0

Is there a security benefit to running a command remotely via ssh as a local non-root user? In other words, is this actually more dangerous compared to executing the ssh command as non-root:

root@local:~# ssh user@remote "compromised_executable"

I'm assuming the local system isn't compromised and ssh doesn't have any security issues.

morrow

2 Answers

1

No, SSH does not add any benefit. It only ensures that the connection to the remote machine is encrypted, nothing more.

The non-root account should of course not have any sudo permissions; whether it is local or remote doesn't matter.

If you want added security, then execute the binary in a chroot environment or a container, or a VM you can throw away afterwards.

Gerald Schneider
  • Thanks for responding, I guess my question wasn't sufficiently clear: I'm not asking whether SSH adds a benefit but whether there is a security benefit from running SSH as a local non-root user instead of root (e.g. with sudo). – morrow Aug 17 '21 at 18:54
  • 1
    @morrow Nothing beyond the normal well known benefits of running _anything_ as non-root that does not _need_ to be run as root. – Michael Hampton Aug 17 '21 at 23:19
0

SSH is intended to provide confidentiality and integrity of data over an unsecured network.

So if I understand your question correctly, remotely executing ssh commands as a non-root user should be as safe as logging in via ssh and manually executing the command.

Increase security by adding your machine's ssh key to the remote server's authorized_keys file. How to ssh-copy-id

Update

Executing any command that does not need sudo is an unnecessary risk, including ssh.

When and if possible of course, avoid using root to execute programs since it increases the risk of compromising your local system.

  • Thanks for responding. My question is more targeting potential security differences between executing ssh as root compared to non-root. If I understand you correctly, `sudo ssh` would only be problematic if the command itself has security issues? – morrow Aug 17 '21 at 07:56
  • Ah honestly I've never thought about that. There has never been a need to execute ssh with sudo for me. I don't see any reason why you'd execute ssh with sudo privileges anyways. But yes, let's say ssh is compromised and you use sudo to execute it, then whatever has been baked into ssh will have full access to your local machine. Very unnecessary risk to take I suppose. – Andrija Jostergård Aug 18 '21 at 08:17
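
As an added example that is not part of either answer or of the question: a shell wrapper that applies the advice in this thread by starting the local ssh client under an unprivileged account even when it is called from a root shell. The names ssh_unpriv, CALLER_UID and DRY_RUN are hypothetical, and switching off agent, X11 and port forwarding is an assumption that goes beyond what the thread discusses.

```shell
#!/bin/sh
# Added example (not from the thread): never run the local ssh client as root.
# ssh_unpriv, CALLER_UID and DRY_RUN are hypothetical names.

ssh_unpriv() {
    uid=${CALLER_UID:-$(id -u)}   # overridable so the decision can be tested
    target_user=${SUDO_USER:-}    # sudo sets this to the invoking account

    # Assumption beyond the thread: disable agent, X11 and port forwarding so
    # the remote side gets no channel back into the local session.
    set -- ssh -o ForwardAgent=no -o ForwardX11=no \
               -o ClearAllForwardings=yes "$@"

    if [ "$uid" -eq 0 ]; then
        # Root shell: only continue if an unprivileged account is known.
        if [ -z "$target_user" ] || [ "$target_user" = root ]; then
            echo "ssh_unpriv: refusing to run ssh as root" >&2
            return 1
        fi
        # Drop to the invoking user before the ssh client starts.
        set -- sudo -u "$target_user" -- "$@"
    fi

    if [ -n "${DRY_RUN:-}" ]; then
        echo "$*"                 # show the command instead of running it
    else
        "$@"
    fi
}

# Usage (the remote host and command are the placeholders from the question):
#   ssh_unpriv user@remote "compromised_executable"
```

With DRY_RUN=1 set, the function prints the command line it would run, which makes it easy to confirm the privilege drop before using it.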