Hi,

I got a report on the Cygwin mailing list in terms of deprecating the privsep option. It seems one consequence is that you can't run sshd under a non-privileged account for personal use anymore:

----- Forwarded message from Lionel Fourquaux -----

> * This release deprecates the sshd_config UsePrivilegeSeparation
> option, thereby making privilege separation mandatory.

This has (probably not wholly intended) consequences when running sshd in single user (non-root) mode:

$ /usr/sbin/sshd -D -f ~/.ssh/sshd_config
Privilege separation user sshd does not exist

The problem is not limited to Cygwin, but is unlikely to happen in a typical Unix, since ssh is probably installed globally. If Cygwin was installed without administrative privileges, creating a dedicated sshd user would be impossible (and makes little sense if sshd runs in single user mode, anyway). I guess it would be possible to add a fake user account in /etc/passwd.

Since user sshd and chroot /var/empty are not used in single user mode, it might be better to remove the check in this case:

=== cut after ===
diff --git a/sshd.c b/sshd.c index 010a2c3..4f9b2c8 100644 --- a/sshd.c +++ b/sshd.c @@ -1641,7 +1641,8 @@ main(int ac, char **av) /* Store privilege separation user for later use if required. */ if ((privsep_pw = getpwnam(SSH_PRIVSEP_USER)) == NULL) { - if (use_privsep || options.kerberos_authentication) + if ((use_privsep || options.kerberos_authentication) + && (getuid() == 0 || geteuid() == 0)) fatal("Privilege separation user %s does not exist", SSH_PRIVSEP_USER); } else {
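Review bot: the new `getuid() == 0 || geteuid() == 0` guard in the first hunk leaves privsep_pw NULL whenever sshd is started unprivileged, so the change is only safe if every later dereference of privsep_pw (the uid/gid drop in the preauth child, for instance) sits behind the same root test; that dependency should be spelled out in the commit message rather than left implicit. The guard also exempts the `options.kerberos_authentication` case, which has nothing to do with running unprivileged: if an unprivileged sshd with Kerberos enabled and no sshd account is meant to be supported, say so in a comment; otherwise narrow the new condition to the `use_privsep` half, e.g. `if (options.kerberos_authentication || (use_privsep && (getuid() == 0 || geteuid() == 0)))`.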
@@ -1767,7 +1768,7 @@ main(int ac, char **av) key_type(key)); } - if (use_privsep) { + if (use_privsep && (getuid() == 0 || geteuid() == 0)) { struct stat st; if ((stat(_PATH_PRIVSEP_CHROOT_DIR, &st) == -1) ||
=== cut before ===

Best regards,
-- 
Lionel

----- End forwarded message -----

Is there a chance this could be re-enabled again?

Thanks,
Corinna

-- 
Corinna Vinschen
Please, send mails regarding Cygwin to
Cygwin Maintainer                 cygwin AT cygwin DOT com
Red Hat
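Review bot: the second hunk repeats the `getuid() == 0 || geteuid() == 0` test already introduced in the first hunk; compute it once into a local near the top of main() (e.g. `int running_as_root = (getuid() == 0 || geteuid() == 0);`) and use that in both places so the two checks cannot drift apart later. When the stat of _PATH_PRIVSEP_CHROOT_DIR is skipped because sshd is unprivileged, a debug() line saying that the privsep chroot is not in use would let an operator see from the log that this instance is running without it.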
Attachment: signature.asc (PGP signature)
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev