Ping?

It would be nice if we could discuss this patch further, if it's not ok
for inclusion.

Thanks,
Corinna

On May 15 13:28, Corinna Vinschen wrote:
> On Apr 2 14:44, Corinna Vinschen wrote:
> > On Apr 2 13:37, Peter Stuge wrote:
> > > Corinna Vinschen wrote:
> > > > On non-domain machines the account name will be "sshd", not
> > > > "${machine}+sshd". Except if the admin specifies that the domain
> > > > is always prepended, which makes it "${machine}+sshd" again. And
> > > > if the admin specifies the separator char to be not '+' but, for
> > > > instance '#', the account name will be "${machine}#sshd".
> > > >
> > > > All that knowledge would have to go into sshd.c.
> > >
> > > FWIW I think this is the right solution.
> >
> > Hmm. Come to think of it, SSH_PRIVSEP_USER could be defined as a macro
> > calling a function which returns the username. And configure.ac could
> > define SSH_PRIVSEP_USER as, say, cygwin_privsep_user() by default, when
> > built for Cygwin so the ugly details could be hidden in bsd-cygwin_util.c.
> >
> > The Cygwin changes are still in an early stage of testing, but I'll
> > come back to this.
>
> Ok, after some mulling about, I prepared the below patch. What it does
> is this:
>
> - The default replacement string for SSH_PRIVSEP_USER in configure.ac
> is now CYGWIN_SSH_PRIVSEP_USER, if the target is Cygwin. This can
> still be overridden with --with-privsep-user=FOO.
>
> - openbsd-compat/bsd-cygwin_util.h defines CYGWIN_SSH_PRIVSEP_USER
> as a function call cygwin_ssh_privsep_user().
>
> - openbsd-compat/bsd-cygwin_util.c implements cygwin_ssh_privsep_user().
> The function fills a static buffer with a username fetched by calling
> an internal Cygwin function. The function fills the buffer with the
> correct username, for instance "DOMAIN+sshd". If the function fails
> (non-0 return value), the function falls back to the username "sshd".
> > I just applied the required functionality to Cygwin's repository: > https://cygwin.com/viewvc/src/winsup/cygwin/external.cc?r1=1.137&r2=1.138 > > It will show up in the next official release 1.7.30. The below > patch makes sure that the code also compiles and falls back to the > username "sshd", if its getting built under an older version of > Cygwin. Additionally, even if built for 1.7.30 and later it will > still run under an older Cygwin version. > > I hope that patch is ok to support the discussed account mapping > functionality. I tried to implement it as non-intrusive as possible. > > > Thanks, > Corinna > > > Index: configure.ac > =================================================================== > RCS file: /cvs/openssh/configure.ac,v > retrieving revision 1.573 > diff -u -p -r1.573 configure.ac > --- configure.ac 15 May 2014 04:58:08 -0000 1.573 > +++ configure.ac 15 May 2014 11:26:21 -0000 > @@ -2872,7 +2872,14 @@ if test "x$PAM_MSG" = "xyes" ; then > ]) > fi > > -SSH_PRIVSEP_USER=sshd > +case "$host" in > +*-*-cygwin*) > + SSH_PRIVSEP_USER=CYGWIN_SSH_PRIVSEP_USER > + ;; > +*) > + SSH_PRIVSEP_USER=sshd > + ;; > +esac > AC_ARG_WITH([privsep-user], > [ --with-privsep-user=user Specify non-privileged user for privilege separation], > [ 
> @@ -2882,8 +2889,13 @@ AC_ARG_WITH([privsep-user], > fi > ] > ) > -AC_DEFINE_UNQUOTED([SSH_PRIVSEP_USER], ["$SSH_PRIVSEP_USER"], > - [non-privileged user for privilege separation]) > +if test "x$SSH_PRIVSEP_USER" = "xCYGWIN_SSH_PRIVSEP_USER" ; then > + AC_DEFINE_UNQUOTED([SSH_PRIVSEP_USER], [CYGWIN_SSH_PRIVSEP_USER], > + [Cygwin function to fetch non-privileged user for privilege separation]) > +else > + AC_DEFINE_UNQUOTED([SSH_PRIVSEP_USER], ["$SSH_PRIVSEP_USER"], > + [non-privileged user for privilege separation]) > +fi > AC_SUBST([SSH_PRIVSEP_USER]) > > if test "x$have_linux_no_new_privs" = "x1" ; then > Index: openbsd-compat/bsd-cygwin_util.c > =================================================================== > RCS file: /cvs/openssh/openbsd-compat/bsd-cygwin_util.c,v > retrieving revision 1.26 > diff -u -p -r1.26 bsd-cygwin_util.c > --- openbsd-compat/bsd-cygwin_util.c 1 Jun 2013 22:07:32 -0000 1.26 > +++ openbsd-compat/bsd-cygwin_util.c 15 May 2014 11:26:22 -0000 > @@ -57,6 +57,22 @@ check_ntsec(const char *filename) > return (pathconf(filename, _PC_POSIX_PERMISSIONS)); > } > > +const char * > +cygwin_ssh_privsep_user() > +{ > + static char cyg_privsep_user[DNLEN + UNLEN + 2]; > + > + if (!cyg_privsep_user[0]) > + { > +#ifdef CW_CYGNAME_FROM_WINNAME > + if (cygwin_internal (CW_CYGNAME_FROM_WINNAME, "sshd", cyg_privsep_user, > + sizeof cyg_privsep_user) != 0) > +#endif > + strcpy (cyg_privsep_user, "sshd"); > + } > + return cyg_privsep_user; > +} > + > #define NL(x) x, (sizeof (x) - 1) > #define WENV_SIZ (sizeof (wenv_arr) / sizeof (wenv_arr[0])) > > Index: openbsd-compat/bsd-cygwin_util.h > =================================================================== > RCS file: /cvs/openssh/openbsd-compat/bsd-cygwin_util.h,v > retrieving revision 1.17 > diff -u -p -r1.17 bsd-cygwin_util.h > --- openbsd-compat/bsd-cygwin_util.h 18 Jan 2014 10:04:00 -0000 1.17 > +++ openbsd-compat/bsd-cygwin_util.h 15 May 2014 11:26:22 -0000 
> @@ -39,6 +39,8 @@ > /* Avoid including windows headers. */ > typedef void *HANDLE; > #define INVALID_HANDLE_VALUE ((HANDLE) -1) > +#define DNLEN 16 > +#define UNLEN 256 > > /* Cygwin functions for which declarations are only available when including > windows headers, so we have to define them here explicitely. */ > @@ -48,6 +50,8 @@ extern void cygwin_set_impersonation_tok > #include <sys/cygwin.h> > #include <io.h> > > +#define CYGWIN_SSH_PRIVSEP_USER (cygwin_ssh_privsep_user()) > +const char *cygwin_ssh_privsep_user(); > > int binary_open(const char *, int , ...); > int check_ntsec(const char *); > > > -- > Corinna Vinschen > Cygwin Maintainer > Red Hat > _______________________________________________ > openssh-unix-dev mailing list > openssh-unix-dev@xxxxxxxxxxx > https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev -- Corinna Vinschen Cygwin Maintainer Red Hat
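Review bot: in the second configure.ac hunk (the one at @@ -2882), AC_SUBST([SSH_PRIVSEP_USER]) now exports the literal token CYGWIN_SSH_PRIVSEP_USER on Cygwin, so every generated file that substitutes @SSH_PRIVSEP_USER@ (manual pages and defaults produced from .in templates) will print that identifier rather than a user name. Consider keeping a separate substitution variable for the documented default, for instance leaving SSH_PRIVSEP_USER=sshd for AC_SUBST and introducing a distinct variable that drives the AC_DEFINE_UNQUOTED choice between the quoted string and the function-call macro.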
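Review bot: in the bsd-cygwin_util.c hunk, cygwin_ssh_privsep_user() is defined with an empty parameter list and uses a layout (brace on its own line after `if (!cyg_privsep_user[0])`, a space before the parenthesis in `cygwin_internal (...)` and `strcpy (cyg_privsep_user, "sshd")`) that differs from the surrounding check_ntsec() context, which writes `return (pathconf(filename, _PC_POSIX_PERMISSIONS));` without that space; use `(void)` and match the file's existing style. The fallback itself reads correctly as far as the hunk shows: a non-zero return from cygwin_internal(), or the call being compiled out when CW_CYGNAME_FROM_WINNAME is undefined, ends in strcpy() of "sshd", and the static buffer of DNLEN + UNLEN + 2 leaves room for the separator and the terminating NUL. One small point worth a comment in the code: if the lookup returns 0 but leaves an empty string, the `!cyg_privsep_user[0]` check will repeat the lookup on every call and return "" to the caller.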
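Review bot: in the bsd-cygwin_util.h hunk, DNLEN and UNLEN are defined unconditionally right under the comment saying Windows headers are avoided here; any translation unit that does pull in the Windows definitions of those names will get redefinition warnings, so wrap both in #ifndef guards and add a short comment on why 16 is chosen for DNLEN. The declaration `const char *cygwin_ssh_privsep_user();` should be `(void)` to give a real prototype. Finally, since SSH_PRIVSEP_USER now expands to `(cygwin_ssh_privsep_user())` on Cygwin, any existing use of it as a compile-time constant (a static initializer or adjacent string-literal concatenation) would stop compiling there; the patch touches no call sites, so it is worth confirming none exist.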