Mailing-List: contact cygwin-help@cygwin.com; run by ezmlm
List-Id: <cygwin.cygwin.com>
List-Subscribe: <mailto:cygwin-subscribe@cygwin.com>
List-Archive: <http://sourceware.org/ml/cygwin/>
List-Post: <mailto:cygwin@cygwin.com>
List-Help: <mailto:cygwin-help@cygwin.com>, <http://sourceware.org/ml/#faqs>
Sender: cygwin-owner@cygwin.com
Mail-Followup-To: cygwin@cygwin.com
Reply-To: cygwin@cygwin.com
Subject: Re: openssh: privilege separation no longer supported on Cygwin? SURPRISE!
References: <d436698bbd53eef3cbdda788d4926109@xs4all.nl> <37b863f6-ce5c-ef13-569f-8044fe485075@gmail.com> <20e2702ca3837f5d54c558f8e786c717@xs4all.nl> <b16023ad6735108510ae351a8378a420@xs4all.nl> <262615c8cf6e134cedf97b0280c4a68f@smtp-cloud2.xs4all.net>
To: cygwin@cygwin.com
From: "Larry Hall (Cygwin)" <reply-to-list-only-lh@cygwin.com>
Message-ID: <592E1C49.6020202@cygwin.com>
Date: Tue, 30 May 2017 21:28:41 -0400
User-Agent: Mozilla/5.0 (X11; Linux i686; rv:38.0) Gecko/20100101 Thunderbird/38.1.0
MIME-Version: 1.0
In-Reply-To: <262615c8cf6e134cedf97b0280c4a68f@smtp-cloud2.xs4all.net>
Content-Type: text/plain; charset=utf-8; format=flowed
Content-Transfer-Encoding: 7bit

On 05/30/2017 09:50 AM, Houder wrote:
> On Mon, 29 May 2017 19:14:30, Houder wrote:
>
> [snip]
>> As if the "sshd" account is NEVER, NEVER used during the _whole_ process
>> (that is, there is NO privilege separation, as far as I can tell).
>
> .. wanted to share this experience with you.
>
>   - deleted user/account 'sshd' # net user sshd /delete
>   - modified the last part (rid?) of the sid belonging to user/account 'sshd'
>     in xxxx (in /etc/passwd)
>   - rebooted
>
> Before reboot, I changed 'sshd' into an automatic service (was: manual)
>
> After the system had rebooted:
>
>   - 'cygrunsrv -Q sshd' shows 'sshd' running ...
>   - 'tail -f /var/log/sshd.log' shows 'sshd' listening ...
>   - 'net user' shows user/account 'sshd' gone ...
>
> I can still use ssh ... (both password authentication and key authentication)
>
> Yes, if I remove user/account 'sshd' completely from /etc/passwd, only
> then 'sshd' won't start ...

Cygwin's link to the Windows user ID is through the UID/SID mapping.  In
your case, you're apparently using /etc/passwd and so that's where the
mapping happens.  You can map the UID of a Cygwin user to any valid Windows
SID by editing the SID as you did.  This doesn't change how things look in
the Cygwin environment (i.e. the UID and user name are still the same) but
it does make a difference to Windows.  So the fact that you can change the
SID for the 'sshd' user and still get it to run is not all that surprising,
assuming that the new Windows SID that you're using as 'sshd' now has at
least similar permissions.  Of course, if you remove Cygwin's understanding
of 'sshd' so that it can't do the mapping of UID to SID or even have a
valid UID, then subsequent problems are not unexpected.


-- 
Larry

_____________________________________________________________________

A: Yes.
 > Q: Are you sure?
 >> A: Because it reverses the logical flow of conversation.
 >>> Q: Why is top posting annoying in email?

--
Problem reports:       http://cygwin.com/problems.html
FAQ:                   http://cygwin.com/faq/
Documentation:         http://cygwin.com/docs.html
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple
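The mapping Larry describes, modelled as an added example (not code from the thread or from the Cygwin project): the entries below are constructed in the format mkpasswd writes to /etc/passwd (name:passwd:uid:gid:gecos,U-DOMAIN\name,SID:home:shell), and the SID values and host name are invented. The functions show what stays the same on the Cygwin side (name, UID) and what changes on the Windows side (SID) when only the RID is edited, and what breaks when the entry is removed. Whether the new SID actually belongs to a Windows account with the permissions sshd needs is something only Windows can answer; the check here is the offline part.

```python
# Added example: model Cygwin's /etc/passwd UID -> SID mapping.
# Sample data is constructed; SIDs and host name are not real.
from dataclasses import dataclass, replace
from typing import Dict, Optional

# Constructed Cygwin-style passwd file (the GECOS field carries the SID last).
SAMPLE_PASSWD = """\
cyg_server:unused:1002:513:Privileged server,U-HOST\\cyg_server,S-1-5-21-1000000001-1000000002-1000000003-1002:/var/empty:/bin/false
sshd:unused:1003:513:sshd privsep,U-HOST\\sshd,S-1-5-21-1000000001-1000000002-1000000003-1003:/var/empty:/bin/false
houder:unused:1001:513:U-HOST\\houder,S-1-5-21-1000000001-1000000002-1000000003-1001:/home/houder:/bin/bash
"""


@dataclass(frozen=True)
class Entry:
    name: str
    uid: int
    gid: int
    gecos: str
    sid: Optional[str]  # Windows SID from the last comma-separated GECOS element
    home: str
    shell: str


def parse_passwd(text: str) -> Dict[str, Entry]:
    """Parse passwd lines into a name -> Entry map; reject malformed lines."""
    db: Dict[str, Entry] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            raise ValueError(f"malformed passwd line: {line!r}")
        name, _pw, uid, gid, gecos, home, shell = fields
        last = gecos.rsplit(",", 1)[-1]
        sid = last if last.startswith("S-1-") else None
        db[name] = Entry(name, int(uid), int(gid), gecos, sid, home, shell)
    return db


def format_entry(e: Entry) -> str:
    """Serialise an entry back to a passwd line (password field is 'unused')."""
    return f"{e.name}:unused:{e.uid}:{e.gid}:{e.gecos}:{e.home}:{e.shell}"


def name_to_uid(db: Dict[str, Entry], name: str) -> int:
    """The Cygwin-side view: a user name resolves to a UID."""
    return db[name].uid


def uid_to_sid(db: Dict[str, Entry], uid: int) -> Optional[str]:
    """The Windows-side view: the UID is only meaningful through its SID."""
    for e in db.values():
        if e.uid == uid:
            return e.sid
    return None


def rid(sid: str) -> int:
    """Relative identifier: the last dash-separated component of a SID."""
    return int(sid.rsplit("-", 1)[1])


def remap_rid(db: Dict[str, Entry], name: str, new_rid: int) -> Dict[str, Entry]:
    """Return a copy of db where only the RID of `name`'s SID is changed.

    This is the edit Houder made: Cygwin still sees the same name and UID,
    but Windows now sees a different account.
    """
    e = db[name]
    if e.sid is None:
        raise ValueError(f"{name} has no SID in its GECOS field")
    new_sid = e.sid.rsplit("-", 1)[0] + f"-{new_rid}"
    head = e.gecos.rsplit(",", 1)[0]
    out = dict(db)
    out[name] = replace(e, gecos=f"{head},{new_sid}", sid=new_sid)
    return out


def privsep_user_status(db: Dict[str, Entry], name: str = "sshd") -> Optional[str]:
    """None if the privsep user can be mapped to a SID, else the reason it cannot."""
    e = db.get(name)
    if e is None:
        return f"no passwd entry for {name!r}: Cygwin cannot map it to a UID"
    if e.sid is None:
        return f"entry for {name!r} carries no SID: Cygwin cannot map UID {e.uid} to Windows"
    return None


if __name__ == "__main__":
    db = parse_passwd(SAMPLE_PASSWD)
    edited = remap_rid(db, "sshd", 1337)
    print("cygwin view unchanged:", name_to_uid(db, "sshd") == name_to_uid(edited, "sshd"))
    print("windows view changed: ", uid_to_sid(db, 1003), "->", uid_to_sid(edited, 1003))
    gone = {k: v for k, v in db.items() if k != "sshd"}
    print("after deleting the entry:", privsep_user_status(gone))
```

The practical consequence is the one Larry draws: whoever can write the SID column of /etc/passwd decides which Windows identity a Cygwin UID runs as, so the file deserves the same protection as the service account itself, and a regenerated entry (mkpasswd -l) is the safer way back than hand-editing an RID.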

