How can I run a non-root remote server with X11 forwarding, post OpenSSH 7.5?

I have non-root access to a remote terminal which is provided by the terminal owner via various non-SSH means, such as AnyTerm and OCRSH. Nevertheless I like to run sshd on that box because I want to run X-based applications using X11 forwarding, and AnyTerm/OCRSH don't support X11 forwarding.
This was all fine in OpenSSH <7.5, and I could run sshd as non-root with UsePrivilegeSeparation turned off - see this answer. However, as of OpenSSH 7.5, it seems UsePrivilegeSeparation is no longer available as an option - as someone noted in another answer to the same question.
This means I am essentially stuck without being able to run sshd if I use a version higher than OpenSSH 7.4 (December 2016). The reason of course is that privilege separation requires switching users at the time of login, and sshd won't be able to switch to another user as it's not running as root.
Now I am stuck with a few options and some confusion:
- I could just continue to use OpenSSH 7.4 - seems the security issues fixed in 7.5 and 7.6 are for specific use cases which I don't fall into. But eventually I think it will become necessary to upgrade for one reason or another.
- OpenSSH 7.5 release notes say that UsePrivilegeSeparation is "deprecated". What does that actually mean? Usually, "deprecated" means that it is an option still available, but you will get a deprecation warning if you use it. But the way the docs are worded it makes it seem like the option was removed completely, and all mention of it has also been removed from the sshd_config manpage. Or does this "deprecation" mean you can still enable it via some compile-time option when building OpenSSH from source?
- Is there a way to run sshd in some kind of fakeroot environment where it thinks that it is root, but any attempt to setuid will just silently fail and will stay as the same user?
- Is there some other alternative to SSH I could use here, which would still support X11 forwarding, and is still security-patched past December 2016?
ssh openssh
asked Jan 23 at 18:19
Kidburla
You can do X11 forwarding directly over tcp without any ssh connection. Just export DISPLAY=<yourip>:0 (you can use stunnel to encrypt the connection)
– Ipor Sircer
Jan 23 at 18:47