Re: SSH_PRIVSEP_USER configurable at runtime?

[Date Prev] [Date Next] [Thread Prev] [Thread Next] [Date Index] [Thread Index]

 



On Apr  1 10:55, Corinna Vinschen wrote:
> On Apr  1 14:46, Damien Miller wrote:
> > On Mon, 31 Mar 2014, Corinna Vinschen wrote:
> > 
> > > For instance, assuming you have a domain member machine MACH103, which
> > > is member of the domain DOM1.  Assuming the machine as well as DOM1
> > > and another dmain, DOM2, all have a user called "sshd", the automatically
> > > generated Cygwin usernames will be
> > > 
> > >   MACH103+sshd     for the local account
> > >   sshd             for the account in domain DOM1
> > >   DOM2+sshd        for the account in domain DOM2.
> > > 
> > > Additionally, the admin can decide if the domain name gets prepended
> > > every time, which results in "DOM1+sshd" as username in DOM1, and the
> > > domain separator character can be chosen freely as well, for instance
> > > a backslash (MACH103\sshd).
> > > 
> > > With domainnames being part of the username, this allows for so many
> > > variations of the actual username, that a fixed name "sshd" or just
> > > a compile time option will become a problem.
> > > 
> > > Any chance to get such a sshd_config option?
> > 
> > I'm really loathe to add an option for this. Is there any way that
> > sshd could figure out which account automatically? e.g. by having
> > ssh-host-config ensure that ${machine}/sshd exists and is appropriately
> > configured
> 
> I'm not sure I can follow.  Do you mean we should make sure that a
> machine account sshd always exists and use that?
> 
> The problem is, sshd would still call getpwent("sshd").  This would work

s/getpwent/getpwnam


> for machine accounts on non-domain machines and for primary domain
> accounts on domain member machines, but it would fail for a machine
> account on a domain member machine when using the default account naming
> rules.  And if the admin changed them to "always prepend domain name",
> there would not be a "sshd" account at all.

Corinna

-- 
Corinna Vinschen
Cygwin Maintainer
Red Hat

Attachment: pgpnq0nvx0sUa.pgp
Description: PGP signature

_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev

[Date Prev] [Date Next] [Thread Prev] [Thread Next] [Date Index] [Thread Index]

[Index of Archives]     [Linux ARM Kernel]     [Linux ARM]     [Linux Omap]     [Fedora ARM]     [IETF Annouce]     [Security]     [Bugtraq]     [Linux]     [Linux OMAP]     [Linux MIPS]     [ECOS]     [Asterisk Internet PBX]     [Linux API]

  Powered by Linux