SSH_PRIVSEP_USER configurable at runtime?

Hi,


Right now, the unprivileged account for privilege separation is only
configurable at compile time (SSH_PRIVSEP_USER).  I'd like to ask if it
would be acceptable to have the account runtime configurable by adding
something like

  PrivilegeSeparationAccount foo

to sshd_config.

The reason I'm asking is this.  I'm working on a long overdue change to
Cygwin which is supposed to get rid of the /etc/passwd and /etc/group
files.  Rather, the Windows account databases (SAM and AD) are asked
directly for account information, and UID/GID values as well as
usernames are dynamic.

For instance, assuming you have a domain member machine MACH103, which
is member of the domain DOM1.  Assuming the machine as well as DOM1
and another domain, DOM2, all have a user called "sshd", the automatically
generated Cygwin usernames will be

  MACH103+sshd     for the local account
  sshd             for the account in domain DOM1
  DOM2+sshd        for the account in domain DOM2.

Additionally, the admin can decide if the domain name gets prepended
every time, which results in "DOM1+sshd" as username in DOM1, and the
domain separator character can be chosen freely as well, for instance
a backslash (MACH103\sshd).

With domain names being part of the username, this allows for so many
variations of the actual username that a fixed name "sshd" or just
a compile time option will become a problem.

Any chance to get such a sshd_config option?


Thanks,
Corinna

-- 
Corinna Vinschen
Cygwin Maintainer
Red Hat

Attachment: pgpK3gBKLFZ8n.pgp
Description: PGP signature
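As an added illustration that is not part of the post or of Cygwin's own code, the following Python models the username derivation described in the message (machine prefix for local accounts, no prefix for the primary domain unless the admin forces it, domain prefix elsewhere, configurable separator) and shows what a compile-time constant "sshd" would actually resolve to under each setting. The machine and domain names are the post's examples; the policy field names are assumptions of this example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class NamingPolicy:
    """Admin-controlled naming settings (field names are assumptions)."""
    machine: str                  # local machine name, e.g. MACH103
    primary_domain: str           # domain the machine belongs to, e.g. DOM1
    always_prefix: bool = False   # prepend the domain even for the primary domain
    separator: str = "+"          # domain separator chosen by the admin


def cygwin_username(policy: NamingPolicy, account_domain: str, name: str) -> str:
    """Derive the dynamic Cygwin username for a Windows account.

    Local accounts carry the machine name as prefix; accounts in the primary
    domain are unprefixed unless always_prefix is set; accounts in any other
    domain always carry their domain as prefix.
    """
    in_primary = account_domain.upper() == policy.primary_domain.upper()
    if in_primary and not policy.always_prefix:
        return name
    return f"{account_domain}{policy.separator}{name}"


def fixed_name_matches(policy: NamingPolicy, accounts, fixed: str = "sshd"):
    """Return the (domain, name) accounts whose derived username equals a
    compile-time constant such as SSH_PRIVSEP_USER, i.e. what sshd would find
    when it looks the fixed name up.  An empty list means the lookup fails."""
    return [acct for acct in accounts if cygwin_username(policy, *acct) == fixed]


# Constructed sample: an account called "sshd" exists locally and in both domains.
SAMPLE_ACCOUNTS = [("MACH103", "sshd"), ("DOM1", "sshd"), ("DOM2", "sshd")]
DEFAULT_POLICY = NamingPolicy(machine="MACH103", primary_domain="DOM1")
PREFIXED_POLICY = NamingPolicy(machine="MACH103", primary_domain="DOM1",
                               always_prefix=True, separator="\\")

if __name__ == "__main__":
    for policy in (DEFAULT_POLICY, PREFIXED_POLICY):
        print([cygwin_username(policy, d, n) for d, n in SAMPLE_ACCOUNTS],
              "-> fixed 'sshd' resolves to", fixed_name_matches(policy, SAMPLE_ACCOUNTS))
```

With the default policy the constant "sshd" resolves to the DOM1 account only; once the admin forces the domain prefix or changes the separator, no account matches the compiled-in name at all, which is the failure the post describes.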

_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
