How can I run a non-root remote server with X11 forwarding, post OpenSSH 7.5?

I have non-root access to a remote terminal which is provided by the terminal owner via various non-SSH means, such as AnyTerm and OCRSH. Nevertheless I like to run sshd on that box because I want to run X-based applications using X11 forwarding, and AnyTerm/OCRSH don't support X11 forwarding.



This was all fine in OpenSSH <7.5, and I could run sshd as non-root with UsePrivilegeSeparation turned off - see this answer. However, as of OpenSSH 7.5, it seems UsePrivilegeSeparation is no longer available as an option - as someone noted in another answer to the same question.



This means I am essentially stuck without being able to run sshd if I use a version higher than OpenSSH 7.4 (December 2016). The reason of course is that privilege separation requires switching users at the time of login, and sshd won't be able to switch to another user as it's not running as root.



Now I am stuck with a few options and some confusion:



  • I could just continue to use OpenSSH 7.4 - seems the security issues fixed in 7.5 and 7.6 are for specific use cases which I don't fall into. But eventually I think it will become necessary to upgrade for one reason or another.


  • OpenSSH 7.5 release notes say that UsePrivilegeSeparation is "deprecated". What does that actually mean? Usually, "deprecated" means that it is an option still available, but you will get a deprecation warning if you use it. But the way the docs are worded it makes it seem like the option was removed completely, and all mention of it has also been removed from the sshd_config manpage. Or does this "deprecation" mean you can still enable it via some compile-time option when building OpenSSH from source?

  • Is there a way to run sshd in some kind of fakeroot environment where it thinks that it is root, but any attempt to setuid will just silently fail and will stay as the same user?

  • Is there some other alternative to SSH I could use here, which would still support X11 forwarding, and is still security-patched past December 2016?






  • You can do X11 forwarding directly over tcp without any ssh connection. Just export DISPLAY=<yourip>:0 (you can use stunnel to encrypt the connection)
    – Ipor Sircer
    Jan 23 at 18:47















asked Jan 23 at 18:19









Kidburla
