From: Erik Soderquist
To: cygwin@cygwin.com
Date: Thu, 18 Feb 2016 17:10:00 -0000
Subject: Re: Possible Security Hole in SSHD w/ CYGWIN?
In-Reply-To: <20160218151257.GA14838@calimero.vinschen.de>
References: <019e01d163c2$d678c7e0$836a57a0$@comcast.net> <023901d165e4$925507d0$b6ff1770$@comcast.net> <87d1s1c8ld.fsf@Rainer.invalid> <87a8n38t3r.fsf@Rainer.invalid> <20160215121101.GC7085@calimero.vinschen.de> <003801d1693f$6a5d71a0$3f1854e0$@comcast.net> <20160217094335.GA5722@calimero.vinschen.de> <20160218151257.GA14838@calimero.vinschen.de>
X-SW-Source: 2016-02/txt/msg00293.txt.bz2

On Thu, Feb 18, 2016 at 10:12 AM, Corinna Vinschen wrote:
>
> I implemented and tested the idea and it seems to work. Note that the
> underlying problem that we can't generate our own login session when using
> method 1 persists. However, the new code should avoid spilling cyg_server
> credentials into the user session.
>
> Please give the new Cygwin test release 2.5.0-0.4
> (https://cygwin.com/ml/cygwin-announce/2016-02/msg00023.html) a try.

I've installed the test release and am no longer able to reproduce the
issue; I get the expected "access denied" on all network shares, as I should
on this test account. (pub key auth, no password stored with "passwd -R")

:)

-- 
Erik

--
Problem reports: http://cygwin.com/problems.html
FAQ: http://cygwin.com/faq/
Documentation: http://cygwin.com/docs.html
Unsubscribe info: http://cygwin.com/ml/#unsubscribe-simple