On Mar 14 21:40, Damien Miller wrote: > Hi, > > OpenSSH 7.5p1 is almost ready for release, so we would appreciate testing > on as many platforms and systems as possible. This is a bugfix release. > [...] > Potentially-incompatible changes > ================================ > > This release includes a number of changes that may affect existing > configurations: > > * This release deprecates the sshd_config UsePrivilegeSeparation > option, thereby making privilege separation mandatory. Privilege > separation has been on by default for almost 15 years. I tested today's code from the git repo, with the UsePrivilegeSeparation option removed, on Cygwin. It compiles OOTB and the testsuite runs successfully. However, the removal of UsePrivilegeSeparation requires a patch to Cygwin's ssh-host-config script. Patch attached. Thanks, Corinna -- Corinna Vinschen Cygwin Maintainer Red Hat
From beb8cf663a6a9183c82c7a78c62ee17512e02184 Mon Sep 17 00:00:00 2001
From: Corinna Vinschen <vinschen@xxxxxxxxxx>
Date: Wed, 15 Mar 2017 11:10:23 +0100
Subject: [PATCH] Remove handling of deprecated UsePrivilegeSeparation from Cygwin install script
Signed-off-by: Corinna Vinschen <vinschen@xxxxxxxxxx>
---
 contrib/cygwin/ssh-host-config | 43 +++++++++--------------------------------
 1 file changed, 9 insertions(+), 34 deletions(-)
diff --git a/contrib/cygwin/ssh-host-config b/contrib/cygwin/ssh-host-config
index d934d09..db6aaa0 100644
--- a/contrib/cygwin/ssh-host-config
+++ b/contrib/cygwin/ssh-host-config
@@ -63,7 +63,6 @@ sshd_config_configured=no
 port_number=22
 service_name=sshd
 strictmodes=yes
-privsep_used=yes
 cygwin_value=""
 user_account=
 password_value=
@@ -140,33 +139,21 @@ sshd_strictmodes() {
 # ======================================================================
 # Routine: sshd_privsep
-# MODIFIES: privsep_used
+# Try to create ssshd user account
 # ======================================================================
 sshd_privsep()
 {
 local ret=0
 if [ "${sshd_config_configured}" != "yes" ]
 then
- echo
- csih_inform "Privilege separation is set to 'sandbox' by default since"
- csih_inform "OpenSSH 6.1. This is unsupported by Cygwin and has to be set"
- csih_inform "to 'yes' or 'no'."
- csih_inform "However, using privilege separation requires a non-privileged account"
- csih_inform "called 'sshd'."
- csih_inform "For more info on privilege separation read /usr/share/doc/openssh/README.privsep."
- if csih_request "Should privilege separation be used?"
+ if ! csih_create_unprivileged_user sshd
 then
- privsep_used=yes
- if ! csih_create_unprivileged_user sshd
- then
- csih_error_recoverable "Couldn't create user 'sshd'!"
- csih_error_recoverable "Privilege separation set to 'no' again!"
- csih_error_recoverable "Check your ${SYSCONFDIR}/sshd_config file!"
- let ++ret
- privsep_used=no
- fi
- else
- privsep_used=no
+ csih_error_recoverable "Could not create user 'sshd'!"
+ csih_error_recoverable "You will not be able to run an sshd service"
+ csih_error_recoverable "under a privileged account successfully."
+ csih_error_recoverable "Make sure to create a non-privileged user 'sshd'"
+ csih_error_recoverable "manually before trying to run the service!"
+ let ++ret
 fi
 fi
 return $ret
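Review bot: The new header comment `+# Try to create ssshd user account` misspells the account name and drops the note about what the routine affects; suggest `# Try to create the unprivileged 'sshd' account that privilege separation requires`. The new failure branch only counts the error with `let ++ret`, and the message `You will not be able to run an sshd service under a privileged account successfully.` is hard to parse; since the cover mail states that privilege separation is now mandatory, it would presumably be clearer to tell the admin that sshd will not start until the 'sshd' account exists. Whether the caller treats the non-zero return as fatal is not visible here, and the closing brace of sshd_privsep() lies outside the hunk.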
@@ -202,18 +189,6 @@ sshd_config_tweak() {
 let ++ret
 fi
 fi
- if [ "${sshd_config_configured}" != "yes" ]
- then
- /usr/bin/sed -i -e " s/^#\?UsePrivilegeSeparation .*/UsePrivilegeSeparation ${privsep_used}/" \ ${SYSCONFDIR}/sshd_config
- if [ $? -ne 0 ]
- then
- csih_warning "Setting privilege separation failed!"
- csih_warning "Check your ${SYSCONFDIR}/sshd_config file!"
- let ++ret
- fi
- fi
 return $ret
 } # --- End of sshd_config_tweak --- #
@@ -693,7 +668,7 @@ then
 fi
 fi
-# handle sshd_config (and privsep)
+# handle sshd_config
 csih_install_config "${SYSCONFDIR}/sshd_config" "${SYSCONFDIR}/defaults" || let ++warning_cnt
 if ! /usr/bin/cmp "${SYSCONFDIR}/sshd_config" "${SYSCONFDIR}/defaults/${SYSCONFDIR}/sshd_config" >/dev/null 2>&1
 then
-- 
2.9.3