Mail Archives: cygwin/2002/08/02/18:29:25
Greetings all.
I have a few issues running SSHD under cygwin.
I have got it mostly to work and it looks good, but there are at least two security issues that I am concerned about.
The first is when someone accesses my SSH server, the server sends back an environment that includes LOGONSERVER, HOMEDRIVE,
HOMEPATH, SYSTEMDRIVE, and SYSTEMROOT.
Since this is to a remote client, I do not want them to know any of the details of my server, and this lays it wide open. Is there a way to
stop these environment variables from being exported to the remote client? I am putting users in a chroot jail (more about that below) and
even though I unset these variables in the script, they still get set on the client.
Another related issue is that I have a different computer name from the name that remote clients use and wish to have the public name
sent back in the environment variables such as USERDOMAIN and HOSTNAME. Right now, I reset them to what I want in the profile I
execute as part of the chroot. Is this the only way to do it? Running cygrunsrv with -e "USERDOMAIN=publicname" has no effect, but it
works for COMPUTERNAME.
As to the chroot issue, I went with the procedure in
http://sources.redhat.com/ml/cygwin/2002-07/msg02070.html but fleshed it out
so it would work, and it does, but a disturbing issue is that when a remote client logs on, I have to have a globally accessible home
directory in my /etc/passwd file and have that directory exist. Then, the server places the client in that home directory before the script
can get control to chroot to the jail. This is a millisecond security issue but still a window.
Thanks for any assistance.
--
Unsubscribe info: http://cygwin.com/ml/#unsubscribe-simple
Bug reporting: http://cygwin.com/bugs.html
Documentation: http://cygwin.com/docs.html
FAQ: http://cygwin.com/faq/
- Raw text -