public inbox for cygwin@cygwin.com
* sshd privsep user still required?
@ 2019-01-16 22:31 Bill Stewart
  2019-01-17 14:23 ` Corinna Vinschen
  2019-03-12 22:21 ` Bill Stewart
  0 siblings, 2 replies; 8+ messages in thread
From: Bill Stewart @ 2019-01-16 22:31 UTC (permalink / raw)
  To: cygwin

I installed the OpenSSH server as a service using ssh-host-config, and all
is working.

I'm running Windows 10 (1803).

I renamed the sshd privilege separation (privsep) account to something else
and restarted the sshd service.

Everything still works - no errors.

Is the sshd disabled user account still required?

Thanks,

Bill

--
Problem reports:       http://cygwin.com/problems.html
FAQ:                   http://cygwin.com/faq/
Documentation:         http://cygwin.com/docs.html
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple


* Re: sshd privsep user still required?
  2019-01-16 22:31 sshd privsep user still required? Bill Stewart
@ 2019-01-17 14:23 ` Corinna Vinschen
  2019-01-17 23:04   ` Charles Russell
  2019-03-12 22:21 ` Bill Stewart
  1 sibling, 1 reply; 8+ messages in thread
From: Corinna Vinschen @ 2019-01-17 14:23 UTC (permalink / raw)
  To: cygwin


On Jan 16 15:31, Bill Stewart wrote:
> I installed the OpenSSH server as a service using ssh-host-config, and all
> is working.
> 
> I'm running Windows 10 (1803).
> 
> I renamed the sshd privilege separation (privsep) account to something else
> and restarted the sshd service.
> 
> Everything still works - no errors.
> 
> Is the sshd disabled user account still required?

No, actually it isn't.  These days the sshd server checks if the
privsep chroot environment should be used and that the process
is started under "root:root".  This never matches under Cygwin so
we could drop the sshd user requirement.

Patches to the installer script are very welcome.


Corinna

-- 
Corinna Vinschen
Cygwin Maintainer


* Re: sshd privsep user still required?
  2019-01-17 14:23 ` Corinna Vinschen
@ 2019-01-17 23:04   ` Charles Russell
  0 siblings, 0 replies; 8+ messages in thread
From: Charles Russell @ 2019-01-17 23:04 UTC (permalink / raw)
  To: cygwin

On 1/17/2019 8:23 AM, Corinna Vinschen wrote:
> On Jan 16 15:31, Bill Stewart wrote:
>> I installed the OpenSSH server as a service using ssh-host-config, and all
>> is working.
>>
>> I'm running Windows 10 (1803).
>>
>> I renamed the sshd privilege separation (privsep) account to something else
>> and restarted the sshd service.
>>
>> Everything still works - no errors.
>>
>> Is the sshd disabled user account still required?
> 
> No, actually it isn't.  These days the sshd server checks if the
> privsep chroot environment should be used and that the process
> is started under "root:root".  This never matches under Cygwin so
> we could drop the sshd user requirement.
> 
> Patches to the installer script are very welcome.
> 
> 
> Corinna
> 
Can the superfluous account be deleted without having to reinstall sshd?




* Re: sshd privsep user still required?
  2019-01-16 22:31 sshd privsep user still required? Bill Stewart
  2019-01-17 14:23 ` Corinna Vinschen
@ 2019-03-12 22:21 ` Bill Stewart
  2019-03-13  8:56   ` Corinna Vinschen
  1 sibling, 1 reply; 8+ messages in thread
From: Bill Stewart @ 2019-03-12 22:21 UTC (permalink / raw)
  To: cygwin

On Thu, 17 Jan 2019 Corinna Vinschen wrote:

> > Is the sshd disabled user account still required?
>
> No, actually it isn't.  These days the sshd server checks if the
> privsep chroot environment should be used and that the process
> is started under "root:root".  This never matches under Cygwin so
> we could drop the sshd user requirement.

So I was exploring using the ChrootDirectory setting in sshd_config to
configure a user as sftp only.

The following seems to work:

1) Run sshd service as SYSTEM

2) Specify SYSTEM as user 0 in /etc/passwd file; e.g.:

SYSTEM:*:0:18:U-NT AUTHORITY\SYSTEM,S-1-5-18:/var/empty:/bin/false

3) Create a local sshd user account

4) Update sshd_config settings to use something such as:

Match User sftponly
ChrootDirectory /home/%u
ForceCommand internal-sftp

This works.

If the sshd account is missing or disabled, I can't connect using the
sftponly user, so it would seem that the sshd account really is required.

I have three questions:

a) Why is it necessary to specify SYSTEM as user number 0 in the
/etc/password file?

b) Why is the sshd account required?

c) Why are /cygdrive and /dev directories visible when connecting using a
sftp client?

Thanks!

Bill


* Re: sshd privsep user still required?
  2019-03-12 22:21 ` Bill Stewart
@ 2019-03-13  8:56   ` Corinna Vinschen
  2019-03-13 15:12     ` Bill Stewart
  0 siblings, 1 reply; 8+ messages in thread
From: Corinna Vinschen @ 2019-03-13  8:56 UTC (permalink / raw)
  To: cygwin


On Mar 12 16:21, Bill Stewart wrote:
> On Thu, 17 Jan 2019 Corinna Vinschen wrote:
> 
> > > Is the sshd disabled user account still required?
> >
> > No, actually it isn't.  These days the sshd server checks if the
> > privsep chroot environment should be used and that the process
> > is started under "root:root".  This never matches under Cygwin so
> > we could drop the sshd user requirement.
> 
> So I was exploring using the ChrootDirectory setting in sshd_config to
> configure a user as sftp only.
> 
> The following seems to work:
> 
> 1) Run sshd service as SYSTEM
> 
> 2) Specify SYSTEM as user 0 in /etc/passwd file; e.g.:
> 
> SYSTEM:*:0:18:U-NT AUTHORITY\SYSTEM,S-1-5-18:/var/empty:/bin/false
> 
> 3) Create a local sshd user account
> 
> 4) Update sshd_config settings to use something such as:
> 
> Match User sftponly
> ChrootDirectory /home/%u
> ForceCommand internal-sftp
> 
> This works.
> 
> If the sshd account is missing or disabled, I can't connect using the
> sftponly user, so it would seem that the sshd account really is required.
> 
> I have three questions:
> 
> a) Why is it necessary to specify SYSTEM as user number 0 in the
> /etc/password file?
> 
> b) Why is the sshd account required?

sshd checks for uid 0 and requires the sshd account when chroot is
requested.

> c) Why are /cygdrive and /dev directories visible when connecting using a
> sftp client?

The Cygwin chroot implementation is pure fake.  It's not backed by the
OS and it's fairly easy to break out of the jail.  As such, the chroot
implementation is deprecated and only kept for backward compatibility.
I suggest not to use it.  It gives a wrong sense of security.


Corinna

-- 
Corinna Vinschen
Cygwin Maintainer


* Re: sshd privsep user still required?
  2019-03-13  8:56   ` Corinna Vinschen
@ 2019-03-13 15:12     ` Bill Stewart
  2019-03-13 15:29       ` Corinna Vinschen
  0 siblings, 1 reply; 8+ messages in thread
From: Bill Stewart @ 2019-03-13 15:12 UTC (permalink / raw)
  To: cygwin

On Wed, Mar 13, 2019 at 2:57 AM Corinna Vinschen wrote:

> > a) Why is it necessary to specify SYSTEM as user number 0 in the
> > /etc/password file?
> >
> > b) Why is the sshd account required?
>
> sshd checks for uid 0 and requires the sshd account when chroot is
> requested.
>
> > c) Why are /cygdrive and /dev directories visible when connecting using a
> > sftp client?
>
> The Cygwin chroot implementation is pure fake.  It's not backed by the
> OS and it's fairly easy to break out of the jail.  As such, the chroot
> implementation is deprecated and only kept for backward compatibility.
> I suggest not to use it.  It gives a wrong sense of security.

Right: I totally understand that Cygwin's chroot implementation does not
add any security (because chroot doesn't exist natively on Windows).

However: It's still the case that the user cannot bypass OS security even
if he or she "escapes" from the jail, right?

My goal is to restrict sftp browsing on the client side.

Using ChrootDirectory with "ForceCommand internal-sftp" in sshd_config
seems to accomplish this.

Is this not correct?

Bill


* Re: sshd privsep user still required?
  2019-03-13 15:12     ` Bill Stewart
@ 2019-03-13 15:29       ` Corinna Vinschen
  2019-03-13 15:58         ` Bill Stewart
  0 siblings, 1 reply; 8+ messages in thread
From: Corinna Vinschen @ 2019-03-13 15:29 UTC (permalink / raw)
  To: cygwin


On Mar 13 09:11, Bill Stewart wrote:
> On Wed, Mar 13, 2019 at 2:57 AM Corinna Vinschen wrote:
> 
> > > a) Why is it necessary to specify SYSTEM as user number 0 in the
> > > /etc/password file?
> > >
> > > b) Why is the sshd account required?
> >
> > sshd checks for uid 0 and requires the sshd account when chroot is
> > requested.
> >
> > > c) Why are /cygdrive and /dev directories visible when connecting using a
> > > sftp client?
> >
> > The Cygwin chroot implementation is pure fake.  It's not backed by the
> > OS and it's fairly easy to break out of the jail.  As such, the chroot
> > implementation is deprecated and only kept for backward compatibility.
> > I suggest not to use it.  It gives a wrong sense of security.
> 
> Right: I totally understand that Cygwin's chroot implementation does not
> add any security (because chroot doesn't exist natively on Windows).
> 
> However: It's still the case that the user cannot bypass OS security even
> if he or she "escapes" from the jail, right?
> 
> My goal is to restrict sftp browsing on the client side.
> 
> Using ChrootDirectory with "ForceCommand internal-sftp" in sshd_config
> seems to accomplish this.
> 
> Is this not correct?

It seems like it, but I wouldn't bet on it.  The fact that /cygdrive and
/dev directories are still visible inside the chroot jail speaks against
that.


Corinna

-- 
Corinna Vinschen
Cygwin Maintainer


* Re: sshd privsep user still required?
  2019-03-13 15:29       ` Corinna Vinschen
@ 2019-03-13 15:58         ` Bill Stewart
  0 siblings, 0 replies; 8+ messages in thread
From: Bill Stewart @ 2019-03-13 15:58 UTC (permalink / raw)
  To: cygwin

On Wed, Mar 13, 2019 at 9:29 AM Corinna Vinschen wrote:

> > However: It's still the case that the user cannot bypass OS security even
> > if he or she "escapes" from the jail, right?
> >
> > My goal is to restrict sftp browsing on the client side.
> >
> > Using ChrootDirectory with "ForceCommand internal-sftp" in sshd_config
> > seems to accomplish this.
> >
> > Is this not correct?
>
> It seems like it, but I wouldn't bet on it.  The fact that /cygdrive and
> /dev directories are still visible inside the chroot jail speaks against
> that.

So to summarize: Even though the fake chroot doesn't increase security, it
doesn't reduce it, either.

In other words, even if the user "escapes" the jail, he or she can still
only do what the underlying OS permits.

Bill
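
The sshd_config settings discussed in this thread can be audited with a short script. The following is an added example, not part of any message in the thread and not code from Cygwin or OpenSSH; the function names, the sample config and its "backup" user are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): list every ChrootDirectory in an
# sshd_config together with its Match scope and any ForceCommand.
# Output, one line per directive: <scope>|<chroot path>|<forced command or ->
# Assumes whitespace-separated "Keyword value" lines.
audit_chroot() {
    awk '
        function emit() {
            if (chroot != "") print scope "|" chroot "|" (force != "" ? force : "-")
            chroot = ""; force = ""
        }
        BEGIN { scope = "global" }
        /^[ \t]*#/ || /^[ \t]*$/ { next }      # skip comments and blank lines
        {
            key = tolower($1)                   # sshd_config keywords are case-insensitive
            val = $0
            sub(/^[ \t]*[^ \t]+[ \t]+/, "", val); sub(/[ \t]+$/, "", val)
            if (key == "match") { emit(); scope = "Match " val }
            else if (key == "chrootdirectory" && tolower(val) != "none") chroot = val
            else if (key == "forcecommand") force = val
        }
        END { emit() }
    ' "$1"
}

# True when running under Cygwin, where the thread says chroot is emulated.
is_cygwin() { case "$(uname -s)" in CYGWIN*) return 0 ;; *) return 1 ;; esac; }

report() {
    audit_chroot "$1" | while IFS='|' read -r scope dir cmd; do
        echo "$scope: ChrootDirectory $dir (ForceCommand: $cmd)"
        if is_cygwin; then
            echo "  note: chroot here is not OS-backed; OS permissions are the real boundary"
        fi
    done
}

# Constructed sample config using the directives quoted in the thread.
write_sample() {
    cat > "$1" <<'EOF'
Subsystem sftp internal-sftp
Match User sftponly
    ChrootDirectory /home/%u
    ForceCommand internal-sftp
Match User backup
    chrootdirectory /srv/backup
EOF
}

tmp=$(mktemp); write_sample "$tmp"; report "$tmp"; rm -f "$tmp"
```

A scope reported with "-" as its forced command has a chroot but no ForceCommand, which is worth reviewing first on a host where the jail is only emulated.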
