This is the mail archive of the cygwin@cygwin.com mailing list for the Cygwin project.



Re: [ANNOUNCEMENT] Updated: OpenSSH-3.5p1-1


The behavior I see now is that if I do

chown administrators.none /etc/ssh_host_rsa_key*
chmod 777 /etc/ssh_host_rsa_key*

Then with StrictModes enabled, sshd will start and run just fine (running as system). But if I then do

chown system.none /etc/ssh_host_rsa_key*

Then sshd fails to start. But I (think I) recall that in the past the protection had to be tight and the owner had to be system for sshd to start? Am I remembering correctly?

Thanks,

...Karl



From: Corinna Vinschen <corinna-cygwin@cygwin.com>
Reply-To: cygwin@cygwin.com
To: cygwin@cygwin.com
Subject: Re: [ANNOUNCEMENT] Updated: OpenSSH-3.5p1-1
Date: Thu, 7 Nov 2002 17:11:57 +0100

On Thu, Nov 07, 2002 at 06:59:08AM -0800, Karl M wrote:
> Hi All...
>
> I just updated to 3.5p1-1. I had to set PermitUserEnvironment in my
> sshd_config file. Should this be included by default in the ssh-host-config
> script?

You're right that PermitUserEnvironment should be added to ssh-host-config.
But it's set to no by default, so you have to change it anyway.

> I was a bit puzzled by the file owner and permission checking for the host
> keys now (with StrictModes enabled)...If the owner is wrong, the mode
> checking is ignored. I recall this test being stronger in the past...didn't
> the owner have to be correct (SYSTEM)? If so, why the change to a kinder
> gentler (less effective) safety check?

auth.c, line 378ff:

	if (options.strict_modes &&
	    (stat(user_hostfile, &st) == 0) &&
	    ((st.st_uid != 0 && st.st_uid != pw->pw_uid) ||
	    (st.st_mode & 022) != 0)) {
		log("Authentication refused for %.100s: "
		    "bad owner or modes for %.200s",
		    pw->pw_name, user_hostfile);

The above code checks the mode additionally to the user id so what's
gentler here? Or do you mean another piece of code?

> Given the host local security issues with using Cygwin, is there much
> advantage to priv sep? Could someone please give a brief overview of what it
> is and how and why it helps?

README.privsep?

Corinna

--
Corinna Vinschen Please, send mails regarding Cygwin to
Cygwin Developer mailto:cygwin@cygwin.com
Red Hat, Inc.

--
Unsubscribe info: http://cygwin.com/ml/#unsubscribe-simple
Bug reporting: http://cygwin.com/bugs.html
Documentation: http://cygwin.com/docs.html
FAQ: http://cygwin.com/faq/
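
Added example (not part of the original thread and not OpenSSH code): the condition from the auth.c excerpt quoted above, restated as a standalone C function so the owner and mode combinations can be tried directly, including the case where stat() fails. The function names, the path and the sample uid/mode values are constructed for illustration.

```c
#include <stdio.h>
#include <sys/types.h>
#include <sys/stat.h>

/* Same test as the auth.c excerpt: returns 1 (refuse) when the owner is
 * neither uid 0 nor the authenticating user, OR when any group/other
 * write bit (mask 022) is set. Either failure alone is enough. */
static int strict_modes_refuses(uid_t file_uid, mode_t file_mode, uid_t user_uid)
{
	return (file_uid != 0 && file_uid != user_uid) ||
	    (file_mode & 022) != 0;
}

/* Mirrors the excerpt's stat() guard: when stat() fails (for example the
 * file does not exist) the whole condition is false and nothing is refused. */
static int path_refused(const char *path, uid_t user_uid)
{
	struct stat st;

	if (stat(path, &st) != 0)
		return 0;
	return strict_modes_refuses(st.st_uid, st.st_mode, user_uid);
}

int main(void)
{
	/* Constructed sample cases; uid 1000 is the user, 2000 someone else. */
	static const struct { uid_t fuid; mode_t mode; const char *what; } cases[] = {
		{ 1000, 0600, "user-owned, tight" },
		{    0, 0644, "root-owned, no group/other write" },
		{ 1000, 0777, "user-owned, world-writable" },
		{ 2000, 0600, "other owner, tight" },
		{ 2000, 0777, "other owner, world-writable" },
	};
	size_t i;

	for (i = 0; i < sizeof(cases) / sizeof(cases[0]); i++)
		printf("%-34s uid=%-4lu mode=%04o -> %s\n", cases[i].what,
		    (unsigned long)cases[i].fuid, (unsigned)cases[i].mode,
		    strict_modes_refuses(cases[i].fuid, cases[i].mode, 1000)
		    ? "refused" : "accepted");
	printf("missing file -> %s\n",
	    path_refused("/nonexistent/constructed-path", 1000)
	    ? "refused" : "accepted");
	return 0;
}
```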


