From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: (qmail 79223 invoked by alias); 14 Feb 2016 01:29:30 -0000 Mailing-List: contact cygwin-help@cygwin.com; run by ezmlm Precedence: bulk List-Id: List-Subscribe: List-Archive: List-Post: List-Help: , Sender: cygwin-owner@cygwin.com Mail-Followup-To: cygwin@cygwin.com Received: (qmail 79208 invoked by uid 89); 14 Feb 2016 01:29:29 -0000 Authentication-Results: sourceware.org; auth=none X-Virus-Found: No X-Spam-SWARE-Status: No, score=4.3 required=5.0 tests=AWL,BAYES_40,CYGWIN_OWNER_BODY,FREEMAIL_FROM,RCVD_IN_DNSWL_NONE,RP_MATCHES_RCVD,SPF_PASS autolearn=no version=3.3.2 spammy=H*i:sk:w@mail., H*i:sk:ko0TZS1, H*f:AWr_1o, H*i:CACoZoo14 X-HELO: resqmta-po-01v.sys.comcast.net Received: from resqmta-po-01v.sys.comcast.net (HELO resqmta-po-01v.sys.comcast.net) (96.114.154.160) by sourceware.org (qpsmtpd/0.93/v0.84-503-g423c35a) with (AES128-SHA encrypted) ESMTPS; Sun, 14 Feb 2016 01:29:27 +0000 Received: from resomta-po-08v.sys.comcast.net ([96.114.154.232]) by resqmta-po-01v.sys.comcast.net with comcast id J1VC1s001516pyw011VR9x; Sun, 14 Feb 2016 01:29:25 +0000 Received: from HOME1 ([24.18.54.164]) by resomta-po-08v.sys.comcast.net with comcast id J1VR1s0073YafjL011VRoE; Sun, 14 Feb 2016 01:29:25 +0000 Reply-To: From: "David Willis" To: References: <019c01d163bc$fe2fc500$fa8f4f00$@comcast.net> <019e01d163c2$d678c7e0$836a57a0$@comcast.net> <023901d165e4$925507d0$b6ff1770$@comcast.net> <87d1s1c8ld.fsf@Rainer.invalid> <024901d166a3$a6930390$f3b90ab0$@comcast.net> In-Reply-To: Subject: RE: Possible Security Hole in SSHD w/ CYGWIN? Date: Sun, 14 Feb 2016 01:29:00 -0000 Message-ID: <025601d166c7$23eaa3c0$6bbfeb40$@comcast.net> MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit X-IsSubscribed: yes X-SW-Source: 2016-02/txt/msg00206.txt.bz2 Hmm, storing the password in the registry would probably not be optimal... I would probably rather deal with lack of network share access from SSH sessions than store a plaintext password (haven't tested it so I can't say for sure, but since I see no mention of encrypting or hashing the password I'm guessing it is stored in plaintext)... For authenticated access within a session, I would think it would be better if the user was prompted to enter their password when attempting to access a share, similar to what happens when attempting to access a share via Windows Explorer (if you don't already have access with your currently logged on credentials). I think based on everything I've found out this would be the best solution to this scenario for SSH users that log in using key authentication. And to your second point, that is also what I would expect, is that if anything there would be NO network access, rather than access based on the account that the sshd process is running as, regardless of its access. However what I gathered from Achim's message is that the access level of cyg_server is precisely the reason the user would have network share access with that account's privileges. Thanks, David -----Original Message----- From: cygwin-owner@cygwin.com [mailto:cygwin-owner@cygwin.com] On Behalf Of Erik Soderquist Sent: Saturday, February 13, 2016 4:34 PM To: cygwin@cygwin.com Subject: Re: Possible Security Hole in SSHD w/ CYGWIN? On Sat, Feb 13, 2016 at 4:15 PM, David Willis wrote: > So you're telling me any user that logs in using key authentication > cannot access the network as the same user (i.e. this is the intended > behavior)? If that's the case wouldn't it be better not to allow > network access at ALL, rather than allowing it as the service account that sshd is running as? Responding to only this one piece at present from https://cygwin.com/cygwin-ug-net/passwd.html {{ -R, --reg-store-pwd enter password to store it in the registry for later usage by services to be able to switch to this user context with network credentials. }} {{ Don't use this feature if you don't need network access within a remote session. You can delete your stored password by using `passwd -R' and specifying an empty password. }} Since there are explicit instructions on how to store your Windows password in a way that Cygwin sshd (and other Cygwin services) can use the password for network authentication and that it says not to store the credentials if you do not need network access when authenticating via public key, I would make the logical assumptions that #1: authenticated network access is supposed to be possible inside a public key authenticated ssh session #2: without storing the password as described, I should have no network access at all, not the cyg_server account's network access (regardless of how much or little access the cyg_server account has). -- Erik -- Problem reports: http://cygwin.com/problems.html FAQ: http://cygwin.com/faq/ Documentation: http://cygwin.com/docs.html Unsubscribe info: http://cygwin.com/ml/#unsubscribe-simple