[PLUG] Public SSH server configs
Cryptomonkeys.org
louisk at cryptomonkeys.org
Wed Apr 12 18:11:02 UTC 2017
On Apr 12, 2017, at 8:57 AM, Paul Heinlein <heinlein at madboa.com> wrote:
>
> On Tue, 11 Apr 2017, Cryptomonkeys.org wrote:
>
>> Any thoughts on the consequences of arbitrary users being able to
>> run their own sshd on port numbers >1024? Would that mean that if
>> somebody got access to your machine, they could replace the
>> listening sshd with their own?
>
> I've never run sshd without root privileges, so I'm speculating here,
> but that sshd would
>
> * need its own keys; the system keys should be locked down
>
> * be unable to authenticate user passwords, since PAM requires
> root-level privileges
>
> * would be unable to switch user IDs.
>
> But it's an interesting idea; I just don't have time to experiment
> right now.
>
I imagine that one could chroot sshd in $HOME or /tmp, create the necessary directory structure and files, and run sshd on any port >1024.
I believe this is part of the rationale for running trustworthy services on ports <1024, because the service must be run as root.
Anyway, not telling anybody how to do things, just wondering outloud about how things might work.
--
Louis Kowolowski louisk at cryptomonkeys.com
Cryptomonkeys: http://www.cryptomonkeys.com/ <http://www.cryptomonkeys.com/>
More information about the PLUG
mailing list