Re: Announce: OpenSSH 7.5 released

[Date Prev] [Date Next] [Thread Prev] [Thread Next] [Date Index] [Thread Index]

 



Hi,

I got a report on the Cygwin mailing list in terms of deprecating the
privsep option.  It seems one consequence is that you can't run sshd
under a non-privileged account for personal use anymore:

----- Forwarded message from Lionel Fourquaux -----
> * This release deprecates the sshd_config UsePrivilegeSeparation
>   option, thereby making privilege separation mandatory.

This has (probably not wholly intended) consequences when running sshd in
single user (non root) mode:

$ /usr/sbin/sshd -D -f ~/.ssh/sshd_config
Privilege separation user sshd does not exist

The problem is not limited to Cygwin, but is unlikely to happen in a typical
Unix, since ssh is probably installed globally.

If Cygwin was installed without administrative privileges, creating a
dedicated sshd user would be impossible (and makes little sense if sshd runs
in single user mode, anyway).  I guess it would be possible to add a fake
user account in /etc/passwd.

Since user sshd and chroot /var/empty are not used in single user mode, it
might be better to remove the check in this case:

=== cut after ===
diff --git a/sshd.c b/sshd.c
index 010a2c3..4f9b2c8 100644
--- a/sshd.c
+++ b/sshd.c
@@ -1641,7 +1641,8 @@ main(int ac, char **av)

	/* Store privilege separation user for later use if required. */
	if ((privsep_pw = getpwnam(SSH_PRIVSEP_USER)) == NULL) {
-		if (use_privsep || options.kerberos_authentication)
+		if ((use_privsep || options.kerberos_authentication)
+		    && (getuid() == 0 || geteuid() == 0))
			fatal("Privilege separation user %s does not exist",
			    SSH_PRIVSEP_USER);
	} else {
@@ -1767,7 +1768,7 @@ main(int ac, char **av)
		    key_type(key));
	}

-	if (use_privsep) {
+	if (use_privsep && (getuid() == 0 || geteuid() == 0)) {
		struct stat st;

		if ((stat(_PATH_PRIVSEP_CHROOT_DIR, &st) == -1) ||
=== cut before ===

Best regards,

		-- Lionel
----- End forwarded message -----

Is there a chance this could be reenabled again?


Thanks,
Corinna

-- 
Corinna Vinschen                  Please, send mails regarding Cygwin to
Cygwin Maintainer                 cygwin AT cygwin DOT com
Red Hat

Attachment: signature.asc
Description: PGP signature

_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev

[Date Prev] [Date Next] [Thread Prev] [Thread Next] [Date Index] [Thread Index]

[Index of Archives]     [Linux ARM Kernel]     [Linux ARM]     [Linux Omap]     [Fedora ARM]     [IETF Annouce]     [Security]     [Bugtraq]     [Linux]     [Linux OMAP]     [Linux MIPS]     [ECOS]     [Asterisk Internet PBX]     [Linux API]

  Powered by Linux