Mailing-List: contact cygwin-help AT sourceware DOT cygnus DOT com; run by ezmlm
From: joshua DOT newton AT dfs DOT com
To: cygwin AT cygwin DOT com
Message-ID: <88256AA2.00500311.00@us-sfo-hub01.dfs>
Date: Wed, 8 Aug 2001 07:31:30 -0700
Subject: Silly question about OpenSSH and Cygwin

I'm going to cross my fingers and hope this question hasn't been asked before.

First, some fast background (skip if you find it unimportant):

In an effort to save my company some (lots) of money, I've been coding up a system to deploy software remotely to all of our NT4 workstations, using Free and/or open source tools. Unfortunately, I couldn't find a way to execute commands remotely on the workstations, so I had to code up a mess of MS batch and fun things like Task Scheduler and regini.exe.

The current system works, even if it is an ugly mess. However, it's using a pull model whereby all the workstations are ftping tarballs from a central server and executing the contents, relying on Task Scheduler to make it happen on a regular basis. This means there's no central control and no easy way to turn it off when the staff are working late.

I spent a while looking for free implementations of sshd or *gack* rshd or even something like telnet and came up blank. Then, I saw the light of OpenSSH and Cygwin. I spent a while testing Cygwin and prototyping the new deployment system, only to discover the FAQ entry as regards Cygwin security in a multiuser environment ( http://www.cygwin.com/faq/faq_4.html#SEC71 ).

Is Cygwin still inherently insecure on a multiuser system, or is this a FAQ entry that hasn't been revised in a while? If it's still correct, is there any way to lock it down, or protect Cygwin from non-admin users? The new system I was prototyping relies on sshd running on all the workstations.

I see lots of other folks using OpenSSH on Cygwin for a variety of things, so I'm going to guess that I missed something. But -- we're working in a reasonably security-conscious environment, and the last thing I want to do is explain myself to an audit team when they find out I deployed new code that's hackable by anyone logged into the workstations locally.

If I can't distribute the new system soon, I'm going to have to pull the current one out and deploy software manually on over 100 client machines until I can cost-justify either a commercial SSH implementation or S&M Server...

Thanks in advance, all.