How can I run a non-root remote server with X11 forwarding, post OpenSSH 7.5?
I have non-root access to a remote terminal which is provided by the terminal owner via various non-SSH means, such as AnyTerm and OCRSH. Nevertheless I like to run sshd on that box because I want to run X-based applications using X11 forwarding, and AnyTerm/OCRSH don't support X11 forwarding.
This was all fine in OpenSSH <7.5, and I could run sshd as non-root with UsePrivilegeSeparation turned off - see this answer. However, as of OpenSSH 7.5, it seems UsePrivilegeSeparation is no longer available as an option - as someone noted in another answer to the same question.
This means I am essentially stuck without being able to run sshd if I use a version higher than OpenSSH 7.4 (December 2016). The reason of course is that privilege separation requires switching users at the time of login, and sshd won't be able to switch to another user as it's not running as root.
Now I am stuck with a few options and some confusion:
- I could just continue to use OpenSSH 7.4 - seems the security issues fixed in 7.5 and 7.6 are for specific use cases which I don't fall into. But eventually I think it will become necessary to upgrade for one reason or another.
- OpenSSH 7.5 release notes say that UsePrivilegeSeparation is "deprecated". What does that actually mean? Usually, "deprecated" means that it is an option still available, but you will get a deprecation warning if you use it. But the way the docs are worded it makes it seem like the option was removed completely, and all mention of it has also been removed from the sshd_config manpage. Or does this "deprecation" mean you can still enable it via some compile-time option when building OpenSSH from source?
- Is there a way to run sshd in some kind of fakeroot environment where it thinks that it is root, but any attempt to setuid will just silently fail and will stay as the same user?
- Is there some other alternative to SSH I could use here, which would still support X11 forwarding, and is still security-patched past December 2016?
ssh openssh
asked Jan 23 at 18:19 by Kidburla
You can do X11 forwarding directly over tcp without any ssh connection. Just export DISPLAY=<yourip>:0 (you can use stunnel to encrypt the connection)
– Ipor Sircer, Jan 23 at 18:47
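The stunnel wrapping mentioned in the comment above, sketched as an added example that is not part of the original thread: a pair of stunnel 5.x configurations that carry the X11 stream over mutually authenticated TLS instead of plain TCP. The port 6443, display number 10, all file paths, and an X server listening on loopback TCP port 6000 are assumptions; `<yourip>` is the placeholder from the comment.

```ini
; ---- remote box (non-root, where the X applications run): x11-client.conf ----
; Run in the foreground and write no pid file, so no privileged paths are needed.
foreground = yes
pid =

[x11-out]
client = yes
; Local end of the tunnel: display :10 is TCP port 6000 + 10, loopback only.
accept = 127.0.0.1:6010
; TLS connection to the machine that owns the display (assumed port).
connect = <yourip>:6443
; Hypothetical key material; the client presents its own certificate.
cert = /home/user/x11tls/remote-cert.pem
key = /home/user/x11tls/remote-key.pem
; Refuse the connection unless the peer chains to this private CA.
CAfile = /home/user/x11tls/ca.pem
verifyChain = yes

; ---- machine with the X display: x11-server.conf ----
foreground = yes
pid =

[x11-in]
; TLS listener reachable from the remote box (assumed port).
accept = 6443
; Hand the decrypted stream to the X server on loopback only
; (assumes the X server was started with TCP listening enabled).
connect = 127.0.0.1:6000
cert = /home/user/x11tls/display-cert.pem
key = /home/user/x11tls/display-key.pem
; Only peers holding a certificate issued by the private CA may connect.
CAfile = /home/user/x11tls/ca.pem
verifyChain = yes
```

With both ends running, the remote applications use `export DISPLAY=127.0.0.1:10` rather than pointing at `<yourip>` directly, so nothing X11-related crosses the network unencrypted. The X server's own access control still applies, so the remote side needs the display's xauth cookie.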