Re: openssh: privilege separation no longer supported on Cygwin? SURPRISE!

public inbox for cygwin@cygwin.com
 help / color / mirror / Atom feed

From: "Larry Hall (Cygwin)" <reply-to-list-only-lh@cygwin.com>
To: cygwin@cygwin.com
Subject: Re: openssh: privilege separation no longer supported on Cygwin? SURPRISE!
Date: Wed, 31 May 2017 04:58:00 -0000	[thread overview]
Message-ID: <592E1C49.6020202@cygwin.com> (raw)
In-Reply-To: <262615c8cf6e134cedf97b0280c4a68f@smtp-cloud2.xs4all.net>

On 05/30/2017 09:50 AM, Houder wrote:
> On Mon, 29 May 2017 19:14:30, Houder wrote:
>
> [snip]
>> As if the "sshd" account is NEVER, NEVER used during the _whole_ process
>> (that is, there is NO privilege separation, as far as I can tell).
>
> .. wanted to share this experience with you.
>
>   - deleted user/account 'sshd' # net user sshd /delete
>   - modified the last part (rid?) of the sid belonging to user/account 'sshd'
>     in xxxx (in /etc/passwd)
>   - rebooted
>
> Before reboot, I changed 'sshd' in an automatic service (was: manual)
>
> After the system had rebooted:
>
>   - 'cygrunsrv -Q sshd' shows 'sshd' running ...
>   - 'tail -f /var/log/sshd.log' shows 'sshd' listening ...
>   - 'net user' shows user/account 'sshd' gone ...
>
> I can still use ssh ... (both password authentication and key authentication)
>
> Yes, if I remove user/account 'sshd' completely from /etc/passwd, only
> then 'sshd' won't start ...

Cygwin's link to the Windows user ID is through the UID/SID mapping.  In
your case, you're apparently using /etc/passwd and so that's where the
mapping happens.  You can map the UID of a Cygwin user to any valid Windows
SID by editing the SID as you did.  This doesn't change how things look in
the Cygwin environment (i.e. the UID and user name are still the same) but
it does make a difference to Windows.  So the fact that you can change the
SID for the 'sshd' user and still get it to run is not all that surprising,
assuming that the new Windows SID that you're using as 'sshd' now has at
least similar permissions.  Of course, if you remove Cygwin's understanding
of 'sshd' so that it can't do the mapping of UID to SID or even have a
valid UID, then subsequent problems are not unexpected.

-- 
Larry

_____________________________________________________________________

A: Yes.
 > Q: Are you sure?
 >> A: Because it reverses the logical flow of conversation.
 >>> Q: Why is top posting annoying in email?

--
Problem reports:       http://cygwin.com/problems.html
FAQ:                   http://cygwin.com/faq/
Documentation:         http://cygwin.com/docs.html
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple

next prev parent reply	other threads:[~2017-05-31  1:28 UTC|newest]

Thread overview: 19+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2017-05-29  6:40 openssh: privilege separation no longer supported on Cygwin? Houder
2017-05-29  9:22 ` Marco Atzeri
2017-05-29 11:39   ` Houder
2017-05-29 11:44     ` openssh: privilege separation no longer supported on Cygwin? -- example only Houder
2017-05-29 14:29     ` openssh: privilege separation no longer supported on Cygwin? Houder
2017-05-29 17:45     ` openssh: privilege separation no longer supported on Cygwin? SURPRISE! Houder
2017-05-29 20:30       ` Andrey Repin
2017-05-30  3:49         ` Houder
2017-05-30 16:16       ` Houder
2017-05-31  4:58         ` Larry Hall (Cygwin) [this message]
2017-05-31 10:51           ` Houder
2017-05-31 14:46             ` cyg Simple
2017-05-31 14:57               ` Houder
2017-05-31 14:59                 ` openssh: privilege separation no longer supported on Cygwin? SURPRISE! -- minor correction Houder
2017-05-31 16:34                 ` openssh: privilege separation no longer supported on Cygwin? SURPRISE! cyg Simple
2017-05-31 19:52                   ` Houder
2017-05-31 20:16                     ` cyg Simple
2017-06-01  2:27             ` Larry Hall (Cygwin)
2017-05-31 20:20     ` openssh: privilege separation no longer supported on Cygwin? Marco Atzeri

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=592E1C49.6020202@cygwin.com \
    --to=reply-to-list-only-lh@cygwin.com \
    --cc=cygwin@cygwin.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).