| delorie.com/archives/browse.cgi | search |
| X-Recipient: | archive-cygwin AT delorie DOT com |
| DKIM-Filter: | OpenDKIM Filter v2.11.0 sourceware.org EF859385840C |
| DKIM-Signature: | v=1; a=rsa-sha256; c=relaxed/relaxed; d=cygwin.com; |
| s=default; t=1691430075; | |
| bh=enHYOJba4G0oPBoGD4PG4lzOMLNVmS6EkTk8Bebqtj8=; | |
| h=Date:To:Subject:References:In-Reply-To:List-Id:List-Unsubscribe: | |
| List-Archive:List-Post:List-Help:List-Subscribe:From:Reply-To:Cc: | |
| From; | |
| b=pO0tfqHj88T5LKMO+ZYrBLJQ5/5219rTJ0Da8disBe6oxSuAoDfEiqSY1qAke4Ii3 | |
| kEn8/0KuRFbNaorBH6RVNN9cx12PAmgj5hL8PGW0esg70tNdPsCY2Jw12ia2/3vS21 | |
| NUZNaEO8F+5daZxB8w6h6akL4xj21U4j0gfoUVS8= | |
| X-Original-To: | cygwin AT cygwin DOT com |
| Delivered-To: | cygwin AT cygwin DOT com |
| DKIM-Filter: | OpenDKIM Filter v2.11.0 sourceware.org BDE853858D28 |
| Date: | Mon, 7 Aug 2023 19:40:38 +0200 |
| To: | cygwin AT cygwin DOT com |
| Subject: | Re: sshd_config AllowStreamLocalForwarding perm off / effectively |
| privsep off | |
| Message-ID: | <ZNEslrRdAQxRtVBD@calimero.vinschen.de> |
| Mail-Followup-To: | cygwin AT cygwin DOT com |
| References: | <883e0ae2-1ac7-1474-ba06-10d9de441390 AT aussiebb DOT com DOT au> |
| MIME-Version: | 1.0 |
| In-Reply-To: | <883e0ae2-1ac7-1474-ba06-10d9de441390@aussiebb.com.au> |
| X-BeenThere: | cygwin AT cygwin DOT com |
| X-Mailman-Version: | 2.1.29 |
| List-Id: | General Cygwin discussions and problem reports <cygwin.cygwin.com> |
| List-Unsubscribe: | <https://cygwin.com/mailman/options/cygwin>, |
| <mailto:cygwin-request AT cygwin DOT com?subject=unsubscribe> | |
| List-Archive: | <https://cygwin.com/pipermail/cygwin/> |
| List-Post: | <mailto:cygwin AT cygwin DOT com> |
| List-Help: | <mailto:cygwin-request AT cygwin DOT com?subject=help> |
| List-Subscribe: | <https://cygwin.com/mailman/listinfo/cygwin>, |
| <mailto:cygwin-request AT cygwin DOT com?subject=subscribe> | |
| From: | Corinna Vinschen via Cygwin <cygwin AT cygwin DOT com> |
| Reply-To: | cygwin AT cygwin DOT com |
| Cc: | Corinna Vinschen <corinna-cygwin AT cygwin DOT com> |
| Errors-To: | cygwin-bounces+archive-cygwin=delorie DOT com AT cygwin DOT com |
| Sender: | "Cygwin" <cygwin-bounces+archive-cygwin=delorie DOT com AT cygwin DOT com> |
On Aug 7 22:11, Shaddy Baddah via Cygwin wrote:
> Hi,
>
> For the current OpenSSH server (9.3p2), AllowStreamLocalForwarding
> defaults on. That means both local and remote unix socket port
> portforwarding are possible.
>
> For Cygwin, it appears the remote form of this is not possible. The
> following message is seen on the client-side, regardless of whether
> sshd_config explicitly defines AllowStreamLocalForwarding "on", or
> "all":
>
> |Forwarding port.
> |debug1: Remote: Server has disabled streamlocal forwarding.
>
> Finding the code around this, and a three(?) component conditional
> expression that "fails" into that message, I discovered that the
> reason it is not allowed is the following conditional:
>
> | (pw->pw_uid != 0 && !use_privsep)) {
>
> and to my surprise, after compiling a debug version of sshd to discover
> this conditional, it turns out that use_privsep is set to zero (0).
>
> I've been around the Cygwin community for many years, and I remember
> the time when ssh-host-config prompted for priv sep, and the creation
> of the "sshd" local user.
>
> I remember the transition when that prompt was removed, and reading that
> priv sep was now "on permanently".
>
> I think there is a misunderstanding here though, though I'm not 100%
> sure of my reading of the situation. It appears that though priv sep is
> on by default, for Cygwin, it is effectively off, as it cannot be
> implemented???
Privilege separation in OpenSSH consists of two independent parts, both
of which require AF_UNIX sockets.
The first part is transmission of peer credentials per the SO_PEERCRED
socket option. This was relatively easy to implement.
The other part of privilege separation requires AF_UNIX sockets to allow
sending and receiving open file descriptors via the SCM_RIGHTS ancillary
data feature. This does not work in Cygwin.
> DISABLE_FD_PASS is always set by autoconf for Cygwin. And my reading is
> that not having that capability effectively means whatever the other
> criteria, the executing process doesn't have sufficient "separation" of
> privilege to be treated in the same manner.
Yes, the parts of OpenSSH requiring descriptor passing are disabled in
OpenSSH.
> Otherwise, what's the solution?
Solution for what? What is it you want to do?
Corinna
--
Problem reports: https://cygwin.com/problems.html
FAQ: https://cygwin.com/faq/
Documentation: https://cygwin.com/docs.html
Unsubscribe info: https://cygwin.com/ml/#unsubscribe-simple
| webmaster | delorie software privacy |
| Copyright © 2019 by DJ Delorie | Updated Jul 2019 |