How can I run a non-root remote server with X11 forwarding, post OpenSSH 7.5?

The name of the pictureThe name of the pictureThe name of the pictureClash Royale CLAN TAG#URR8PPP











up vote
1
down vote

favorite
2












I have non-root access to a remote terminal which is provided by the terminal owner via various non-SSH means, such as AnyTerm and OCRSH. Nevertheless I like to run sshd on that box because I want to run X-based applications using X11 forwarding, and AnyTerm/OCRSH don't support X11 forwarding.



This was all fine in OpenSSH <7.5, and I could run sshd as non-root with UsePrivilegeSeparation turned off - see this answer. However, as of OpenSSH 7.5, it seems UsePrivilegeSeparation is no longer available as an option - as someone noted in another answer to the same question.



This means I am essentially stuck without being able to run sshd if I use a version higher than OpenSSH 7.4 (December 2016). The reason of course is that privilege separation requires switching users at the time of login, and sshd won't be able to switch to another user as it's not running as root.



Now I am stuck with a few options and some confusion:



  • I could just continue to use OpenSSH 7.4 - seems the security issues fixed in 7.5 and 7.6 are for specific use cases which I don't fall into. But eventually I think it will become necessary to upgrade for one reason or another.


  • OpenSSH 7.5 release notes say that UsePrivilegeSeparation is "deprecated". What does that actually mean? Usually, "deprecated" means that it is an option still available, but you will get a deprecation warning if you use it. But the way the docs are worded it makes it seem like the option was removed completely, and all mention of it has also been removed from the sshd_config manpage. Or does this "deprecation" mean you can still enable it via some compile-time option when building OpenSSH from source?

  • Is there a way to run sshd in some kind of fakeroot environment where it thinks that it is root, but any attempt to setuid will just silently fail and will stay as the same user?

  • Is there some other alternative to SSH I could use here, which would still support X11 forwarding, and is still security-patched past December 2016?






share|improve this question




















  • You can do X11 forwarding directly over tcp without any ssh connection. Just export DISPLAY=<yourip>:0 (you can use stunnel to encrypt the connection)
    – Ipor Sircer
    Jan 23 at 18:47















up vote
1
down vote

favorite
2












I have non-root access to a remote terminal which is provided by the terminal owner via various non-SSH means, such as AnyTerm and OCRSH. Nevertheless I like to run sshd on that box because I want to run X-based applications using X11 forwarding, and AnyTerm/OCRSH don't support X11 forwarding.



This was all fine in OpenSSH <7.5, and I could run sshd as non-root with UsePrivilegeSeparation turned off - see this answer. However, as of OpenSSH 7.5, it seems UsePrivilegeSeparation is no longer available as an option - as someone noted in another answer to the same question.



This means I am essentially stuck without being able to run sshd if I use a version higher than OpenSSH 7.4 (December 2016). The reason of course is that privilege separation requires switching users at the time of login, and sshd won't be able to switch to another user as it's not running as root.



Now I am stuck with a few options and some confusion:



  • I could just continue to use OpenSSH 7.4 - seems the security issues fixed in 7.5 and 7.6 are for specific use cases which I don't fall into. But eventually I think it will become necessary to upgrade for one reason or another.


  • OpenSSH 7.5 release notes say that UsePrivilegeSeparation is "deprecated". What does that actually mean? Usually, "deprecated" means that it is an option still available, but you will get a deprecation warning if you use it. But the way the docs are worded it makes it seem like the option was removed completely, and all mention of it has also been removed from the sshd_config manpage. Or does this "deprecation" mean you can still enable it via some compile-time option when building OpenSSH from source?

  • Is there a way to run sshd in some kind of fakeroot environment where it thinks that it is root, but any attempt to setuid will just silently fail and will stay as the same user?

  • Is there some other alternative to SSH I could use here, which would still support X11 forwarding, and is still security-patched past December 2016?






share|improve this question




















  • You can do X11 forwarding directly over tcp without any ssh connection. Just export DISPLAY=<yourip>:0 (you can use stunnel to encrypt the connection)
    – Ipor Sircer
    Jan 23 at 18:47













up vote
1
down vote

favorite
2









up vote
1
down vote

favorite
2






2





I have non-root access to a remote terminal which is provided by the terminal owner via various non-SSH means, such as AnyTerm and OCRSH. Nevertheless I like to run sshd on that box because I want to run X-based applications using X11 forwarding, and AnyTerm/OCRSH don't support X11 forwarding.



This was all fine in OpenSSH <7.5, and I could run sshd as non-root with UsePrivilegeSeparation turned off - see this answer. However, as of OpenSSH 7.5, it seems UsePrivilegeSeparation is no longer available as an option - as someone noted in another answer to the same question.



This means I am essentially stuck without being able to run sshd if I use a version higher than OpenSSH 7.4 (December 2016). The reason of course is that privilege separation requires switching users at the time of login, and sshd won't be able to switch to another user as it's not running as root.



Now I am stuck with a few options and some confusion:



  • I could just continue to use OpenSSH 7.4 - seems the security issues fixed in 7.5 and 7.6 are for specific use cases which I don't fall into. But eventually I think it will become necessary to upgrade for one reason or another.


  • OpenSSH 7.5 release notes say that UsePrivilegeSeparation is "deprecated". What does that actually mean? Usually, "deprecated" means that it is an option still available, but you will get a deprecation warning if you use it. But the way the docs are worded it makes it seem like the option was removed completely, and all mention of it has also been removed from the sshd_config manpage. Or does this "deprecation" mean you can still enable it via some compile-time option when building OpenSSH from source?

  • Is there a way to run sshd in some kind of fakeroot environment where it thinks that it is root, but any attempt to setuid will just silently fail and will stay as the same user?

  • Is there some other alternative to SSH I could use here, which would still support X11 forwarding, and is still security-patched past December 2016?






share|improve this question












I have non-root access to a remote terminal which is provided by the terminal owner via various non-SSH means, such as AnyTerm and OCRSH. Nevertheless I like to run sshd on that box because I want to run X-based applications using X11 forwarding, and AnyTerm/OCRSH don't support X11 forwarding.



This was all fine in OpenSSH <7.5, and I could run sshd as non-root with UsePrivilegeSeparation turned off - see this answer. However, as of OpenSSH 7.5, it seems UsePrivilegeSeparation is no longer available as an option - as someone noted in another answer to the same question.



This means I am essentially stuck without being able to run sshd if I use a version higher than OpenSSH 7.4 (December 2016). The reason of course is that privilege separation requires switching users at the time of login, and sshd won't be able to switch to another user as it's not running as root.



Now I am stuck with a few options and some confusion:



  • I could just continue to use OpenSSH 7.4 - seems the security issues fixed in 7.5 and 7.6 are for specific use cases which I don't fall into. But eventually I think it will become necessary to upgrade for one reason or another.


  • OpenSSH 7.5 release notes say that UsePrivilegeSeparation is "deprecated". What does that actually mean? Usually, "deprecated" means that it is an option still available, but you will get a deprecation warning if you use it. But the way the docs are worded it makes it seem like the option was removed completely, and all mention of it has also been removed from the sshd_config manpage. Or does this "deprecation" mean you can still enable it via some compile-time option when building OpenSSH from source?

  • Is there a way to run sshd in some kind of fakeroot environment where it thinks that it is root, but any attempt to setuid will just silently fail and will stay as the same user?

  • Is there some other alternative to SSH I could use here, which would still support X11 forwarding, and is still security-patched past December 2016?








share|improve this question











share|improve this question




share|improve this question










asked Jan 23 at 18:19









Kidburla

5551212




5551212











  • You can do X11 forwarding directly over tcp without any ssh connection. Just export DISPLAY=<yourip>:0 (you can use stunnel to encrypt the connection)
    – Ipor Sircer
    Jan 23 at 18:47

















  • You can do X11 forwarding directly over tcp without any ssh connection. Just export DISPLAY=<yourip>:0 (you can use stunnel to encrypt the connection)
    – Ipor Sircer
    Jan 23 at 18:47
















You can do X11 forwarding directly over tcp without any ssh connection. Just export DISPLAY=<yourip>:0 (you can use stunnel to encrypt the connection)
– Ipor Sircer
Jan 23 at 18:47





You can do X11 forwarding directly over tcp without any ssh connection. Just export DISPLAY=<yourip>:0 (you can use stunnel to encrypt the connection)
– Ipor Sircer
Jan 23 at 18:47
















active

oldest

votes











Your Answer







StackExchange.ready(function()
var channelOptions =
tags: "".split(" "),
id: "106"
;
initTagRenderer("".split(" "), "".split(" "), channelOptions);

StackExchange.using("externalEditor", function()
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled)
StackExchange.using("snippets", function()
createEditor();
);

else
createEditor();

);

function createEditor()
StackExchange.prepareEditor(
heartbeatType: 'answer',
convertImagesToLinks: false,
noModals: false,
showLowRepImageUploadWarning: true,
reputationToPostImages: null,
bindNavPrevention: true,
postfix: "",
onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
);



);








 

draft saved


draft discarded


















StackExchange.ready(
function ()
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2funix.stackexchange.com%2fquestions%2f419154%2fhow-can-i-run-a-non-root-remote-server-with-x11-forwarding-post-openssh-7-5%23new-answer', 'question_page');

);

Post as a guest



































active

oldest

votes













active

oldest

votes









active

oldest

votes






active

oldest

votes










 

draft saved


draft discarded


























 


draft saved


draft discarded














StackExchange.ready(
function ()
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2funix.stackexchange.com%2fquestions%2f419154%2fhow-can-i-run-a-non-root-remote-server-with-x11-forwarding-post-openssh-7-5%23new-answer', 'question_page');

);

Post as a guest













































































Popular posts from this blog

How to check contact read email or not when send email to Individual?

Displaying single band from multi-band raster using QGIS

How many registers does an x86_64 CPU actually have?