alt Hacker NewsThat still needs a way to change users, and OpenSSH already has privilege separation. That hardens the process somewhat to reduce the amount of code running in the process which can change the uid for a session but fundamentally something needs permission to call setuid() or the equivalent.
Yes, but changing users is a function of the shell (or maybe more specifically /usr/bin/login), not the SSH daemon.