starting sshd by normal user

chakka.lokesh · 08-07-2009, 01:00 AM

I want the sshd deamon to run with normal user privliges rather than with root.

can anybody please help me how to do this.

I tried by adding the following line in the /etc/sudoers
username ALL=/etc/service ALL

after that I executed the command "/sbin/service sshd start"

it failed because ssh_conf and key files are readable only by root.

I don't know how to use this sudoers file. I gone through the man page but still, somehow, I was not able to understand it.

chrism01 · 08-07-2009, 01:15 AM

If you want sshd to run without being root at all, you'd have to move it to a port num >= 1024.

In any case, the default is for it to drop privileges for each cxn http://74.125.155.132/search?q=cache...naltosend.netA
/+ssh+drop+privileges&cd=7&hl=en&ct=clnk&gl=au

This is similar to Apache for instance.

If you just want to avoid the script kiddies, disallow root from from using ssh.
Setup another user and 'su -' to root from there.

chakka.lokesh · 08-08-2009, 11:22 PM

Quote:

Originally Posted by chrism01

If you just want to avoid the script kiddies, disallow root from from using ssh.
Setup another user and 'su -' to root from there.

I already setted Permitrootlogin no

I want the process itself to run with unpreviliged user as owner instead of root.

chakka.lokesh · 08-08-2009, 11:25 PM

Quote:

Originally Posted by chrism01

If you want sshd to run without being root at all, you'd have to move it to a port num >= 1024.

I want it to run. It doesn't matter on which port it is running.

lazlow · 08-09-2009, 12:51 AM

I guess I am a little confused about why you would want to do it this way. You do understand that you can setup the sshd to run at boot and that any user can then access the machine this way?

chakka.lokesh · 08-10-2009, 09:15 PM

I want only one user to access it.

Also I want to restrict the access only a particular location.

lazlow · 08-10-2009, 10:09 PM

An you can accomplish both those things without running sshd as a user.

Wim Sturkenboom · 08-10-2009, 11:34 PM

In sshd_config

Code:

PermitRootLogin no
AllowUsers wim brian

The first line is a good habit (most attacks are on the root account).
The second line only allows users wim and brian to login using SSH.

Further I would consider 'passwordless login'.

To limit access to certain locations, read up on 'jail users'.

chrism01 · 08-10-2009, 11:47 PM

If you mean 'from' a particular location, lookup tcp wrappers : http://itso.iu.edu/TCP_Wrappers

chakka.lokesh · 08-12-2009, 12:59 AM

Quote:

Originally Posted by Wim Sturkenboom

In sshd_config

Code:

PermitRootLogin no
AllowUsers wim brian

The second line only allows users wim and brian to login using SSH.

Are you sure of this??

karamarisan · 08-12-2009, 02:00 AM

Yes, that's the correct config. But why would you post back and ask when you could just... try it?

Wim Sturkenboom · 08-12-2009, 02:21 AM

Quote:

Originally Posted by chakka.lokesh

Are you sure of this??

Can you read man pages

From man sshd_config

Code:

     AllowUsers
             This keyword can be followed by a list of user name patterns,
             separated by spaces.  If specified, login is allowed only for
             user names that match one of the patterns.  `*' and `?' can be
             used as wildcards in the patterns.  Only user names are valid; a
             numerical user ID is not recognized.  By default, login is
             allowed for all users.  If the pattern takes the form USER@HOST
             then USER and HOST are separately checked, restricting logins to
             particular users from particular hosts.

chakka.lokesh · 08-13-2009, 01:21 AM

Quote:

Originally Posted by karamarisan

Yes, that's the correct config. But why would you post back and ask when you could just... try it?

oops.... I was a bit confused.

It is working correctly now.

Earlier it happened some thing else.
I think I might have did any mistake.

thanks for the help.
I got what I want.

thanks once again.