileged port (e.g. 2222) with my own configuration file.

Obviously, the sshd process can't setuid so logging in as users other than the one who is running the sshd daemon is clearly impossible.

However, is it possible to have a working sshd daemon that will work for the currently running user? For my use case, this would be fine.

I tried booting up an sshd instance with my own config file and host key, and the sshd process starts up (no complaints about not being root, like some commands); however, when I try to connect to that port, the sshd process dies.

$ /usr/sbin/sshd -dD -h .ssh/id_rsa -p 2222 
debug1: sshd version OpenSSH_5.6p1
debug1: read PEM private key done: type RSA
debug1: private host key: #0 type 1 RSA
debug1: setgroups() failed: Operation not permitted
debug1: rexec_argv[0]='/usr/sbin/sshd'
debug1: rexec_argv[1]='-dD'
debug1: rexec_argv[2]='-h'
debug1: rexec_argv[3]='.ssh/id_rsa'
debug1: rexec_argv[4]='-p'
debug1: rexec_argv[5]='2222'
debug1: Bind to port 2222 on 0.0.0.0.
Server listening on 0.0.0.0 port 2222.
debug1: Bind to port 2222 on ::.
Server listening on :: port 2222.
debug1: fd 6 clearing O_NONBLOCK
debug1: Server will not fork when running in debugging mode.
debug1: rexec start in 6 out 6 newsock 6 pipe -1 sock 9
debug1: inetd sockets after dupping: 5, 5
Connection from ::1 port 57670
debug1: Client protocol version 2.0; client software version OpenSSH_5.6
debug1: match: OpenSSH_5.6 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_5.6
debug1: list_hostkey_types: 
No supported key exchange algorithms
debug1: do_cleanup
debug1: do_cleanup
debug1: audit_event: unhandled event 12

The debug1: setgroups() failed: Operation not permitted line obviously sticks out, but it doesn't die until it tries to accept a connection.

Bo Jeanes

8 Answers


Start the process with sshd -f ~/.ssh/sshd_config where ~/.ssh/sshd_config is a new file you created. Among other options (such as a different host key, different port, etc.) you need to add the line UsePrivilegeSeparation no. This will prevent the sshd process from trying to do any setuid or setgid calls and allow it to continue running as your user and accept connections as your user.

(This link confirms it is the correct way: http://cygwin.com/ml/cygwin/2008-04/msg00363.html )

Good Pen
Bo Jeanes

Here is a userland bash script based on Bo Jeanes' answer that:

  • Creates a working dir in home
  • Generates server keys in the working dir
  • Generates a basic config file with the pid file located in the working dir
  • Launches an SSH daemon
# working directory and host keys under $HOME
mkdir ${HOME}/custom_ssh
ssh-keygen -f ${HOME}/custom_ssh/ssh_host_rsa_key -N '' -t rsa
ssh-keygen -f ${HOME}/custom_ssh/ssh_host_dsa_key -N '' -t dsa

# minimal config; the pid file must also live somewhere the user can write
cat << EOF > ${HOME}/custom_ssh/sshd_config
Port 2222
HostKey ${HOME}/custom_ssh/ssh_host_rsa_key
HostKey ${HOME}/custom_ssh/ssh_host_dsa_key
AuthorizedKeysFile .ssh/authorized_keys
ChallengeResponseAuthentication no
UsePAM yes
Subsystem sftp /usr/lib/ssh/sftp-server
PidFile ${HOME}/custom_ssh/sshd.pid
EOF

/usr/bin/sshd -f ${HOME}/custom_ssh/sshd_config
echo "----- Process ID : ${HOME}/custom_ssh/sshd.pid -------"

  • OpenSSH_7.9p1, OpenSSL 1.1.1a 20 Nov 2018
  • pam auth (tested with same local & remote user)
Steve Kehlet
inattendu

As an update to this thread, OpenSSH in version 7.5 deprecated the UsePrivilegeSeparation option, making it impossible to disable privilege separation. It appears that running SSHD as a user is now impossible.

See https://www.openssh.com/releasenotes.html


Assuming what @magiclantern noted above, and assuming you don't want to patch sshd, will something like Dropbear work for you? It is used in many embedded devices that want an ssh server with a smaller footprint (and fewer features/configs).

nhed

I have checked in detail the possibility of running the sshd service as a normal user. Details of the program version:

sshd version OpenSSH_7.4, OpenSSL 1.0.2k

Finally, after solving many errors, I reached a point where sshd aborted with the following error:

Attempt to write login records by non-root user (aborting)

I checked the source code to see whether it is possible to solve the issue without changing the source code. See the code here. The part of the code that causes the program to abort:

#ifndef HAVE_CYGWIN
    if (geteuid() != 0) {
        logit("Attempt to write login records by non-root user (aborting)");
        return (1);
    }
#endif

It checks the user privilege with (geteuid() != 0), and this is what causes the problem.


For Ubuntu users, the answer above (https://serverfault.com/a/946877/994202) should be:

mkdir ${HOME}/custom_ssh
ssh-keygen -f ${HOME}/custom_ssh/ssh_host_rsa_key -N '' -t rsa
ssh-keygen -f ${HOME}/custom_ssh/ssh_host_dsa_key -N '' -t dsa

cat << EOF > ${HOME}/custom_ssh/sshd_config
Port 6666
HostKey ${HOME}/custom_ssh/ssh_host_rsa_key
HostKey ${HOME}/custom_ssh/ssh_host_dsa_key
PidFile ${HOME}/custom_ssh/sshd.pid
EOF

/usr/sbin/sshd -f ${HOME}/custom_ssh/sshd_config

Then type ssh -p 6666 your_not_root_user_name@your_ip in a local shell.

Good Pen

I tried following the answer above, but ran into permission denied (publickey) errors that I couldn't figure out.

But this gave me the idea of getting more logging by adding

SyslogFacility AUTH
LogLevel DEBUG

to the ${HOME}/custom_ssh/sshd_config file, and running (on the server side) sshd -f ${HOME}/custom_ssh/sshd_config -D -e gave me lots of output that quickly led me to the problem.

I just needed to add the public key to .ssh/authorized_keys, by doing cat ${HOME}/custom_ssh/ssh_host_rsa_key.pub > .ssh/authorized_keys.

TimS

Based on the answers above, this is what I needed and it works for me:

  1. PRIVATE computer, behind a firewall, without an ssh server. The ssh server is started as a user with command-line parameters, without a config file. (In my case it is a Windows PC).

  2. Reverse ssh tunnel to PRIVATE from PUBLIC ssh server. (In my case it is a Linux PC).

  3. ssh and sshfs from PUBLIC server to the started ssh server on PRIVATE computer.

PRIVATE $ ssh-keygen -f .ssh/local-sshd-ed25519 -N '' -t ed25519

PRIVATE $ /usr/bin/sshd -4Def /dev/null -o'ListenAddress 127.0.0.1:2222' \
    -h ~/.ssh/local-sshd-ed25519 \
    -o'UsePrivilegeSeparation no' -o'PermitRootLogin no' -o'PasswordAuthentication no' \
    -o'ChallengeResponseAuthentication no' -o'KbdInteractiveAuthentication no' \
    -o'Subsystem sftp /usr/lib/ssh/sftp-server' -o'PrintLastLog no'

test: -o'LogLevel DEBUG3' -o'AuthorizedKeysFile .ssh/id_ed25519.pub'

test $ ssh -p2222 -o'NoHostAuthenticationForLocalhost yes' <PRIVATE-USER>@127.0.0.1

PRIVATE $ ssh -NR 127.0.0.1:2222:127.0.0.1:2222 <PUBLIC-USER>@<PUBLIC-IP>

PUBLIC $ ssh -p2222 <PRIVATE-USER>@127.0.0.1
PUBLIC $ sshfs -p2222 <PRIVATE-USER>@127.0.0.1:/<DIR> ~/<DIR>

mmm
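Pulling the thread's pieces together (Bo Jeanes' UsePrivilegeSeparation no, inattendu's generated config, and mmm's loopback-only, key-only command line), here is an added example script that is not from any of the answers: it writes the config, checks the file modes sshd is strict about, and parse-tests it before starting. DIR, PORT, the SSHD path default and the sftp-server path are assumptions.

```shell
#!/bin/sh
# Added example, not taken from any answer above: assemble a loopback-only,
# key-only sshd_config for an unprivileged sshd instance, check the file modes
# sshd is strict about, then parse-test it. DIR, PORT and SSHD are
# caller-supplied assumptions; the sftp-server path is the one the answers use.
SSHD=${SSHD:-/usr/sbin/sshd}

# write_user_sshd_config DIR PORT : write DIR/sshd_config, print its path
write_user_sshd_config() {
    _dir=$1 _port=$2
    cat > "$_dir/sshd_config" <<EOF
Port $_port
ListenAddress 127.0.0.1
HostKey $_dir/ssh_host_ed25519_key
PidFile $_dir/sshd.pid
UsePrivilegeSeparation no
PasswordAuthentication no
ChallengeResponseAuthentication no
PermitRootLogin no
AuthorizedKeysFile $_dir/authorized_keys
Subsystem sftp /usr/lib/ssh/sftp-server
EOF
    echo "$_dir/sshd_config"
}
# mode_is_private FILE : true when no group/other permission bits are set,
# the mode ssh-keygen gives a new private key (parsed from ls for portability)
mode_is_private() {
    [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}
# preflight DIR : host key private, authorized_keys not group/world-writable
# (StrictModes rejects it otherwise), and the config parses when sshd exists
preflight() {
    _dir=$1
    mode_is_private "$_dir/ssh_host_ed25519_key" || return 1
    [ "$(ls -ld "$_dir/authorized_keys" | cut -c6,9)" = "--" ] || return 1
    if [ -x "$SSHD" ]; then
        "$SSHD" -t -f "$_dir/sshd_config" || return 1
    fi
}
# Stand-alone use: sh this_script.sh ~/custom_ssh 2222
if [ $# -eq 2 ]; then
    mkdir -p "$1" && chmod 700 "$1"
    [ -f "$1/ssh_host_ed25519_key" ] || ssh-keygen -q -N '' -t ed25519 -f "$1/ssh_host_ed25519_key"
    touch "$1/authorized_keys" && chmod 600 "$1/authorized_keys"
    write_user_sshd_config "$1" "$2" >/dev/null
    if preflight "$1"; then exec "$SSHD" -D -e -f "$1/sshd_config"; fi
    echo "preflight failed, not starting sshd" >&2; exit 1
fi
```

Add your own public key to DIR/authorized_keys before connecting; the host key's .pub file is not a login credential.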