Subject: sshd and read-only filesystem
To: None <tech-security@netbsd.org>
From: Emmanuel Dreyfus <manu@netbsd.org>
List: tech-security
Date: 07/09/2001 23:56:13
When /dev is read-only, sshd will refuse to log you in with an
interactive shell (you can still run remote commands "ssh
somewhere.over-the-rainbow.com ls").

The problem is that it cannot chown the pty device to the ssh user, and
this is a fatal error. I patched sshd so that this error is not fatal
anymore, and it works fine.

What are the security implications of running on a pty that is owned by
someone else? Would it be okay to allow using a pty that is not owned by
the ssh user but by root instead? (that way if you want a read-only
/dev, you just chown root tty* before going read-only)

And login is able to log a user on a system with /dev read-only. Why
doesn't it have the same problem as sshd? Did we forget handling this
in login, or do we have too strict checking in sshd?

-- 
Emmanuel Dreyfus.
If the answer is NT, it is probably 
because you did not understand the question.
manu@netbsd.org
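
The relaxation proposed in the message above, written out as an added example (not code from sshd or from the poster's patch): a failed chown stays fatal unless the failure is EROFS and the pty is already owned by root. The function name `pty_check`, the verdict names and the mode rule (reject group-readable or world-accessible devices) are assumptions made for this sketch.

```c
#define _XOPEN_SOURCE 700
#include <errno.h>
#include <stdio.h>
#include <sys/stat.h>
#include <sys/types.h>

enum pty_verdict { PTY_OK, PTY_OK_ROOT_OWNED, PTY_REJECT };

/*
 * Hypothetical helper. st is the stat() result for the pty slave taken
 * after the chown() attempt; chown_errno is 0 if chown() succeeded,
 * otherwise the errno it failed with.
 */
enum pty_verdict
pty_check(const struct stat *st, uid_t user, int chown_errno)
{
    /* Only a character device can be a pty slave. */
    if (!S_ISCHR(st->st_mode))
        return PTY_REJECT;

    /* Assumed mode rule: group read, other read or other write would let
     * other accounts read from or write to the session. Group write
     * (the usual 0620 tty mode) is allowed. */
    if (st->st_mode & (S_IRGRP | S_IROTH | S_IWOTH))
        return PTY_REJECT;

    /* Normal case: the device belongs to the user logging in. */
    if (st->st_uid == user)
        return PTY_OK;

    /* Read-only /dev: tolerate the failed chown only when root owns the
     * device, as pre-arranged with "chown root tty*". */
    if (chown_errno == EROFS && st->st_uid == 0)
        return PTY_OK_ROOT_OWNED;

    /* Owned by some other account, or chown failed for another reason. */
    return PTY_REJECT;
}

int main(void)
{
    /* Constructed sample: root-owned device, mode 0620, chown hit EROFS. */
    struct stat st = {0};
    st.st_mode = S_IFCHR | 0620;
    st.st_uid = 0;
    printf("verdict=%d\n", pty_check(&st, 1000, EROFS));
    return 0;
}
```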