Mail Archives: cygwin/2016/02/14/05:50:02

From: Achim Gratz <Stromeko AT nexgo DOT de>
To: cygwin AT cygwin DOT com
Subject: Re: Possible Security Hole in SSHD w/ CYGWIN?
Date: Sun, 14 Feb 2016 11:49:12 +0100
In-Reply-To: <CACoZoo3R4CDcgTMMex9QZ=Wh9a8CDvyUHpqj5+Br5xYFvGHvuQ@mail.gmail.com> (Erik Soderquist's message of "Sat, 13 Feb 2016 19:14:06 -0500")

Erik Soderquist writes:
> I would suspect Domain Admin for the Cyg_server account is a
> requirement of David's environment, which neither of us know anything
> about at present.  I know I've had to do things that were not "best
> practice" due to corporate policy on more occasions than I care to
> count.

If that's the case, then security of the sshd is the least of your
worries and I wouldn't install sshd at all.

> Actually the Cygwin doc does include instructions for accessing
> network shares when using ssh public key authentication.

…which boil down to the password being stored (obscured) on the machine
running sshd in order for sshd to obtain the necessary authentication
via password-based login.

> Once again, assumptions.  While I can't explicitly vouch for David's
> environment, as I do not have access to check, I can vouch for mine,
> and mine was configured using sshd_host_config, with the only changes
> after sshd_host_config being regarding TCP and X tunneling.

I have to again make an assumption, namely that if cyg_server is a local
account you've checked the C$ share of the same server that sshd is
running on.  That's bad enough, shouldn't happen and needs fixing, but
at least you wouldn't be able to access any network shares from other
servers that weren't otherwise accessible for everybody.


Regards,
Achim.
-- 
+<[Q+ Matrix-12 WAVE#46+305 Neuron microQkb Andromeda XTk Blofeld]>+

SD adaptations for KORG EX-800 and Poly-800MkII V0.9:
http://Synth.Stromeko.net/Downloads.html#KorgSDada
