From: Bill Stewart
Date: Tue, 12 Mar 2019 22:21:00 -0000
Subject: Re: sshd privsep user still required?
To: cygwin@cygwin.com

On Thu, 17 Jan 2019 Corinna Vinschen wrote:

> > Is the sshd disabled user account still required?
>
> No, actually it isn't. These days the sshd server checks if the
> privsep chroot environment should be used and that the process
> is started under "root:root". This never matches under Cygwin so
> we could drop the sshd user requirement.

So I was exploring using the ChrootDirectory setting in sshd_config to configure a user as sftp only. The following seems to work:

1) Run sshd service as SYSTEM

2) Specify SYSTEM as user 0 in /etc/passwd file; e.g.:

SYSTEM:*:0:18:U-NT AUTHORITY\SYSTEM,S-1-5-18:/var/empty:/bin/false

3) Create a local sshd user account

4) Update sshd_config settings to use something such as:

Match User sftponly
ChrootDirectory /home/%u
ForceCommand internal-sftp

This works. If the sshd account is missing or disabled, I can't connect using the sftponly user, so it would seem that the sshd account really is required.

I have three questions:

a) Why is it necessary to specify SYSTEM as user number 0 in the /etc/passwd file?

b) Why is the sshd account required?

c) Why are /cygdrive and /dev directories visible when connecting using a sftp client?

Thanks!

Bill

--
Problem reports: http://cygwin.com/problems.html
FAQ: http://cygwin.com/faq/
Documentation: http://cygwin.com/docs.html
Unsubscribe info: http://cygwin.com/ml/#unsubscribe-simple
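A small checker for the three pieces of the setup in this post, added here as an example and not code from Cygwin, OpenSSH or the poster: it resolves which keywords apply to a user from a Match User block (expanding %u as sshd does), reports which passwd entry holds uid 0, and applies OpenSSH's ChrootDirectory rule that every path component must be owned by root (uid 0, hence the SYSTEM entry) and not be group- or world-writable. The config and passwd text are constructed to mirror the post, the ownership table stands in for os.stat(), and all function names are assumptions.

```python
# Constructed samples mirroring the post's Match block and passwd line.
SSHD_CONFIG = """\
Subsystem sftp /usr/sbin/sftp-server
Match User sftponly
    ChrootDirectory /home/%u
    ForceCommand internal-sftp
"""
PASSWD = "SYSTEM:*:0:18:U-NT AUTHORITY\\SYSTEM,S-1-5-18:/var/empty:/bin/false\n"

def effective_config(config, user):
    """Keywords in force for `user`: globals, overridden by a matching
    'Match User' block, with %u expanded the way sshd does."""
    settings, in_match, applies = {}, False, True
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition(" ")
        key, value = key.lower(), value.strip()
        if key == "match":
            words = value.split()
            crit = {k.lower(): v for k, v in zip(words[::2], words[1::2])}
            in_match, applies = True, user in crit.get("user", "").split(",")
            continue
        if not in_match:
            settings.setdefault(key, value.replace("%u", user))
        elif applies:
            settings[key] = value.replace("%u", user)
    return settings

def uid0_entry(passwd):
    """Name on the passwd entry with uid 0, the account sshd treats as root."""
    for line in passwd.splitlines():
        fields = line.split(":")
        if len(fields) >= 3 and fields[2] == "0":
            return fields[0]
    return None

def chroot_path_problems(path, owners):
    """OpenSSH's ChrootDirectory rule, per path component: owned by uid 0 and
    not group/world writable. `owners` (constructed) stands in for os.stat()."""
    problems, parts = [], path.rstrip("/").split("/")
    for i in range(1, len(parts) + 1):
        comp = "/".join(parts[:i]) or "/"
        uid, mode = owners[comp]
        if uid != 0:
            problems.append(f"{comp}: owned by uid {uid}, not uid 0")
        if mode & 0o022:  # group or other write bit set
            problems.append(f"{comp}: writable by group or others")
    return problems
```

A chroot component that fails the ownership rule is the usual reason sshd refuses the session and logs "bad ownership or modes for chroot directory component", so the last check is the one to run against the real /home/%u tree.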