On Apr 2 14:44, Corinna Vinschen wrote:
> On Apr 2 13:37, Peter Stuge wrote:
> > Corinna Vinschen wrote:
> > > On non-domain machines the account name will be "sshd", not "${machine}+sshd". Except if the admin specifies that the domain is always prepended, which makes it "${machine}+sshd" again. And if the admin specifies the separator char to be not '+' but, for instance '#', the account name will be "${machine}#sshd".
> > >
> > > All that knowledge would have to go into sshd.c.
> >
> > FWIW I think this is the right solution.
>
> Hmm. Come to think of it, SSH_PRIVSEP_USER could be defined as a macro calling a function which returns the username. And configure.ac could define SSH_PRIVSEP_USER as, say, cygwin_privsep_user() by default, when built for Cygwin so the ugly details could be hidden in bsd-cygwin_util.c.
>
> The Cygwin changes are still in an early stage of testing, but I'll come back to this.

Ok, after some mulling about, I prepared the below patch. What it does is this:

- The default replacement string for SSH_PRIVSEP_USER in configure.ac is now CYGWIN_SSH_PRIVSEP_USER, if the target is Cygwin. This can still be overridden with --with-privsep-user=FOO.
- openbsd-compat/bsd-cygwin_util.h defines CYGWIN_SSH_PRIVSEP_USER as a function call cygwin_ssh_privsep_user().
- openbsd-compat/bsd-cygwin_util.c implements cygwin_ssh_privsep_user(). The function fills a static buffer with a username fetched by calling an internal Cygwin function. The function fills the buffer with the correct username, for instance "DOMAIN+sshd". If the function fails (non-0 return value), the function falls back to the username "sshd".

I just applied the required functionality to Cygwin's repository:

https://cygwin.com/viewvc/src/winsup/cygwin/external.cc?r1=1.137&r2=1.138

It will show up in the next official release 1.7.30.
The below patch makes sure that the code also compiles and falls back to the username "sshd", if it's getting built under an older version of Cygwin. Additionally, even if built for 1.7.30 and later it will still run under an older Cygwin version.

I hope that patch is ok to support the discussed account mapping functionality. I tried to implement it as non-intrusively as possible.

Thanks,
Corinna

Index: configure.ac =================================================================== RCS file: /cvs/openssh/configure.ac,v retrieving revision 1.573 diff -u -p -r1.573 configure.ac --- configure.ac 15 May 2014 04:58:08 -0000 1.573 +++ configure.ac 15 May 2014 11:26:21 -0000 @@ -2872,7 +2872,14 @@ if test "x$PAM_MSG" = "xyes" ; then ]) fi -SSH_PRIVSEP_USER=sshd +case "$host" in +*-*-cygwin*) + SSH_PRIVSEP_USER=CYGWIN_SSH_PRIVSEP_USER + ;; +*) + SSH_PRIVSEP_USER=sshd + ;; +esac AC_ARG_WITH([privsep-user], [ --with-privsep-user=user Specify non-privileged user for privilege separation], [ @@ -2882,8 +2889,13 @@ AC_ARG_WITH([privsep-user], fi ] ) -AC_DEFINE_UNQUOTED([SSH_PRIVSEP_USER], ["$SSH_PRIVSEP_USER"], - [non-privileged user for privilege separation]) +if test "x$SSH_PRIVSEP_USER" = "xCYGWIN_SSH_PRIVSEP_USER" ; then + AC_DEFINE_UNQUOTED([SSH_PRIVSEP_USER], [CYGWIN_SSH_PRIVSEP_USER], + [Cygwin function to fetch non-privileged user for privilege separation]) +else + AC_DEFINE_UNQUOTED([SSH_PRIVSEP_USER], ["$SSH_PRIVSEP_USER"], + [non-privileged user for privilege separation]) +fi AC_SUBST([SSH_PRIVSEP_USER]) if test "x$have_linux_no_new_privs" = "x1" ; then Index: openbsd-compat/bsd-cygwin_util.c =================================================================== RCS file: /cvs/openssh/openbsd-compat/bsd-cygwin_util.c,v retrieving revision 1.26 diff -u -p -r1.26 bsd-cygwin_util.c --- openbsd-compat/bsd-cygwin_util.c 1 Jun 2013 22:07:32 -0000 1.26 +++ openbsd-compat/bsd-cygwin_util.c 15 May 2014 11:26:22 -0000 
@@ -57,6 +57,22 @@ check_ntsec(const char *filename) return (pathconf(filename, _PC_POSIX_PERMISSIONS)); } +const char * +cygwin_ssh_privsep_user() +{ + static char cyg_privsep_user[DNLEN + UNLEN + 2]; + + if (!cyg_privsep_user[0]) + { +#ifdef CW_CYGNAME_FROM_WINNAME + if (cygwin_internal (CW_CYGNAME_FROM_WINNAME, "sshd", cyg_privsep_user, + sizeof cyg_privsep_user) != 0) +#endif + strcpy (cyg_privsep_user, "sshd"); + } + return cyg_privsep_user; +} + #define NL(x) x, (sizeof (x) - 1) #define WENV_SIZ (sizeof (wenv_arr) / sizeof (wenv_arr[0])) Index: openbsd-compat/bsd-cygwin_util.h =================================================================== RCS file: /cvs/openssh/openbsd-compat/bsd-cygwin_util.h,v retrieving revision 1.17 diff -u -p -r1.17 bsd-cygwin_util.h --- openbsd-compat/bsd-cygwin_util.h 18 Jan 2014 10:04:00 -0000 1.17 +++ openbsd-compat/bsd-cygwin_util.h 15 May 2014 11:26:22 -0000 @@ -39,6 +39,8 @@ /* Avoid including windows headers. */ typedef void *HANDLE; #define INVALID_HANDLE_VALUE ((HANDLE) -1) +#define DNLEN 16 +#define UNLEN 256 /* Cygwin functions for which declarations are only available when including windows headers, so we have to define them here explicitely. */ @@ -48,6 +50,8 @@ extern void cygwin_set_impersonation_tok #include <sys/cygwin.h> #include <io.h> +#define CYGWIN_SSH_PRIVSEP_USER (cygwin_ssh_privsep_user()) +const char *cygwin_ssh_privsep_user(); int binary_open(const char *, int , ...); int check_ntsec(const char *); -- Corinna Vinschen Cygwin Maintainer Red Hat
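Review bot: in the first configure.ac hunk (the `case "$host" in` block), using the macro name CYGWIN_SSH_PRIVSEP_USER as a sentinel value in a variable that `--with-privsep-user` later overwrites means the "use the Cygwin function" decision is made by string comparison on user-controllable input: `--with-privsep-user=CYGWIN_SSH_PRIVSEP_USER` on a non-Cygwin host would select the function path and produce an undefined symbol at link time. A separate flag set only in the `*-*-cygwin*)` branch, e.g. `cygwin_privsep_func=yes`, tested in place of the string compare, keeps the two meanings apart.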
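Review bot: in the second configure.ac hunk, `AC_SUBST([SSH_PRIVSEP_USER])` is left unchanged, so on Cygwin the literal string CYGWIN_SSH_PRIVSEP_USER is what gets substituted for @SSH_PRIVSEP_USER@ in any template or configure summary line, which is not a user name anyone can act on. Consider keeping the AC_DEFINE_UNQUOTED of the macro as done here but substituting a descriptive string (for instance "sshd (mapped via Cygwin)") for the AC_SUBST side in the `if` branch.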
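Review bot: in the bsd-cygwin_util.c hunk, the fall-back `strcpy (cyg_privsep_user, "sshd");` after a failed `cygwin_internal (CW_CYGNAME_FROM_WINNAME, ...)` is silent, so on a domain-joined machine where the mapping call fails, sshd goes on to look up an account under the wrong name with nothing in the logs pointing at the mapping failure; a debug-level message on the non-zero return value would make that diagnosable. Two smaller points in the same hunk: `cygwin_ssh_privsep_user()` should be declared `(void)` to be a real prototype, and the brace-on-its-own-line and space-before-paren style (`if (...)` newline `{`, `strcpy (`) does not match the surrounding file, as the `return (pathconf(filename, _PC_POSIX_PERMISSIONS));` context line shows.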
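Review bot: in the first bsd-cygwin_util.h hunk, `#define DNLEN 16` and `#define UNLEN 256` are unconditional, yet the comment directly above says this header exists to avoid including the Windows headers, which define the same names; if a translation unit ever ends up including both, a differing value is a macro redefinition error. Wrapping each in `#ifndef DNLEN` / `#ifndef UNLEN` avoids that, and a short comment stating where the sizes come from would help the next reader check them.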
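Review bot: in the second bsd-cygwin_util.h hunk, `const char *cygwin_ssh_privsep_user();` is an old-style declaration rather than a prototype, so a caller passing arguments would not be diagnosed; declare it as `const char *cygwin_ssh_privsep_user(void);` to match a `(void)` definition. Also, since `#define CYGWIN_SSH_PRIVSEP_USER (cygwin_ssh_privsep_user())` turns SSH_PRIVSEP_USER into a runtime expression on Cygwin, any existing use that relies on it being a string literal (adjacent-literal concatenation or a static initializer) stops compiling there; every use of SSH_PRIVSEP_USER in the tree should be checked, and the header comment should state that the returned pointer refers to a static buffer the caller must not modify.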
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev