Subject: Re: Possible Security Hole in SSHD w/ CYGWIN?
From: Erik Soderquist
To: cygwin@cygwin.com
Date: Sun, 14 Feb 2016 00:34:00 -0000
In-Reply-To: <024901d166a3$a6930390$f3b90ab0$@comcast.net>
References: <019c01d163bc$fe2fc500$fa8f4f00$@comcast.net> <019e01d163c2$d678c7e0$836a57a0$@comcast.net> <023901d165e4$925507d0$b6ff1770$@comcast.net> <87d1s1c8ld.fsf@Rainer.invalid> <024901d166a3$a6930390$f3b90ab0$@comcast.net>
Mailing-List: contact cygwin-help@cygwin.com; run by ezmlm
X-SW-Source: 2016-02/txt/msg00204.txt.bz2

On Sat, Feb 13, 2016 at 4:15 PM, David Willis wrote:
> So you're telling me any user that logs in using key authentication cannot
> access the network as the same user (i.e. this is the intended behavior)? If
> that's the case wouldn't it be better not to allow network access at ALL,
> rather than allowing it as the service account that sshd is running as?

Responding to only this one piece at present, from
https://cygwin.com/cygwin-ug-net/passwd.html

{{
-R, --reg-store-pwd
    enter password to store it in the registry for later usage by
    services to be able to switch to this user context with network
    credentials.
}}

{{
Don't use this feature if you don't need network access within a remote
session. You can delete your stored password by using `passwd -R' and
specifying an empty password.
}}

Since there are explicit instructions on how to store your Windows
password in a way that Cygwin sshd (and other Cygwin services) can use
the password for network authentication, and since it says not to store
the credentials if you do not need network access when authenticating
via public key, I would make the logical assumptions that:

#1: authenticated network access is supposed to be possible inside a
public key authenticated ssh session

#2: without storing the password as described, I should have no network
access at all, not the cyg_server account's network access (regardless
of how much or little access the cyg_server account has).

-- Erik

--
Problem reports:       http://cygwin.com/problems.html
FAQ:                   http://cygwin.com/faq/
Documentation:         http://cygwin.com/docs.html
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple