| delorie.com/archives/browse.cgi | search |
| X-Recipient: | archive-cygwin AT delorie DOT com |
| DKIM-Filter: | OpenDKIM Filter v2.11.0 sourceware.org ED572385841D |
| DKIM-Signature: | v=1; a=rsa-sha256; c=relaxed/relaxed; d=cygwin.com; |
| s=default; t=1707254580; | |
| bh=KxBR56Plorr6phePUBKa00c64A/Y8oxhA2NbbGrbTyc=; | |
| h=Date:Subject:To:References:In-Reply-To:List-Id:List-Unsubscribe: | |
| List-Archive:List-Post:List-Help:List-Subscribe:From:Reply-To:Cc: | |
| From; | |
| b=xYhTclGN4owDVIDW5KcZ02UpeTfOf1lo4HJ8epPswUgsasJ5GTqbaNatU8VI1bqMS | |
| 3Xp7LF+9lFW8y6RmY9ik21E3PmP2uUgCk1BA7g80BjBifB6JmX0iSFIdK5Kbb7M2Tz | |
| 6N2WkyQ2815F5omtuVNRrYb1T8bPDHRBBjSDKjZc= | |
| X-Original-To: | cygwin AT cygwin DOT com |
| Delivered-To: | cygwin AT cygwin DOT com |
| DMARC-Filter: | OpenDMARC Filter v1.4.2 sourceware.org 756423858C2F |
| ARC-Filter: | OpenARC Filter v1.0.0 sourceware.org 756423858C2F |
| ARC-Seal: | i=1; a=rsa-sha256; d=sourceware.org; s=key; t=1707254559; cv=none; |
| b=UJEeaqBs4Kb3/A9qPAfnoY4q+C6N4vkdWdi7C9RvlBQkLAE0rjE+0yImfPF0yk9ziE5Wxgat4NvOvxbL9aIED27iXFkbVqchA8tx8fV8HYSULD0Ot9UeX4YHG2rbAOSWekFtg2rI7YZgBruX1tp7WiB87w7IOXcffrUKWLofCtY= | |
| ARC-Message-Signature: | i=1; a=rsa-sha256; d=sourceware.org; s=key; |
| t=1707254559; c=relaxed/simple; | |
| bh=+pheDHQBYYeVisDLne2wnEsl+kNiIGv8wKRW3efIllg=; | |
| h=Message-ID:Date:MIME-Version:Subject:To:From; | |
| b=UiTmpXOiHS88DAhnAXz3IfHgnWA35P6QV45haQPPw7JWnwIZ5ebsyZs9ae+HQJuaPP910tVdqzmnclQAyg+/O17TgqVQUAkrXgif0CM47gTtu3EhOt3LzDakV7WjnVxnalT+wrMmDhW2+LhG5Uiissj68ikjjYadXVh1rYAKNCY= | |
| ARC-Authentication-Results: | i=1; server2.sourceware.org |
| Message-ID: | <b6f5af93-a7c1-428a-b6d3-5a9baaea3608@SystematicSW.ab.ca> |
| Date: | Tue, 6 Feb 2024 14:22:34 -0700 |
| MIME-Version: | 1.0 |
| User-Agent: | Mozilla Thunderbird |
| Subject: | Re: cygsshd fails due to bad ownership or modes of /cygdrive/c/Users |
| To: | cygwin AT cygwin DOT com |
| References: | <a2df2105-31b8-425c-a963-4ea98e2f2ffa AT f-us DOT de> |
| <e10d1c13-b167-46b1-935d-edebcf307e9a AT gmx DOT net> | |
| <439a4aeb-e8f8-42c7-6c35-c303a9366368 AT cs DOT umass DOT edu> | |
| Organization: | Systematic Software |
| In-Reply-To: | <439a4aeb-e8f8-42c7-6c35-c303a9366368@cs.umass.edu> |
| X-Rspamd-Queue-Id: | 7F8B160009 |
| X-Spam-Status: | No, score=-2.2 required=5.0 tests=BAYES_00, KAM_DMARC_STATUS, |
| KAM_SHORT, RCVD_IN_DNSWL_NONE, RCVD_IN_MSPIKE_H3, RCVD_IN_MSPIKE_WL, | |
| SPF_HELO_PASS, SPF_PASS, TXREP, T_SCC_BODY_TEXT_LINE, | |
| UNPARSEABLE_RELAY autolearn=ham autolearn_force=no version=3.4.6 | |
| X-Stat-Signature: | q5epne89yxmu7ejbyxrrkeoxgtonq1c8 |
| X-Rspamd-Server: | rspamout04 |
| X-Session-Marker: | 427269616E2E496E676C69734053797374656D6174696353572E61622E6361 |
| X-Session-ID: | U2FsdGVkX19rOjVlmJeWecgsTndJl3ZtRSY4MM+HY7k= |
| X-HE-Tag: | 1707254555-936460 |
| X-HE-Meta: | U2FsdGVkX18cu1dbSs6yvDxpJDuRIxSFX6MYUJ0wHhMRQns0wtmUFivjO3qI9NWGP5839tC1Ct+ZLQ+FOh/o/LQRdf9hNWcfSWM6IQL5XrsCGeUGoHqpc1W77I64kvsofmFc4OtxO0PHfwvkF6ogNRvHFCqaD+4a8AIS8bsoMhMPKgMNBeXHWPAJ9Vn+fgZWfoq13X/XrN0EKFAsN4pDLILplY7rnwlGEK0ClHT8yaXPkWS7xmZ+WwLiO8dBh+ELS/aRnCAzmEhm9NvxCtdVqkfRhMrHwvlinLedoU0B88Vfh3m7RA+iInIsYMA+RFD2devZPrlAs9oi9XyNYg7o9HWU+KcRS5e56P58hlRb3s2hUywYUcBd9II6qVVrDJH9QJnv2CXO4pnB3gTjO9F1KOYUlu0GJRIxyTjaz9xWCs+aLq/9gGWT/2qcvkbxU4kEp3Dfeg84RIEfoCJ/V1EqXw== |
| X-Spam-Checker-Version: | SpamAssassin 3.4.6 (2021-04-09) on |
| server2.sourceware.org | |
| X-BeenThere: | cygwin AT cygwin DOT com |
| X-Mailman-Version: | 2.1.30 |
| List-Id: | General Cygwin discussions and problem reports <cygwin.cygwin.com> |
| List-Unsubscribe: | <https://cygwin.com/mailman/options/cygwin>, |
| <mailto:cygwin-request AT cygwin DOT com?subject=unsubscribe> | |
| List-Archive: | <https://cygwin.com/pipermail/cygwin/> |
| List-Post: | <mailto:cygwin AT cygwin DOT com> |
| List-Help: | <mailto:cygwin-request AT cygwin DOT com?subject=help> |
| List-Subscribe: | <https://cygwin.com/mailman/listinfo/cygwin>, |
| <mailto:cygwin-request AT cygwin DOT com?subject=subscribe> | |
| From: | Brian Inglis via Cygwin <cygwin AT cygwin DOT com> |
| Reply-To: | cygwin AT cygwin DOT com |
| Cc: | Brian Inglis <Brian DOT Inglis AT SystematicSW DOT ab DOT ca> |
| Errors-To: | cygwin-bounces+archive-cygwin=delorie DOT com AT cygwin DOT com |
| Sender: | "Cygwin" <cygwin-bounces+archive-cygwin=delorie DOT com AT cygwin DOT com> |
| X-MIME-Autoconverted: | from base64 to 8bit by delorie.com id 416LN08V026711 |
On 2024-02-05 18:36, Eliot Moss via Cygwin wrote:
> On 2/5/2024 8:28 PM, Frank-Ulrich Sommer via Cygwin wrote:
>> On 05.02.2024 00:53, Frank-Ulrich Sommer via Cygwin wrote:
>>> I'm trying to run cygsshd on my PC with Windows 11 and connect from a linux
>>> machine. I have added the public key to
>>> /cygdrive/c/Users/xxx/.ssh/authorized_keys and created a symbolic link from
>>> /cygdrive/c/Users/xxx/.ssh to /home/xxx/.ssh. As usual I checked the access
>>> rights and mode of the .ssh directory (700 and belongs to user xxx) and the
>>> authorized_keys file (600 and also belongs to user xxx) and also of the home
>>> directory (had to change ownership).
Change the symlink from Cygwin home to your home, as symlinks have a+rwx perms,
so you can not use one for .ssh:
$ ln -sv `cygpath -aU "C:/Users/$USER"` /home/
>>> Now I get the following strange messages:
>>> [...]
>>> Feb 5 00:35:50 XXXXX sshd: PID 2798: debug1: temporarily_use_uid:
>>> 197609/197121 (e=18/18)
>>> Feb 5 00:35:50 XXXXX sshd: PID 2798: debug1: trying public key file
>>> /home/xxx/.ssh/authorized_keys
>>> Feb 5 00:35:50 XXXXX sshd: PID 2798: debug1: fd 5 clearing O_NONBLOCK
>>> Feb 5 00:35:50 XXXXX sshd: PID 2798: Authentication refused: bad ownership
>>> or modes for directory /cygdrive/c/Users
>>> Feb 5 00:35:50 XXXXX sshd: PID 2798: debug1: restore_uid: 18/18
>>> [...]
>>> Why is cygsshd complaining about the Windows "Users" directory and not about
>>> the directory of user xxx (/cygdrive/c/Users/xxx)? And how can I solve this?
>> Looking at the OpenSSH source code (on Github, not from Cygwin) I found a
>> function "safe_path" that checks that the ownership and access modes for all
>> path components are correct. This relies on "platform_sys_dir_uid" which
>> checks if a UID may own a system directory. The code checks for UID zero and
>> might also accept an OS specific second value (PLATFORM_SYS_DIR_UID) but for
>> Cygwin this seems not to be set. But I don't know where to find the source
>> code for the exact version that is used in Cygwin and I'm unsure about build
>> settings.
Run Cygwin setup and select package openssh Source checkbox to download the
source package, or go to your Cygwin upstream mirror and download the source
tarball shown in setup.ini prefixed with your nearest Cygwin mirror site e.g.
https://ftp.fau.de/cygwin/x86_64/release/openssh/openssh-9.6p1-1-src.tar.xz
Build settings are in the Cygwin package build control script definitions file
openssh.cygport in the source tarball or build repo:
https://cygwin.com/cgit/cygwin-packages/openssh/tree/openssh.cygport
...
--disable-strip
--with-kerberos5=/usr
--libexecdir=/usr/sbin
--with-xauth=/usr/bin/xauth
--with-libedit
--with-security-key-builtin
>> A comment defines this a safe path as follows:
>> "This is defined as all components of the path to the file must be owned by
>> either the owner of the file or root and no directories must be group or world
>> writable."
>> The "Users" directory is owned by "SYSTEM" (numeric: 18 according to stat) and
>> only writable by Administrators and SYSTEM. The mode cygwin shows for
>> /cygdrive/c/Users is 0750 which should be OK.
>> So my question is: are "Administrators" and "SYSTEM" different users and does
>> cygsshd accept SYSTEM (numeric 18) as a valid user who may own system
>> directories? If the numeric ID is really 18 I can't see how this check can
>> succeed but I'm not sure the code used in Cygwin is the same.
$ id SYSTEM
uid=18(SYSTEM) gid=18(SYSTEM) groups=544(Administrators),18(SYSTEM)
> Administrators and SYSTEM are not the same. And neither is exactly equivalent
> to the concept of root in POSIX. SYSTEM (in my experience) is used for things
> like backup tools that needs access to almost every file. Administrators is for
> system administration. I don't have deep knowledge of all of this - others can
> give a deeper / more nuanced answer.
Look at permissions at all levels:
$ lsattr -d ~/.ssh/;echo;ls -dl ~/.ssh/;echo;getfacl ~/.ssh/;\
icacls `cygpath -m ~/.ssh`
------------ /home/BWI/.ssh/
drwx------ 1 $USER None 0 Mar 8 2023 /home/$USER/.ssh/
# file: /home/$USER/.ssh/
# owner: $USER
# group: None
user::rwx
group::---
other::---
default:user::rwx
default:group::---
default:other::---
.../.ssh/ $HOST\$USER:(F)
$HOST\None:(Rc,S,RA)
Everyone:(Rc,S,RA)
CREATOR OWNER:(OI)(CI)(IO)(F)
CREATOR GROUP:(OI)(CI)(IO)(Rc,S,RA)
Everyone:(OI)(CI)(IO)(Rc,S,RA)
Successfully processed 1 files; Failed processing 0 files
Try:
# add perm query cmds for info before and after changes
$ chmod -c u+rwx,go-rwx ~/.ssh/
$ setfacl -b ~/.ssh/
$ chmod -c u+rwx,go-rwx ~/.ssh/ # same as before
then ls -l ~/.ssh/ and ensure that:
- non-key ssh files ... have u+rw-x,go-rwx perms,
- private key files id_... have u+r-wx,go-rwx perms, and
- public key files id_*.pub have a+r-wx perms.
--
Take care. Thanks, Brian Inglis Calgary, Alberta, Canada
La perfection est atteinte Perfection is achieved
non pas lorsqu'il n'y a plus rien à ajouter not when there is no more to add
mais lorsqu'il n'y a plus rien à retirer but when there is no more to cut
-- Antoine de Saint-Exupéry
--
Problem reports: https://cygwin.com/problems.html
FAQ: https://cygwin.com/faq/
Documentation: https://cygwin.com/docs.html
Unsubscribe info: https://cygwin.com/ml/#unsubscribe-simple
| webmaster | delorie software privacy |
| Copyright © 2019 by DJ Delorie | Updated Jul 2019 |