Personally I use the privilege separation with SSHD so it can start and bind to port 22, but when ever someone logs in a child process starts with no privileges, it has a home directory of /var/empty and the shell on my Solaris and HPUX boxes is /usr/bin/false and on Linux it's /sbin/nologin. The user gets a child under their name only, so no more privileges than you allow that user. This capability has been part of OpenSSH for quite a while now, I know at least to the early 3.x versions.
Randy > -----Original Message----- > From: [EMAIL PROTECTED] > [mailto:[EMAIL PROTECTED] On Behalf Of James Stickland > Sent: Friday, October 27, 2006 8:44 PM > To: [email protected] > Subject: Who to run sshd as > > Hello, im running openssh 4.4p1 for Linux > > I setuid the sshd binary to execute as a normal user "joe" > but that user does not have permission to bind the socket. > > > > How can i have my sshd run as non-root, yet still bind the socket? > > > > >
