On Apr 12, 2017, at 8:57 AM, Paul Heinlein <[email protected]> wrote: > > On Tue, 11 Apr 2017, Cryptomonkeys.org wrote: > >> Any thoughts on the consequences of arbitrary users being able to >> run their own sshd on port numbers >1024? Would that mean that if >> somebody got access to your machine, they could replace the >> listening sshd with their own? > > I've never run sshd without root privileges, so I'm speculating here, > but that sshd would > > * need its own keys; the system keys should be locked down > > * be unable to authenticate user passwords, since PAM requires > root-level privileges > > * would be unable to switch user IDs. > > But it's an interesting idea; I just don't have time to experiment > right now. > I imagine that one could chroot sshd in $HOME or /tmp, create the necessary directory structure and files, and run sshd on any port >1024. I believe this is part of the rationale for running trustworthy services on ports <1024, because the service must be run as root.
Anyway, not telling anybody how to do things, just wondering outloud about how things might work. -- Louis Kowolowski [email protected] Cryptomonkeys: http://www.cryptomonkeys.com/ <http://www.cryptomonkeys.com/> _______________________________________________ PLUG mailing list [email protected] http://lists.pdxlinux.org/mailman/listinfo/plug
