From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: (qmail 50493 invoked by alias); 14 Feb 2016 00:14:12 -0000 Mailing-List: contact cygwin-help@cygwin.com; run by ezmlm Precedence: bulk List-Id: List-Subscribe: List-Archive: List-Post: List-Help: , Sender: cygwin-owner@cygwin.com Mail-Followup-To: cygwin@cygwin.com Received: (qmail 50477 invoked by uid 89); 14 Feb 2016 00:14:11 -0000 Authentication-Results: sourceware.org; auth=none X-Virus-Found: No X-Spam-SWARE-Status: No, score=-0.7 required=5.0 tests=AWL,BAYES_00,FREEMAIL_FROM,RCVD_IN_DNSWL_LOW,SPF_PASS autolearn=ham version=3.3.2 spammy=Admin, unwarranted, occasions, argued X-HELO: mail-lf0-f41.google.com Received: from mail-lf0-f41.google.com (HELO mail-lf0-f41.google.com) (209.85.215.41) by sourceware.org (qpsmtpd/0.93/v0.84-503-g423c35a) with (AES128-GCM-SHA256 encrypted) ESMTPS; Sun, 14 Feb 2016 00:14:09 +0000 Received: by mail-lf0-f41.google.com with SMTP id l143so70961224lfe.2 for ; Sat, 13 Feb 2016 16:14:09 -0800 (PST) X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:sender:in-reply-to:references:date :message-id:subject:from:to:content-type; bh=m4wkA+yxtzRC6fskm/O8vFu4mIWq05Re+p1BTU1uO+Y=; b=h3nGAF4jwrfX+7odjrJGPTpkg7rPbQjkVSI+0+FcbNK7KMtdKyfGOaRXvTzqXrMmIo p6500leB6uTjJfoCguWEeuZk5q6tTsbEcHb+kV1ESmUCY0dfoFbY1sgiM6sVsGbH7GpT sU7woZiK6XSbJyPNKREju0KMFPchLbuxNhlvYU9q0ajlYNMDCr74phNGV2jIjPnM1KPq 8QWUQCGEkB1ObfEaKDc15KkVMZeuVLPAPSSCEglny2y/AyUPkOy4DyfTJXr/i0rxFSFc N1QuHTAgn886cB9t4Mgp5FIw8x7L45Qax+yaCCJDle3JPxvPOBvtzlsH0El+/84oCVlE k+uA== X-Gm-Message-State: AG10YOTwg0vB60YWjlkt+KcRKHRaMJ8lmVtlf/PTvGHpLbrjphKzt0GWYe73p4msiNrIv1gq38h90E+D7zJ6zw== MIME-Version: 1.0 X-Received: by 10.25.32.16 with SMTP id g16mr3119044lfg.82.1455408846394; Sat, 13 Feb 2016 16:14:06 -0800 (PST) Received: by 10.25.86.196 with HTTP; Sat, 13 Feb 2016 16:14:06 -0800 (PST) In-Reply-To: <87d1s1c8ld.fsf@Rainer.invalid> References: <019c01d163bc$fe2fc500$fa8f4f00$@comcast.net> <019e01d163c2$d678c7e0$836a57a0$@comcast.net> <023901d165e4$925507d0$b6ff1770$@comcast.net> <87d1s1c8ld.fsf@Rainer.invalid> Date: Sun, 14 Feb 2016 00:14:00 -0000 Message-ID: Subject: Re: Possible Security Hole in SSHD w/ CYGWIN? From: Erik Soderquist To: cygwin@cygwin.com Content-Type: text/plain; charset=UTF-8 X-IsSubscribed: yes X-SW-Source: 2016-02/txt/msg00203.txt.bz2 On Sat, Feb 13, 2016 at 3:34 AM, Achim Gratz wrote: > David Willis writes: >> I know this is a somewhat unique and I guess obscure issue, but if someone >> could please look into this - I would be very surprised if it was NOT >> reproducible following the steps below. Because if this is actually the case >> it is in fact granting permissions that it should not be granting to SSH >> users that log in using public keys. > > You still do not seem to have understood what > > https://cygwin.com/cygwin-ug-net/ntsec.html#ntsec-setuid-overview > > is trying to tell you. The windows box you log into _must_ have a > password for the user that logs into via SSH using one of the methods > listed there in order for the user credentials to become valid on the > network. You are making unwarranted and rather rude assumptions here; that doesn't help anyone. >> Like I said, there is no error message or anything (due to the nature of the >> issue) but the steps to reproduce are as follows: >> >> Cyg_server is the privileged account used by CYGWIN for SSH privilege >> separation, and is a DOMAIN account, and a member of DOMAIN ADMINS > > Just why do you think that cyg_server should be a domain admin? It only > needs local admin membership plus some capabilities that allow it to > create a new user token. I would suspect Domain Admin for the Cyg_server account is a requirement of David's environment, which neither of us know anything about at present. I know I've had to do things that were not "best practice" due to corporate policy on more occasions than I care to count. > Does it have those capabilities at all, i.e. what does > > editrights -lu cyg_server > > produce as output? If it doesn't have them, then it can't actually > switch the user, password or not. $ editrights -lu cyg_server SeAssignPrimaryTokenPrivilege SeCreateTokenPrivilege SeTcbPrivilege SeServiceLogonRight SeDenyRemoteInteractiveLogonRight These are the results on my host where I was able to reproduce the issue locally. >> User on the domain (a regular-privileged domain user) logs into another box >> on the domain using public key method (NOT password). He logs in as himself, >> which has regular non-admin privileges on both the client and server >> boxes. > > Unless that account can authenticate fully on that box (i.e. there's a > password), it doesn't have network access. Having a password and using that password for ssh are two very different things. In fact, in an earlier message, he explicitly stated that the user does have a password, and when logging using the password rather than the public key, he receives the expected access denied message since the user account does not have access to the share. It is only when logging into ssh via public key does he experience the issue described. >> The client box is either Linux or Windows w/ CYGWIN, but the SSH server must >> be CYGWIN. >> >> After connecting to the CYGWIN SSH server, the user CD's to a Windows server >> file share's UNC path - i.e. "cd //[SERVER]/[share]" > > This would fail if you've not set up cyg_server as a domain admin, if > you've even got that far. In fact you'd not be able to use any shares > that require authentication. Actually the Cygwin doc does include instructions for accessing network shares when using ssh public key authentication. >> Now you check Computer Management on the file server, check Shared >> Folders->Sessions, and you see that instead of the user having an open >> session, the cyg_server user has an open session (from the machine that you >> SSH'd to). >> >> The user now has access to anything that cyg_server would have access to. >> Since cyg_server is a domain admin, that would be pretty much everything >> aside from shares that are specifically locked down to certain users and not >> allowing admins. > > Don't make cyg_server a domain admin, then. Again you are making assumptions about the environment David is required to use; Domain Admin may not be optional for his environment. Yes, I have had instances where all local accounts were killed off due to corporate policy, so the only way to have local admin at all was via a Domain Admin account. (The person who wrote that policy and I argued very heatedly over it, but ultimately, it was not my decision). >> I don't know if this bug is with SSH or CYGWIN, but it only occurs on CYGWIN >> SSH servers (not Linux SSH servers, although its hard to test because when >> SSH'd into a Linux box I can't CD directly to a UNC path, I have to mount >> the share instead, and specify user credentials to do so). > > I don't know how you've arrived at the setup you just described, but > it's not the one that sshd_host_config produces. Yes, setting up an > SSHD wrongly can open up security holes, no surprise here. Once again, assumptions. While I can't explicitly vouch for David's environment, as I do not have access to check, I can vouch for mine, and mine was configured using sshd_host_config, with the only changes after sshd_host_config being regarding TCP and X tunneling. --- Erik -- Problem reports: http://cygwin.com/problems.html FAQ: http://cygwin.com/faq/ Documentation: http://cygwin.com/docs.html Unsubscribe info: http://cygwin.com/ml/#unsubscribe-simple