This is the mail archive of the cygwin mailing list for the Cygwin project.



Re: openssh: privilege separation no longer supported on Cygwin? SURPRISE!


On 05/30/2017 09:50 AM, Houder wrote:
On Mon, 29 May 2017 19:14:30, Houder wrote:

[snip]
As if the "sshd" account is NEVER, NEVER used during the _whole_ process
(that is, there is NO privilege separation, as far as I can tell).

.. wanted to share this experience with you.

  - deleted user/account 'sshd' # net user sshd /delete
  - modified the last part (rid?) of the sid belonging to user/account 'sshd'
    in xxxx (in /etc/passwd)
  - rebooted

Before rebooting, I changed 'sshd' into an automatic service (was: manual).

After the system had rebooted:

  - 'cygrunsrv -Q sshd' shows 'sshd' running ...
  - 'tail -f /var/log/sshd.log' shows 'sshd' listening ...
  - 'net user' shows user/account 'sshd' gone ...

I can still use ssh ... (both password authentication and key authentication)

Yes, if I remove user/account 'sshd' completely from /etc/passwd, only
then 'sshd' won't start ...

Cygwin's link to the Windows user ID is through the UID/SID mapping.  In
your case, you're apparently using /etc/passwd and so that's where the
mapping happens.  You can map the UID of a Cygwin user to any valid Windows
SID by editing the SID as you did.  This doesn't change how things look in
the Cygwin environment (i.e. the UID and user name are still the same) but
it does make a difference to Windows.  So the fact that you can change the
SID for the 'sshd' user and still get it to run is not all that surprising,
assuming that the new Windows SID that you're using as 'sshd' now has at
least similar permissions.  Of course, if you remove Cygwin's understanding
of 'sshd' so that it can't do the mapping of UID to SID or even have a
valid UID, then subsequent problems are not unexpected.


--
Larry

_____________________________________________________________________

A: Yes.
> Q: Are you sure?
>> A: Because it reverses the logical flow of conversation.
>>> Q: Why is top posting annoying in email?

--
Problem reports:       http://cygwin.com/problems.html
FAQ:                   http://cygwin.com/faq/
Documentation:         http://cygwin.com/docs.html
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple
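To make Larry's point concrete, here is a small shell example (added here, not part of the original thread or of Cygwin's own tooling) that parses Cygwin-style /etc/passwd entries and separates what Cygwin sees (name, UID) from what Windows sees (the SID carried in the gecos field, whose last component is the RID). The two entries are constructed for the example; the host name, SID and UID values are made up and do not come from Houder's system.

```sh
#!/bin/sh
# Parse a Cygwin-style /etc/passwd entry and pull out the pieces that matter
# for the UID/SID mapping: the Cygwin-side name and UID, and the Windows SID
# stored in the gecos field (field 5).
#
# In Cygwin's /etc/passwd the gecos field has the form
#   <description>,U-<domain>\<user>,<SID>
# which is the layout mkpasswd writes.

# Constructed sample: an 'sshd' entry as mkpasswd -l would have written it
# (host name and SID are made up for this example).
ORIG_ENTRY='sshd:unused:1005:513:sshd privsep,U-MYHOST\sshd,S-1-5-21-1111111111-2222222222-3333333333-1005:/var/empty:/bin/false'
# Constructed sample: the same entry after editing only the RID, the last
# dash-separated part of the SID (what Houder describes doing).
EDITED_ENTRY='sshd:unused:1005:513:sshd privsep,U-MYHOST\sshd,S-1-5-21-1111111111-2222222222-3333333333-1011:/var/empty:/bin/false'

# $1 = passwd entry, $2 = 1-based colon-separated field number
passwd_field() {
  printf '%s\n' "$1" | cut -d: -f"$2"
}
passwd_name() { passwd_field "$1" 1; }
passwd_uid()  { passwd_field "$1" 3; }
# The SID is the last comma-separated element of the gecos field.
passwd_sid()  { passwd_field "$1" 5 | awk -F, '{ print $NF }'; }
# The RID is the last dash-separated component of a SID.
sid_rid()     { printf '%s\n' "$1" | awk -F- '{ print $NF }'; }

# One line per entry: what Cygwin sees versus what Windows sees.
describe_entry() {
  sid=$(passwd_sid "$1")
  printf 'cygwin: name=%s uid=%s | windows: sid=%s rid=%s\n' \
    "$(passwd_name "$1")" "$(passwd_uid "$1")" "$sid" "$(sid_rid "$sid")"
}

# Succeeds (exit 0) when two entries are identical from the Cygwin side
# (same name, same UID) but map to different Windows SIDs. This is exactly
# the situation Larry describes: nothing changes inside Cygwin, but Windows
# now sees a different principal.
cygwin_same_windows_differs() {
  [ "$(passwd_name "$1")" = "$(passwd_name "$2")" ] &&
  [ "$(passwd_uid "$1")"  = "$(passwd_uid "$2")"  ] &&
  [ "$(passwd_sid "$1")"  != "$(passwd_sid "$2")" ]
}

describe_entry "$ORIG_ENTRY"
describe_entry "$EDITED_ENTRY"
if cygwin_same_windows_differs "$ORIG_ENTRY" "$EDITED_ENTRY"; then
  echo "same Cygwin identity, different Windows SID: Windows-side rights now follow the new SID"
fi
```

On a live Cygwin installation you would feed it the real line (for example `grep '^sshd:' /etc/passwd`) and compare the SID it extracts with the one Windows currently holds for that account; if the account was deleted with `net user sshd /delete`, the SID in the file no longer corresponds to any Windows principal at all, which is why Larry stresses that the new SID must carry at least similar permissions for sshd to keep working.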

