That still needs a way to change users, and OpenSSH already has privilege separation. That hardens the process somewhat to reduce the amount of code running in the process which can change the uid for a session but fundamentally something needs permission to call setuid() or the equivalent.

▲

accrual 19 hours ago | parent [-]

Yes, but changing users is a function of the shell (or maybe more specifically /usr/bin/login), not the SSH daemon.

	▲	acdha 8 hours ago \| parent [-]
		Yea, but then we’ve recreated this CVE which is caused by calling login(1) unsafely. The point was that the person I was replying to misunderstood the problem and largely seemed to be conflating telnetd with OpenSSH.