X-Recipient:	archive-cygwin AT delorie DOT com
DomainKey-Signature:	a=rsa-sha1; c=nofws; d=sourceware.org; h=list-id
	:list-unsubscribe:list-subscribe:list-archive:list-post
	:list-help:sender:mime-version:references:in-reply-to:from:date
	:message-id:subject:to:content-type; q=dns; s=default; b=lDjus6/
	mx+468piqdIDFDDsG176Bvt9v/5G/TZclhIkd8dfGlQUYakwyJQNrFAgcRUE3V07
	2pXUIqPGdH1YCfOOpATX+BLGmPdVNOZ229FRws0CeTl/0X1lUyn+Es4TIA2AuxK3
	Ro7eD/PvQ72CjEimFy8X+Keclra1E5XdZkho=
DKIM-Signature:	v=1; a=rsa-sha1; c=relaxed; d=sourceware.org; h=list-id
	:list-unsubscribe:list-subscribe:list-archive:list-post
	:list-help:sender:mime-version:references:in-reply-to:from:date
	:message-id:subject:to:content-type; s=default; bh=ocJyV2BqSyAoj
	7rTP8qK7vMJ+n4=; b=nppBpKo+0CiqJz/VGdFN0TtIDMzj52dQlFqeS3aL10MF5
	8puA/UDR5oKRw5UTbfUD5KpT0xO+rrvMyloV2DK1GO/6UGNskw6KJ4VkUOHoViay
	pV+KEnZkuxLkLFKC2q7lYPFXBdz7oFuDdilXD9YsGmvj/y0zDsyYWUpwbPq0r0=
Mailing-List:	contact cygwin-help AT cygwin DOT com; run by ezmlm
List-Id:	<cygwin.cygwin.com>
List-Subscribe:	<mailto:cygwin-subscribe AT cygwin DOT com>
List-Archive:	<http://sourceware.org/ml/cygwin/>
List-Post:	<mailto:cygwin AT cygwin DOT com>
List-Help:	<mailto:cygwin-help AT cygwin DOT com>, <http://sourceware.org/ml/#faqs>
Sender:	cygwin-owner AT cygwin DOT com
Mail-Followup-To:	cygwin AT cygwin DOT com
Delivered-To:	mailing list cygwin AT cygwin DOT com
Authentication-Results:	sourceware.org; auth=none
X-Spam-SWARE-Status:	No, score=-2.5 required=5.0 tests=AWL,BAYES_00,FREEMAIL_FROM,HTML_MESSAGE,RCVD_IN_DNSWL_LOW,SPF_PASS autolearn=ham version=3.3.1 spammy=connecting, H*c:alternative, password
X-HELO:	mout.gmx.com
DKIM-Signature:	v=1; a=rsa-sha256; c=relaxed/simple; d=mail.com; s=dbd5af2cbaf7; t=1552429313; bh=lPWvSuwTTyPBwMsTvYW2NjcavCVCfJsBzqMhn6i0scU=; h=X-UI-Sender-Class:References:In-Reply-To:From:Date:Subject:To; b=nDyUx7KFhIJpzkmpXKi0fEqFagNnb8Tc81qgu5aZOBflVo2T3eas9gsiTzT1BAhPG edYELp5j5IU2iDsFNaqly57kJR4kkhx0S/3HtlFMEaAQfh5WU+pWSdE1Q70Euu4Hjj WEVsKLa6u2m8VgXr9cqgcJ18gFZgqiFHUgMnvWC4=
X-UI-Sender-Class:	214d933f-fd2f-45c7-a636-f5d79ae31a79
MIME-Version:	1.0
References:	<CANV9t=S6LFnDSKiJsL3GpjLNC+srJCAgkScZTiG0yAbxq3b40A AT mail DOT gmail DOT com>
In-Reply-To:	<CANV9t=S6LFnDSKiJsL3GpjLNC+srJCAgkScZTiG0yAbxq3b40A@mail.gmail.com>
From:	Bill Stewart <bstewart AT iname DOT com>
Date:	Tue, 12 Mar 2019 16:21:23 -0600
Message-ID:	<CANV9t=SWJ_65Y7jgqgDzNkaUPh1YCHfibp6vb+tmvg-wKtPLyQ@mail.gmail.com>
Subject:	Re: sshd privsep user still required?
To:	cygwin AT cygwin DOT com
X-IsSubscribed:	yes

On Thu, 17 Jan 2019 Corinna Vinschen wrote:

> > Is the sshd disabled user account still required?
>
> No, actually it isn't.  These days the sshd server checks if the
> the privsep chrrot environment should be used and that the process
> is started under "root:root".  This never matches under Cygwin so
> we could drop the sshd user requirement.

So I was exploring using the ChrootDirectory setting in sshd_config to
configure a user as sftp only.

The following seems to work:

1) Run sshd service as SYSTEM

2) Specify SYSTEM as user 0 in /etc/passwd file; e.g.:

SYSTEM:*:0:18:U-NT AUTHORITY\SYSTEM,S-1-5-18:/var/empty:/bin/false

3) Create a local sshd user account

4) Update sshd_config settings to use something such as:

Match User sftponly
ChrootDirectory /home/%u
ForceCommand internal-sftp

This works.

If the sshd account is missing or disabled, I can't connect using the
sftponly user, so it would seem that the sshd account really is required.

I have three questions:

a) Why is it necessary to specify SYSTEM as user number 0 in the
/etc/password file?

b) Why is the sshd account required?

b) Why are /cygdrive and /dev directories visible when connecting using a
sftp client?

Thanks!

Bill

--
Problem reports:       http://cygwin.com/problems.html
FAQ:                   http://cygwin.com/faq/
Documentation:         http://cygwin.com/docs.html
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple

- Raw text -