Mailing List Archive

"UsePrivilegeSeparation no" is useful for running sshd without privileges
Hi OpenSSH developers,

"UsePrivilegeSeparation no" causes sshd to not use setuid when starting
up. This is useful for running sshd without any privileges in the first
place. That is, running sshd as an unprivileged user, rather than as
root.

There are a number of uses for this. In particular, I do this as part
of a test suite, where I run sshd to test some code which uses the SSH
protocol. Requiring root to run my test suite is quite undesirable.

UsePrivilegeSeparation is currently deprecated, and prints a warning
message when used.

I suggest that UsePrivilegeSeparation should be explicitly supported for
running sshd as non-root. Perhaps "UsePrivilegeSeparation no" should
not print a warning message when sshd is running as non-root; or perhaps
there should be a "UsePrivilegeSeparation unprivileged" which causes
sshd to abort if it's running as root. Or perhaps something else
entirely; in any case, I hope UsePrivilegeSeparation is not removed,
since it is useful for this purpose.

Thanks!
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@mindrot.org
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
Re: "UsePrivilegeSeparation no" is useful for running sshd without privileges
On Tue, 8 Feb 2022 at 06:16, Spencer Baugh <sbaugh@catern.com> wrote:
> "UsePrivilegeSeparation no" causes sshd to not use setuid when starting
> up. This is useful for running sshd without any privileges in the first
> place. That is, running sshd as an unprivileged user, rather than as
> root.

"UsePrivilegeSeparation yes" (or just omitting it) works as an
unprivileged user. All of our regression tests can (and do) run that
way. At one point it required that the privsep user and directory
exist, although it didn't use them, but that was fixed nearly five
years ago[0].

> I suggest that UsePrivilegeSeparation should be explicitly supported for
> running sshd as non-root.

No, supporting UsePrivilegeSeparation=no means there will still
be two different code paths. Running sshd as non-root is supported
with UsePrivilegeSeparation=yes.

[0] https://marc.info/?l=openssh-unix-dev&m=150206569108938&w=2

--
Darren Tucker (dtucker at dtucker.net)
GPG key 11EAA6FA / A86E 3E07 5B19 5880 E860 37F4 9357 ECEF 11EA A6FA (new)
Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.
Re: "UsePrivilegeSeparation no" is useful for running sshd without privileges
Darren Tucker <dtucker@dtucker.net> writes:
> On Tue, 8 Feb 2022 at 06:16, Spencer Baugh <sbaugh@catern.com> wrote:
>> "UsePrivilegeSeparation no" causes sshd to not use setuid when starting
>> up. This is useful for running sshd without any privileges in the first
>> place. That is, running sshd as an unprivileged user, rather than as
>> root.
>
> "UsePrivilegeSeparation yes" (or just omitting it) works as an
> unprivileged user. All of our regression tests can (and do) run that
> way. At one point it required that the privsep user and directory
> exist, although it didn't use them, but that was fixed nearly five
> years ago[0].

Oh, great! Indeed, I just tested it myself, and it works just fine now!
My apologies for the noise, I indeed only tested this before on an old
OpenSSH version.

Never mind then!
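A test-suite harness for the setup this thread settles on, sshd started by an unprivileged user with UsePrivilegeSeparation left unset. This is an added example, not part of any message above and not OpenSSH's own regression code. The function names, directory layout and port are assumptions, and it expects OpenSSH's sshd and ssh-keygen to be installed.

```shell
#!/bin/sh
# Added example: throwaway sshd for a test suite, run as the invoking
# non-root user. Function names, file names and the port are assumptions.

# Write an sshd_config under absolute directory $1, listening on 127.0.0.1:$2.
# UsePrivilegeSeparation is deliberately absent, as the reply recommends.
write_test_sshd_config() {
    dir=$1 port=$2
    mkdir -p "$dir" && chmod 700 "$dir" || return 1
    cat > "$dir/sshd_config" <<EOF
Port $port
ListenAddress 127.0.0.1
HostKey $dir/host_ed25519
PidFile $dir/sshd.pid
AuthorizedKeysFile $dir/authorized_keys
PasswordAuthentication no
StrictModes no
EOF
}

# Generate host and client keys, validate the config, start sshd.
# StrictModes is off above because test directories often sit under /tmp.
start_test_sshd() {
    dir=$1
    # sshd must be invoked by absolute path; it often lives outside a user PATH.
    sshd_bin=$(PATH="$PATH:/usr/sbin:/usr/local/sbin" command -v sshd) ||
        { echo "sshd not found" >&2; return 1; }
    [ "$(id -u)" -ne 0 ] || { echo "refusing to run as root" >&2; return 1; }
    ssh-keygen -q -t ed25519 -N '' -f "$dir/host_ed25519" || return 1
    ssh-keygen -q -t ed25519 -N '' -f "$dir/client_ed25519" || return 1
    cp "$dir/client_ed25519.pub" "$dir/authorized_keys" || return 1
    "$sshd_bin" -t -f "$dir/sshd_config" || return 1   # syntax and key check
    "$sshd_bin" -f "$dir/sshd_config" -E "$dir/sshd.log"
}

# Stop the daemon using the PidFile written at startup.
stop_test_sshd() {
    [ -f "$1/sshd.pid" ] && kill "$(cat "$1/sshd.pid")"
}
```

Tests then connect with `ssh -p <port> -i <dir>/client_ed25519 127.0.0.1`; an sshd started this way can only log in the user it runs as.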