How to Run SSH Daemon as Non-Root User on Custom Port (2222) with Full Debugging


Running sshd as a non-root user presents unique technical constraints due to OpenSSH's security design. The primary limitations stem from:

  • No ability to change process credentials: setuid(), setgid() and setgroups() are refused for an unprivileged process
  • bind() on ports below 1024, which requires CAP_NET_BIND_SERVICE
  • PAM authentication, which expects to set the session's group membership

Here is a minimal configuration that avoids every operation needing root:

# ~/sshd_config
Port 2222
HostKey /home/user/.ssh/sshd_host_rsa_key
PidFile /tmp/sshd.pid
# Ignored by OpenSSH 7.5 and later, where privilege separation is mandatory
UsePrivilegeSeparation no
# Skips sshd's ownership/mode checks on key files; keep 700/600 modes anyway
StrictModes no
PermitRootLogin no
AuthenticationMethods publickey
PubkeyAuthentication yes
AuthorizedKeysFile .ssh/authorized_keys

First, generate a dedicated host key:

ssh-keygen -t rsa -b 4096 -f ~/.ssh/sshd_host_rsa_key

Then launch in debug mode:

/usr/sbin/sshd -D -f ~/sshd_config -h ~/.ssh/sshd_host_rsa_key \
  -p 2222 \
  -o "PermitUserEnvironment=yes" \
  -o "AllowUsers=$(whoami)" \
  -o "KexAlgorithms=diffie-hellman-group-exchange-sha256"

From another terminal (ssh stops parsing options at the host name, so the -o flags must come before localhost):

ssh -p 2222 -v \
  -o "UserKnownHostsFile=/dev/null" \
  -o "StrictHostKeyChecking=no" \
  localhost

When sshd logs a setgroups() failure, these workarounds apply:

  1. Disable privilege separation with UsePrivilegeSeparation no (only honoured by OpenSSH releases older than 7.5)
  2. Bypass PAM with UsePAM no
  3. Explicitly allow the current user via AllowUsers

For development environments needing SFTP:

Subsystem sftp internal-sftp
ForceCommand internal-sftp
# ChrootDirectory needs root: chroot(2) is privileged and sshd insists the
# directory be root-owned, so under a non-root sshd this line makes every session fail
ChrootDirectory %h
PermitTunnel no
X11Forwarding no

Running sshd as a non-root user is often necessary for development environments, sandboxed testing, or multi-user systems where you need isolated SSH instances. The primary challenge is that OpenSSH's sshd typically requires root privileges for operations like binding to privileged ports (<1024) and user authentication.

When running as a normal user:

  • Port restriction: Must use ports ≥1024 (e.g., 2222)
  • User scope: Can only authenticate the running user (no setuid capability)
  • Permission issues: setgroups() and other system calls may fail

Here's a minimal sshd_config that works for non-root users:

# ~/sshd_config
Port 2222
# 0.0.0.0 listens on every interface; use 127.0.0.1 for local-only testing
ListenAddress 0.0.0.0
# Reusing your client key as the host key works, but a dedicated key is cleaner
HostKey ~/.ssh/id_rsa
AuthorizedKeysFile .ssh/authorized_keys
UsePAM no
PermitRootLogin no
AllowUsers your_username

Use this command to launch your custom instance:

/usr/sbin/sshd -D -f ~/sshd_config -h ~/.ssh/id_rsa

The -D flag keeps it in the foreground, useful for debugging.

1. Key Exchange Failures

Add explicit KEX algorithms to your config:

KexAlgorithms diffie-hellman-group-exchange-sha256
Ciphers aes256-ctr
MACs hmac-sha2-256

2. Permission Problems

Ensure proper permissions:

chmod 600 ~/.ssh/id_rsa
chmod 700 ~/.ssh
chmod 644 ~/.ssh/authorized_keys
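A preflight check for the constraints listed at the top of the page (privileged ports, chroot, PAM) together with the key-file modes from this section, written here as an added example in POSIX shell; it is not OpenSSH code. It reads an sshd_config, rejects directives that cannot work without root, and warns about settings that weaken a test instance. The function name, the "problems" counter and the BSD stat fallback are assumptions of this script, not sshd options.

```shell
#!/bin/sh
# Preflight for an unprivileged sshd_config: flags directives that only work as
# root and host-key modes that StrictModes would reject. Added example; not OpenSSH
# code. Function name and counter are assumptions of this script.

# Returns 0 when the config is usable by a non-root sshd, 1 otherwise.
# Usage: check_unprivileged_sshd_config ~/sshd_config
check_unprivileged_sshd_config() {
    cfg=$1
    problems=0
    if [ ! -r "$cfg" ]; then
        echo "ERROR: cannot read $cfg"
        return 1
    fi
    # Read "Keyword value" lines; sshd matches keywords case-insensitively.
    while read -r key value || [ -n "$key" ]; do
        lkey=$(printf '%s' "$key" | tr 'A-Z' 'a-z')
        lval=$(printf '%s' "$value" | tr 'A-Z' 'a-z')
        case "$lkey" in
            ''|'#'*) ;;
            port)
                # bind() below 1024 needs CAP_NET_BIND_SERVICE
                if [ "$value" -lt 1024 ] 2>/dev/null; then
                    echo "ERROR: Port $value is privileged; use 1024 or higher"
                    problems=$((problems + 1))
                fi ;;
            chrootdirectory)
                # chroot(2) is privileged and sshd requires a root-owned directory
                echo "ERROR: ChrootDirectory cannot work without root; remove it"
                problems=$((problems + 1)) ;;
            usepam)
                if [ "$lval" = "yes" ]; then
                    echo "WARN: UsePAM yes normally fails unprivileged (setgroups)"
                fi ;;
            listenaddress)
                if [ "$value" = "0.0.0.0" ] || [ "$value" = "::" ]; then
                    echo "WARN: ListenAddress $value accepts connections on every interface"
                fi ;;
            strictmodes)
                if [ "$lval" = "no" ]; then
                    echo "WARN: StrictModes no disables sshd's own key-file mode checks"
                fi ;;
            hostkey)
                # sshd expands a leading ~ in HostKey; mirror that here
                path=$value
                case "$path" in '~/'*) path="$HOME/${path#?/}" ;; esac
                if [ ! -f "$path" ]; then
                    echo "ERROR: HostKey $path does not exist"
                    problems=$((problems + 1))
                else
                    # Private key must not be group/world readable (GNU stat, BSD fallback)
                    mode=$(stat -c '%a' "$path" 2>/dev/null || stat -f '%Lp' "$path")
                    case "$mode" in
                        600|400) ;;
                        *) echo "ERROR: HostKey $path has mode $mode; expected 600"
                           problems=$((problems + 1)) ;;
                    esac
                fi ;;
        esac
    done < "$cfg"
    [ "$problems" -eq 0 ]
}

# Run directly: ./preflight.sh ~/sshd_config
if [ "$#" -gt 0 ]; then
    check_unprivileged_sshd_config "$1"
fi
```

Run it against ~/sshd_config before launching sshd; a non-zero exit means at least one directive that an unprivileged sshd cannot satisfy, and WARN lines are settings worth a second look on anything other than a throwaway instance.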

For lightweight cases, consider Dropbear SSH, which handles non-root operation better:

# -F stay in foreground, -E log to stderr, -m no motd, -s no password logins,
# -r host key (in Dropbear's own key format)
dropbear -p 2222 -F -E -m -s -r ~/.ssh/id_dropbear

  • Never expose test instances to the internet
  • Use strong key-based authentication
  • Monitor connection attempts
  • Consider firewall rules to restrict access
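For the "monitor connection attempts" item, an added example (not from the original page) in POSIX shell that tallies Accepted and Failed authentication messages per source address and lists addresses above a failure threshold. The sample lines are constructed to follow the shape sshd writes to the auth log; the helper names and the threshold are assumptions.

```shell
#!/bin/sh
# Summarise sshd authentication outcomes per source address. Added example, not
# from the original page; the log lines below are constructed to match the shape
# of sshd's Accepted/Failed messages (syslog prefix omitted).

# Constructed sample input.
sample_auth_log() {
    cat <<'EOF'
Accepted publickey for alice from 127.0.0.1 port 51234 ssh2: RSA SHA256:constructedfingerprint
Failed publickey for alice from 127.0.0.1 port 51240 ssh2
Failed publickey for invalid user bob from 10.0.0.5 port 4444 ssh2
Failed publickey for invalid user admin from 10.0.0.5 port 4445 ssh2
Failed password for invalid user root from 10.0.0.5 port 4446 ssh2
Failed publickey for invalid user test from 10.0.0.5 port 4447 ssh2
Connection closed by 10.0.0.5 port 4448 [preauth]
EOF
}

# Reads log lines on stdin; prints "<ip> accepted=<n> failed=<n>", most failures first.
summarize_auth_log() {
    awk '
        # The source address is the token after "from"
        function src(line,   n, f, i) {
            n = split(line, f, " ")
            for (i = 1; i < n; i++)
                if (f[i] == "from") return f[i + 1]
            return "unknown"
        }
        /Accepted [a-z-]+ for / { ip = src($0); acc[ip]++;  seen[ip] = 1 }
        /Failed [a-z-]+ for /   { ip = src($0); fail[ip]++; seen[ip] = 1 }
        END {
            for (ip in seen)
                printf "%s accepted=%d failed=%d\n", ip, acc[ip] + 0, fail[ip] + 0
        }
    ' | sort -t= -k3,3nr
}

# Reads log lines on stdin; prints addresses with at least $1 failures, one per line.
failed_sources_over() {
    summarize_auth_log | awk -v limit="$1" '
        { split($3, kv, "="); if (kv[2] + 0 >= limit) print $1 }
    '
}

# Run directly: feed a real log, or the constructed sample when no file is given.
if [ "$#" -gt 0 ]; then
    summarize_auth_log < "$1"
else
    sample_auth_log | summarize_auth_log
fi
```

Feed it the system auth log (/var/log/auth.log or journalctl output, depending on the distribution), or, since sshd started with -D still logs to syslog, add -e to the sshd command line so the messages go to stderr and can be redirected straight into this script.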