Hi,

Right now, the unprivileged account for privilege separation is only configurable at compile time (SSH_PRIVSEP_USER). I'd like to ask if it would be acceptable to have the account runtime configurable by adding something like

  PrivilegeSeparationAccount foo

to sshd_config.

The reason I'm asking is this. I'm working on a long overdue change to Cygwin which is supposed to get rid of the /etc/passwd and /etc/group files. Rather, the Windows account databases (SAM and AD) are asked directly for account information, and UID/GID values as well as usernames are dynamic.

For instance, assuming you have a domain member machine MACH103, which is member of the domain DOM1. Assuming the machine as well as DOM1 and another domain, DOM2, all have a user called "sshd", the automatically generated Cygwin usernames will be

  MACH103+sshd  for the local account
  sshd          for the account in domain DOM1
  DOM2+sshd     for the account in domain DOM2

Additionally, the admin can decide if the domain name gets prepended every time, which results in "DOM1+sshd" as username in DOM1, and the domain separator character can be chosen freely as well, for instance a backslash (MACH103\sshd).

With domain names being part of the username, this allows for so many variations of the actual username that a fixed name "sshd" or just a compile time option will become a problem.

Any chance to get such a sshd_config option?

Thanks,
Corinna

--
Corinna Vinschen
Cygwin Maintainer
Red Hat
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev