From: Achim Gratz
To: cygwin@cygwin.com
Subject: Re: Possible Security Hole in SSHD w/ CYGWIN?
Date: Sun, 14 Feb 2016 10:49:00 -0000
In-Reply-To: (Erik Soderquist's message of "Sat, 13 Feb 2016 19:14:06 -0500")

Erik Soderquist writes:
> I would suspect Domain Admin for the Cyg_server account is a
> requirement of David's environment, which neither of us know anything
> about at present. I know I've had to do things that were not "best
> practice" due to corporate policy on more occasions than I care to
> count.

If that's the case, then security of the sshd is the least of your
worries and I wouldn't install sshd at all.

> Actually the Cygwin doc does include instructions for accessing
> network shares when using ssh public key authentication.

…which boil down to the password being stored (obscured) on the machine
running sshd in order for sshd to obtain the necessary authentication
via password-based login.

> Once again, assumptions. While I can't explicitly vouch for David's
> environment, as I do not have access to check, I can vouch for mine,
> and mine was configured using sshd_host_config, with the only changes
> after sshd_host_config being regarding TCP and X tunneling.

I have to again make an assumption, namely that if cyg_server is a local
account you've checked the C$ share of the same server that sshd is
running on. That's bad enough, shouldn't happen and needs fixing, but
at least you wouldn't be able to access any network shares from other
servers that weren't otherwise accessible for everybody.

Regards,
Achim.