| delorie.com/archives/browse.cgi | search |
| X-Recipient: | archive-cygwin AT delorie DOT com |
| DomainKey-Signature: | a=rsa-sha1; c=nofws; d=sourceware.org; h=list-id |
| :list-unsubscribe:list-subscribe:list-archive:list-post | |
| :list-help:sender:reply-to:from:to:references:in-reply-to | |
| :subject:date:message-id:mime-version:content-type | |
| :content-transfer-encoding; q=dns; s=default; b=oi3rMpcooSWDAf6j | |
| ZEBn0m963rR0ukz9D481EgRskGIZn1Z6K91yWvXZYcJAZ8pJfgKJ/i/NlLQU+ggW | |
| plYNAdEfIy7QID98hUrxfewJS8J2nJgVRYsxxdi+jHURfMMv3f7nBpmcDRUHcHZ/ | |
| 2AA2LVuk9fl+di/tHeqkw5s5y0Y= | |
| DKIM-Signature: | v=1; a=rsa-sha1; c=relaxed; d=sourceware.org; h=list-id |
| :list-unsubscribe:list-subscribe:list-archive:list-post | |
| :list-help:sender:reply-to:from:to:references:in-reply-to | |
| :subject:date:message-id:mime-version:content-type | |
| :content-transfer-encoding; s=default; bh=/RDwhB9Q7S/Ti40oa89xRf | |
| XobpA=; b=gTpEB0OEad4LlXkNTAqq7NZ0UNnfMl7zvfmuPc3LxsscNFpq9dvu9q | |
| GWumY4Qe3lbieUqVhL4wWIXyUCTLx4ApqFbE3v7E0oyGi3Y7ZkiTf37voFOnRPyB | |
| vNg/Ac1RqmLE0adbqWynn2DCJUR7ZuXRNC2fTzPBgmsz2v0Uo787U= | |
| Mailing-List: | contact cygwin-help AT cygwin DOT com; run by ezmlm |
| List-Id: | <cygwin.cygwin.com> |
| List-Subscribe: | <mailto:cygwin-subscribe AT cygwin DOT com> |
| List-Archive: | <http://sourceware.org/ml/cygwin/> |
| List-Post: | <mailto:cygwin AT cygwin DOT com> |
| List-Help: | <mailto:cygwin-help AT cygwin DOT com>, <http://sourceware.org/ml/#faqs> |
| Sender: | cygwin-owner AT cygwin DOT com |
| Mail-Followup-To: | cygwin AT cygwin DOT com |
| Delivered-To: | mailing list cygwin AT cygwin DOT com |
| Authentication-Results: | sourceware.org; auth=none |
| X-Virus-Found: | No |
| X-Spam-SWARE-Status: | No, score=4.7 required=5.0 tests=AWL,BAYES_50,FREEMAIL_FROM,KAM_ASCII_DIVIDERS,RCVD_IN_DNSWL_NONE,RP_MATCHES_RCVD,SPF_PASS autolearn=no version=3.3.2 spammy=thru, cygwin-ug-net, cygwinugnet, navigate |
| X-HELO: | resqmta-po-10v.sys.comcast.net |
| Reply-To: | <cygwin AT cygwin DOT com> |
| From: | "David Willis" <david_willis AT comcast DOT net> |
| To: | <cygwin AT cygwin DOT com> |
| References: | |
| In-Reply-To: | |
| Subject: | RE: Possible Security Hole in SSHD w/ CYGWIN? |
| Date: | Tue, 9 Feb 2016 07:56:15 -0800 |
| Message-ID: | <018801d16352$68a6b940$39f42bc0$@comcast.net> |
| MIME-Version: | 1.0 |
Sorry for starting a new thread w/ the reply, forgot to subscribe before posting my question yesterday... Thanks for getting back so quickly Yes, I have read that page pretty much from top to bottom, and as far as I know I have configured sshd and the user accounts correctly. I have a non-privileged, disabled account named "sshd", as well as a privileged account called "cyg_server". Privilege separation seems to be working fine - i.e. when the request for a connection comes in the process is running as "sshd", then it spawns a privileged process running as "cyg_server" once the user is authenticated. However no I am not logging in with a password; I have setup public key authentication. And the user I'm being connected as (as seen from the file share server) is not the "sshd" user account, it is the privileged "cyg_server" user account. Although that account has no rights to logon interactively or thru Terminal Services, it is a privileged account on the file server (because the file server is also running CYGWIN and thus must allow privileged rights to that account as well). I should clarify that in my case, cyg_server is a domain account (not a local account). And the way I can verify, is that I have a folder on that share that the user I am authenicating as does not have rights do view, but cyg_server does (because Administrators on that server do), and when I connect as my user via SSHD to any one of my other machines on the domain running CYGWIN, I can then navigate to and read the contents of that file share when I shouldn't be able to. If I try to do the same thing, from the same account, but on my machine locally without connecting to any other CYGWIN SSH server, I get a "Permission denied", which is what I would expect. Thank you for your help on this. David ---------------------------------------------------------------------------- -------------------------- Did you read https://cygwin.com/cygwin-ug-net/ntsec.html, configured sshd and the user accounts correctly and are logging in with a password using either of the methods described? FWIW, I'm seeing the connected user as the one that I logged into via ssh. In fact the sshd user account doesn't have any network access rights anyway, so I couldn't connect to any network share if that acount would be used. Regards, Achim. -- Problem reports: http://cygwin.com/problems.html FAQ: http://cygwin.com/faq/ Documentation: http://cygwin.com/docs.html Unsubscribe info: http://cygwin.com/ml/#unsubscribe-simple
| webmaster | delorie software privacy |
| Copyright © 2019 by DJ Delorie | Updated Jul 2019 |