Hello, You seem to be saying that in 7.5, sshd can no longer be run under an ordinary user account. Is that accurate? I use sshd running under a user account in Debian Jessie to allow tunnels from remote devices. That capability is crucial to my application. Any comments would be appreciated. Jack Dodds Corinna Vinschen <vinschen@xxxxxxxxxx> wrote: > Hi, > > I got a report on the Cygwin mailing list in terms of > deprecating the privsep option. It seems one consequence is > that you can't run sshd under a non-privileged account for > personal use anymore: > > ----- Forwarded message from Lionel Fourquaux ----- > > * This release deprecates the sshd_config UsePrivilegeSeparation > > option, thereby making privilege separation mandatory. > > This has (probably not wholly intended) consequences when > running sshd in single user (non root) mode: > > $ /usr/sbin/sshd -D -f ~/.ssh/sshd_config > Privilege separation user sshd does not exist > > The problem is not limited to Cygwin, but is unlikely to happen > in a typical Unix, since ssh is probably installed globally. > > If Cygwin was installed without administrative privileges, > creating a dedicated sshd user would be impossible (and makes > little sense if sshd runs in single user mode, anyway). I guess > it would be possible to add a fake user account in /etc/passwd. > > Since user sshd and chroot /var/empty are not used in single > user mode, it might be better to remove the check in this case: > > === cut after === > diff --git a/sshd.c b/sshd.c > index 010a2c3..4f9b2c8 100644 > --- a/sshd.c > +++ b/sshd.c > @@ -1641,7 +1641,8 @@ main(int ac, char **av) > > /* Store privilege separation user for later use if required. */ > if ((privsep_pw = getpwnam(SSH_PRIVSEP_USER)) == NULL) { > - if (use_privsep || options.kerberos_authentication) > + if ((use_privsep || options.kerberos_authentication) > + && (getuid() == 0 || geteuid() == 0)) > fatal("Privilege separation user %s does not exist", > SSH_PRIVSEP_USER); > } else { > @@ -1767,7 +1768,7 @@ main(int ac, char **av) > key_type(key)); > } > > - if (use_privsep) { > + if (use_privsep && (getuid() == 0 || geteuid() == 0)) { > struct stat st; > > if ((stat(_PATH_PRIVSEP_CHROOT_DIR, &st) == -1) || > === cut before === > > Best regards, > > -- Lionel > ----- End forwarded message ----- > > Is there a chance this could be reenabled again? > > > Thanks, > Corinna > > _______________________________________________ > openssh-unix-dev mailing list > openssh-unix-dev@xxxxxxxxxxx > https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
Attachment:
Encryption key for Jack Dodds.asc
Description: application/pgp-keys
Attachment:
signature.asc
Description: OpenPGP Digital Signature
_______________________________________________ openssh-unix-dev mailing list openssh-unix-dev@xxxxxxxxxxx https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev