From: Corinna Vinschen <corinna-cygwin@cygwin.com>
To: cygwin@cygwin.com
Subject: Re: sshd_config AllowStreamLocalForwarding perm off / effectively privsep off
Date: Mon, 7 Aug 2023 19:40:38 +0200 [thread overview]
Message-ID: <ZNEslrRdAQxRtVBD@calimero.vinschen.de> (raw)
In-Reply-To: <883e0ae2-1ac7-1474-ba06-10d9de441390@aussiebb.com.au>
On Aug 7 22:11, Shaddy Baddah via Cygwin wrote:
> Hi,
>
> For the current OpenSSH server (9.3p2), AllowStreamLocalForwarding
> defaults on. That means both local and remote unix socket port
> portforwarding are possible.
>
> For Cygwin, it appears the remote form of this is not possible. The
> following message is seen on the client-side, regardless of whether
> sshd_config explicitly defines AllowStreamLocalForwarding "on", or
> "all":
>
> |Forwarding port.
> |debug1: Remote: Server has disabled streamlocal forwarding.
>
> Finding the code around this, and a three(?) component conditional
> expression that "fails" into that message, I discovered that the
> reason it is not allowed is the following conditional:
>
> | (pw->pw_uid != 0 && !use_privsep)) {
>
> and to my surprise, after compiling a debug version of sshd to discover
> this conditional, it turns out that use_privsep is set to zero (0).
>
> I've been around the Cygwin community for many years, and I remember
> the time when ssh-host-config prompted for priv sep, and the creation
> of the "sshd" local user.
>
> I remember the transition when that prompt was removed, and reading that
> priv sep was now "on permanently".
>
> I think there is a misunderstanding here though, though I'm not 100%
> sure of my reading of the situation. It appears that though priv sep is
> on by default, for Cygwin, it is effectively off, as it cannot be
> implemented???
Privilege separation in OpenSSH consists of two independent parts, both
of which require AF_UNIX sockets.
The first part is transmission of peer credentials per the SO_PEERCRED
socket option. This was relatively easy to implement.
The other part of privilege separation requires AF_UNIX sockets to allow
sending and receiving open file descriptors via the SCM_RIGHTS ancillary
data feature. This does not work in Cygwin.
> DISABLE_FD_PASS is always set by autoconf for Cygwin. And my reading is
> that not having that capability effectively means whatever the other
> criteria, the executing process doesn't have sufficient "separation" of
> privilege to be treated in the same manner.
Yes, the parts of OpenSSH requiring descriptor passing are disabled in
OpenSSH.
> Otherwise, what's the solution?
Solution for what? What is it you want to do?
Corinna
next prev parent reply other threads:[~2023-08-07 17:40 UTC|newest]
Thread overview: 4+ messages / expand[flat|nested] mbox.gz Atom feed top
2023-08-07 12:11 Shaddy Baddah
2023-08-07 17:40 ` Corinna Vinschen [this message]
2023-08-07 21:46 ` Shaddy Baddah
2023-08-08 1:40 ` sshd_config AllowStreamLocalForwarding *remote not possible* " Shaddy Baddah
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=ZNEslrRdAQxRtVBD@calimero.vinschen.de \
--to=corinna-cygwin@cygwin.com \
--cc=cygwin@cygwin.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).