From: Corinna Vinschen
To: cygwin@cygwin.com
Date: Fri, 19 Feb 2016 11:10:00 -0000
Subject: Re: Possible Security Hole in SSHD w/ CYGWIN?
Message-ID: <20160219111006.GB18354@calimero.vinschen.de>

On Feb 18 12:10, Erik Soderquist wrote:
> On Thu, Feb 18, 2016 at 10:12 AM, Corinna Vinschen wrote:
> >
> > I implemented and tested the idea and it seems to work. Note that the
> > underlying problem that we can't generate our own login session when using
> > method 1 persists. However, the new code should avoid spilling cyg_server
> > credentials into the user session.
> >
> > Please give the new Cygwin test release 2.5.0-0.4
> > (https://cygwin.com/ml/cygwin-announce/2016-02/msg00023.html) a try.
>
> I've installed the test release and am no longer able to reproduce the
> issue; I get the expected "access denied" on all network shares as I
> should on this test account. (pub key auth, no password stored with
> "passwd -R")
>
> :)

Thanks for testing, I really appreciate that.

Corinna

--
Corinna Vinschen                  Please, send mails regarding Cygwin to
Cygwin Maintainer                 cygwin AT cygwin DOT com
Red Hat