Mail Archives: cygwin/2007/09/05/23:02:11

X-Recipient: archive-cygwin AT delorie DOT com
X-Spam-Check-By: sourceware.org
From: Bart Grantham <bg AT logicworks DOT net>
To: "'cygwin AT cygwin DOT com'" <cygwin AT cygwin DOT com>
Date: Wed, 5 Sep 2007 23:01:46 -0400
Subject: sshd user switching (keywords: whoami sshd_server public-key host-based)
Message-ID: <82DA1BC8E3377840AAC2B22ACFAB1EE402E52243E1@exchange3.corp.logicworks.net>
Accept-Language: en-US
MIME-Version: 1.0
X-IsSubscribed: yes
Mailing-List: contact cygwin-help AT cygwin DOT com; run by ezmlm
List-Id: <cygwin.cygwin.com>
List-Subscribe: <mailto:cygwin-subscribe AT cygwin DOT com>
List-Archive: <http://sourceware.org/ml/cygwin/>
List-Post: <mailto:cygwin AT cygwin DOT com>
List-Help: <mailto:cygwin-help AT cygwin DOT com>, <http://sourceware.org/ml/#faqs>
Sender: cygwin-owner AT cygwin DOT com
Mail-Followup-To: cygwin AT cygwin DOT com
Delivered-To: mailing list cygwin AT cygwin DOT com
X-MIME-Autoconverted: from quoted-printable to 8bit by delorie.com id l86320eU012349

I've looked through the mailing list and I've seen some discussion about this, but most of the threads were pretty old and none of them really addressed the exact problem I'm seeing. I have sshd up and running on a Windows 2003 server with public-key auth working. The setup was smooth as silk and completely painless. Very impressive, the maintainers should be quite proud. So the only snag I have left is that when I try to kick off a script/program via an ssh "one-liner" the authentication doesn't work the way I expect. If I log in to a shell, "whoami" returns the correct answer. If I "ssh user AT server whoami", I get the sshd_server user:

=======
[root AT dosas ~]# ssh ADAdministrator AT kazzak DOT ad DOT logicworks DOT net
Last login: Wed Aug 22 20:14:51 2007 from 172.16.3.22
Fanfare!!!
You are successfully logged in to this server!!!

ADAdministrator AT kazzak ~
$ whoami
ADAdministrator

ADAdministrator AT kazzak ~
$ logout
Connection to kazzak.ad.logicworks.net closed.
[root AT dosas ~]# ssh ADAdministrator AT kazzak DOT ad DOT logicworks DOT net whoami
kazzak\sshd_server
=======

I am making an educated guess here in that in the former instance the sshd_server is kicking off the user's shell as the user (that's where Privilege Escalation comes into play?), but in the latter case it just executes the script/program directly. If so, doesn't this represent a pretty serious security problem (i.e. any user could run any program as the sshd_server user)? If this isn't a default security problem and is merely a configuration issue, does anyone have any suggestions as to how to fix it? Or if I'm stuck with this, are there any clever workarounds? Thanks in advance for the help.

BG

