
sshd static credentials
Is there a way to have a static user/key (not use PAM)? I'm trying to write
some bats tests through running ssh remote commands and trying not to alter
system/user configs to do so.
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@mindrot.org
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
Re: sshd static credentials
On Sat, 11 Jul 2020 at 01:14, shawn wilson <ag4ve.us@gmail.com> wrote:
> Is there a way to have a static user/key (not use PAM)? I'm trying to write
> some bats tests through running ssh remote commands and trying not to alter
> system/user configs to do so.

Yes, as long as sshd doesn't need to do anything requiring root you
can run sshd entirely as a non-privileged user. This is how the
regression tests work when run without SUDO.

Typically you'd need to:
- generate new host keys (preferred) or copy existing ones (less
preferred) such that the unprivileged user can read them
- disable PAM (if sshd is built with it) and set a non-privileged
port in the config.
- ensure that the unprivileged user can read authorized_keys. You
might also want to point AuthorizedKeysFile at a distinct place.
- not attempt to change to a different uid.

Here's the simplest case:
$ ssh-keygen -t rsa -f ssh_host_rsa_key -N '' # generate host key
$ ssh-keygen -t rsa -f id_rsa -N '' # generate user key
$ cp id_rsa.pub authorized_keys
$ /usr/sbin/sshd -f/dev/null -oPort=2222 \
    -ohostkey=`pwd`/ssh_host_rsa_key \
    -o authorizedkeysfile=`pwd`/authorized_keys -o strictmodes=no
$ ssh -i id_rsa -o identitiesonly=yes -p 2222 localhost echo "it works!"
it works!

... although if I was setting this up for real I'd make the directory
owned by root mode 755 and get it working with strictmodes=yes.

--
Darren Tucker (dtucker at dtucker.net)
GPG key 11EAA6FA / A86E 3E07 5B19 5880 E860 37F4 9357 ECEF 11EA A6FA (new)
Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.
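The recipe above, carried through as a self-contained fixture script. This is an added example, not code from the thread or from OpenSSH: it generates fresh host and user keys, writes a proper sshd_config rather than passing -o flags, keeps StrictModes on, pins the fixture's host key in its own known_hosts, runs one command and tears everything down. It assumes OpenSSH's ssh-keygen and ssh are on PATH and sshd at $SSHD (the /usr/sbin path is a guess; override it), and the port and fixture layout are constructed for the example. The one detail the thread's strictmodes=no hides is why it was needed: sshd's StrictModes walk checks every directory from authorized_keys up to the user's home directory, so a fixture under /tmp (mode 1777) fails it. The script keeps the fixture under $HOME and checks the same walk itself before starting sshd.

```shell
#!/bin/sh
# Added example (not from the thread or OpenSSH): a throwaway sshd run as the
# current unprivileged user, with StrictModes left on. Assumed: ssh-keygen and
# ssh on PATH, sshd at $SSHD (guessed path); $PORT and layout are constructed.
SSHD=${SSHD:-/usr/sbin/sshd}
PORT=${PORT:-2222}

# Print "<octal mode> <owner uid>" for a path (GNU stat first, then BSD stat).
mode_owner() {
    stat -c '%a %u' "$1" 2>/dev/null || stat -f '%Lp %u' "$1"
}

# Mirror sshd's StrictModes walk: the file in $1 and every directory above
# it, up to and including the home directory $2, must be owned by us or by
# root and must not be group- or world-writable. Returns 0 if sshd would
# accept the file, 1 otherwise (with the offending path on stderr).
strict_modes_ok() {
    p=$1; home=${2%/}; me=$(id -u)
    while :; do
        mo=$(mode_owner "$p") || return 1
        set -- $mo                      # $1 = octal mode, $2 = owner uid
        [ "$2" = "$me" ] || [ "$2" = 0 ] || { echo "bad owner: $p" >&2; return 1; }
        [ $(( 0$1 & 022 )) -eq 0 ] || { echo "group/world writable: $p" >&2; return 1; }
        [ "$p" = "$home" ] && return 0  # sshd stops once it reaches $HOME
        [ "$p" = / ] && return 0
        p=$(dirname "$p")
    done
}

# Write a key-only, PAM-free listener config into $1 and print its path.
write_sshd_config() {
    dir=$1
    cat > "$dir/sshd_config" <<EOF
Port $PORT
ListenAddress 127.0.0.1
HostKey $dir/ssh_host_ed25519_key
AuthorizedKeysFile $dir/authorized_keys
PidFile $dir/sshd.pid
UsePAM no
PasswordAuthentication no
KbdInteractiveAuthentication no
PubkeyAuthentication yes
StrictModes yes
LogLevel VERBOSE
EOF
    printf '%s\n' "$dir/sshd_config"
}

# Generate keys, start sshd on 127.0.0.1:$PORT, run one command over ssh with
# the fixture's host key pinned, then stop sshd and remove the fixture.
run_ssh_fixture() {
    dir=$(mktemp -d "$HOME/sshd-fixture.XXXXXX") || return 1
    chmod 700 "$dir"
    ssh-keygen -q -t ed25519 -N '' -f "$dir/ssh_host_ed25519_key" || return 1
    ssh-keygen -q -t ed25519 -N '' -f "$dir/id_ed25519" || return 1
    cp "$dir/id_ed25519.pub" "$dir/authorized_keys" && chmod 600 "$dir/authorized_keys"
    # known_hosts entry for a non-default port: [host]:port keytype key
    printf '[127.0.0.1]:%s %s\n' "$PORT" \
        "$(cut -d' ' -f1,2 "$dir/ssh_host_ed25519_key.pub")" > "$dir/known_hosts"
    cfg=$(write_sshd_config "$dir")
    strict_modes_ok "$dir/authorized_keys" "$HOME" || return 1
    "$SSHD" -t -f "$cfg" || return 1        # syntax-check the config first
    "$SSHD" -D -e -f "$cfg" 2>"$dir/sshd.log" &
    pid=$!
    n=0
    until [ -s "$dir/sshd.pid" ] || [ "$n" -ge 10 ]; do sleep 1; n=$((n + 1)); done
    ssh -i "$dir/id_ed25519" -o IdentitiesOnly=yes \
        -o UserKnownHostsFile="$dir/known_hosts" -o StrictHostKeyChecking=yes \
        -p "$PORT" 127.0.0.1 echo "it works!"
    rc=$?
    kill "$pid" 2>/dev/null
    [ "$rc" -eq 0 ] || cat "$dir/sshd.log" >&2
    rm -rf "$dir"
    return "$rc"
}

# Usage: sh fixture.sh run   (the functions above can also be sourced from bats)
if [ "${1:-}" = run ]; then run_ssh_fixture; fi
```

Sourcing the file from a bats setup() and calling run_ssh_fixture (or splitting its start and stop halves into setup/teardown) gives the per-test sshd the original question asked for, and strict_modes_ok fails early with the exact path sshd would have refused, which otherwise only shows up as "Authentication refused: bad ownership or modes" in the server log.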