Message-ID: <883e0ae2-1ac7-1474-ba06-10d9de441390@aussiebb.com.au>
Date: Mon, 7 Aug 2023 22:11:18 +1000
To: cygwin AT cygwin DOT com
Subject: sshd_config AllowStreamLocalForwarding perm off / effectively privsep off
List-Id: General Cygwin discussions and problem reports <cygwin.cygwin.com>
List-Archive: <https://cygwin.com/pipermail/cygwin/>
From: Shaddy Baddah via Cygwin <cygwin AT cygwin DOT com>
Reply-To: Shaddy Baddah <lithium-cygwin AT shaddybaddah DOT name>
Hi,

For the current OpenSSH server (9.3p2), AllowStreamLocalForwarding defaults on. That means both local and remote unix socket port forwarding are possible. For Cygwin, it appears the remote form of this is not possible. The following message is seen on the client-side, regardless of whether sshd_config explicitly defines AllowStreamLocalForwarding "on", or "all":

|Forwarding port.
|debug1: Remote: Server has disabled streamlocal forwarding.

Finding the code around this, and a three(?) component conditional expression that "fails" into that message, I discovered that the reason it is not allowed is the following conditional:

|    (pw->pw_uid != 0 && !use_privsep)) {

and to my surprise, after compiling a debug version of sshd to discover this conditional, it turns out that use_privsep is set to zero (0).

I've been around the Cygwin community for many years, and I remember the time when ssh-host-config prompted for priv sep, and the creation of the "sshd" local user. I remember the transition when that prompt was removed, and reading that priv sep was now "on permanently".

I think there is a misunderstanding here though, though I'm not 100% sure of my reading of the situation. It appears that though priv sep is on by default, for Cygwin, it is effectively off, as it cannot be implemented??? Because this bit of code from sshd.c suggests if DISABLE_FD_PASS is set, then use_privsep needs to be set to false:

|#ifdef DISABLE_FD_PASSING
|	if (1) {
|#else
|	if (authctxt->pw->pw_uid == 0) {
|#endif
|		/* File descriptor passing is broken or root login */
|		use_privsep = 0;
|		goto skip;

DISABLE_FD_PASS is always set by autoconf for Cygwin. And my reading is that not having that capability effectively means whatever the other criteria, the executing process doesn't have sufficient "separation" of privilege to be treated in the same manner.

Otherwise, what's the solution? Because the reason for the earlier guard (the disallowance of streamlocal) was a fix for a CVE from very long ago, that allowed unix-sockets to be created on the server as "root"/privileged user.

--
Regards,
Shaddy
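As an added illustration (not code from the post, and not OpenSSH's own source), the two conditionals the post quotes are modelled below in C so the chain can be followed for one login at a time: the build-time DISABLE_FD_PASSING choice is turned into a runtime flag so that a Cygwin-style build and a normal fd-passing build can be compared side by side. The FORWARD_* flag names and all function names are assumptions made for this example.

```c
#include <stdbool.h>
#include <stdio.h>
#include <sys/types.h>

/* Bit flags standing in for the AllowStreamLocalForwarding setting
 * (local / remote / all); the names are assumed for this example. */
#define FORWARD_LOCAL  1
#define FORWARD_REMOTE 2
#define FORWARD_ALL    (FORWARD_LOCAL | FORWARD_REMOTE)

/* Model of the sshd.c fragment quoted in the post: with DISABLE_FD_PASSING
 * defined (always the case for Cygwin builds, per the post) use_privsep is
 * forced to 0 for every login; otherwise only a root login (uid 0) turns it
 * off. The build-time #ifdef is modelled as a runtime flag. */
int decide_use_privsep(bool disable_fd_passing, uid_t login_uid)
{
    if (disable_fd_passing || login_uid == 0)
        return 0;   /* "File descriptor passing is broken or root login" */
    return 1;
}

/* Model of the guard that answers a remote streamlocal-forward request:
 * refused when the config does not permit remote forwarding, or when the
 * login is non-root and privilege separation is not in use. A refusal is
 * what the client reports as "Server has disabled streamlocal forwarding." */
bool remote_streamlocal_allowed(int allow, uid_t uid, int use_privsep)
{
    if ((allow & FORWARD_REMOTE) == 0 || (uid != 0 && !use_privsep))
        return false;
    return true;
}

/* Full decision for one login on one build flavour. */
bool build_allows_remote_streamlocal(bool disable_fd_passing, int allow, uid_t uid)
{
    int privsep = decide_use_privsep(disable_fd_passing, uid);
    return remote_streamlocal_allowed(allow, uid, privsep);
}

int main(void)
{
    /* Same non-root login and AllowStreamLocalForwarding "all" on both builds:
     * refused where DISABLE_FD_PASSING forces use_privsep to 0, accepted otherwise. */
    printf("DISABLE_FD_PASSING build, uid 1000: %s\n",
           build_allows_remote_streamlocal(true, FORWARD_ALL, 1000) ? "allowed" : "refused");
    printf("fd-passing build,         uid 1000: %s\n",
           build_allows_remote_streamlocal(false, FORWARD_ALL, 1000) ? "allowed" : "refused");
    return 0;
}
```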