Mailing-List: contact cygwin-help AT cygwin DOT com; run by ezmlm
Subject: RE: openSSH 'privilege separation feature
Date: Mon, 24 Jun 2002 10:51:57 -0400
From: "Harig, Mark A."
To: "Tony Arnold"
Mail-Followup-To: cygwin AT cygwin DOT com

Corinna Vinschen made it pretty clear at the start of the announcement of
the availability of OpenSSH 3.3p1-1 that the Cygwin version would NOT
support privilege separation:

> This release introduces privilege separation (see official release
> message below) as default setting. Since privilege separation requires
> the OS to be able to transmit file descriptors via sendmsg(2)/recvmsg(2),
> this doesn't work in current Cygwin releases. However, in Cygwin the
> /etc/sshd_config file must contain the following line to let sshd work:
>
> UsePrivilegeSeparation no

> -----Original Message-----
> From: Tony Arnold [mailto:tony DOT arnold AT man DOT ac DOT uk]
> Sent: Monday, June 24, 2002 10:32 AM
> To: cygwin AT cygwin DOT com
> Subject: openSSH 'privilege separation feature
>
>
> Dear Cygwinners!
>
> I've just upgraded to the latest OpenSSH cygwin package, viz., 3.3p1-1
> and it seems the new 'privilege separation' feature is
> causing problems.
>
> The first problem was that after upgrading, the sshd service would not
> start. /var/log/sshd.log indicated the username sshd did not exist so
> 'privilege separation' did not work.
>
> I then followed some instructions on the OpenSSH web pages which said I
> had to create a user called sshd and also a group sshd and also create a
> directory /var/empty which I chown'd to SYSTEM.SYSTEM. The sshd service
> would then start without error.
>
> However, when trying to ssh to my PC, debug output from sshd shows the
> following:
>
> ----------- sshd output starts here -------------------
> C:\cygwin\usr\sbin>sshd -d > sshd.log
> debug1: sshd version OpenSSH_3.3
> debug1: private host key: #0 type 0 RSA1
> debug1: read PEM private key done: type RSA
> debug1: private host key: #1 type 1 RSA
> debug1: read PEM private key done: type DSA
> debug1: private host key: #2 type 2 DSA
> debug1: Bind to port 22 on 0.0.0.0.
> Server listening on 0.0.0.0 port 22.
> Generating 768 bit RSA key.
> RSA key generation complete.
> debug1: Server will not fork when running in debugging mode.
> Connection from 130.88.201.150 port 2608
> debug1: Client protocol version 2.0; client software version OpenSSH_3.3
> debug1: match: OpenSSH_3.3 pat OpenSSH*
> Enabling compatibility mode for protocol 2.0
> debug1: Local version string SSH-1.99-OpenSSH_3.3
> debug1: list_hostkey_types: ssh-rsa,ssh-dss
> debug1: SSH2_MSG_KEXINIT sent
> debug1: SSH2_MSG_KEXINIT received
> debug1: kex: client->server aes128-cbc hmac-md5 none
> debug1: kex: server->client aes128-cbc hmac-md5 none
> debug1: SSH2_MSG_KEX_DH_GEX_REQUEST received
> debug1: SSH2_MSG_KEX_DH_GEX_GROUP sent
> debug1: dh_gen_key: priv key bits set: 122/256
> debug1: bits set: 1615/3191
> debug1: expecting SSH2_MSG_KEX_DH_GEX_INIT
> debug1: bits set: 1616/3191
> debug1: SSH2_MSG_KEX_DH_GEX_REPLY sent
> debug1: kex_derive_keys
> debug1: newkeys: mode 1
> debug1: SSH2_MSG_NEWKEYS sent
> debug1: waiting for SSH2_MSG_NEWKEYS
> debug1: newkeys: mode 0
> debug1: SSH2_MSG_NEWKEYS received
> debug1: KEX done
> debug1: userauth-request for user zzalsaca service ssh-connection method none
> debug1: attempt 0 failures 0
> Failed none for zzalsaca from 130.88.201.150 port 2608 ssh2
> Failed none for zzalsaca from 130.88.201.150 port 2608 ssh2
> debug1: userauth-request for user zzalsaca service ssh-connection method publickey
> debug1: attempt 1 failures 1
> debug1: test whether pkalg/pkblob are acceptable
> debug1: temporarily_use_uid: 1000/513 (e=18)
> debug1: trying public key file /home/zzalsaca/.ssh/authorized_keys
> debug1: matching key found: file /home/zzalsaca/.ssh/authorized_keys, line 1
> Found matching DSA key: 84:41:80:86:3c:50:aa:c6:92:c0:c0:1a:3e:ab:46:ab
> debug1: restore_uid
> Postponed publickey for zzalsaca from 130.88.201.150 port 2608 ssh2
> debug1: userauth-request for user zzalsaca service ssh-connection method publickey
> debug1: attempt 2 failures 1
> debug1: temporarily_use_uid: 1000/513 (e=18)
> debug1: trying public key file /home/zzalsaca/.ssh/authorized_keys
> debug1: matching key found: file /home/zzalsaca/.ssh/authorized_keys, line 1
> Found matching DSA key: 84:41:80:86:3c:50:aa:c6:92:c0:c0:1a:3e:ab:46:ab
> debug1: restore_uid
> debug1: ssh_dss_verify: signature correct
> Accepted hostbased for zzalsaca from 130.88.201.150 port 2608 ssh2
> debug1: monitor_child_preauth: zzalsaca has been authenticated by privileged process
> Accepted publickey for zzalsaca from 130.88.201.150 port 2608 ssh2
> debug1: newkeys: mode 0
> debug1: newkeys: mode 1
> debug1: Entering interactive session for SSH2.
> debug1: fd 7 setting O_NONBLOCK
> debug1: fd 8 setting O_NONBLOCK
> debug1: server_init_dispatch_20
> debug1: server_input_channel_open: ctype session rchan 0 win 65536 max 16384
> debug1: input_session_request
> debug1: channel 0: new [server-session]
> debug1: session_new: init
> debug1: session_new: session 0
> debug1: session_open: channel 0
> debug1: session_open: session 0: link with channel 0
> debug1: server_input_channel_open: confirm session
> debug1: server_input_channel_req: channel 0 request pty-req reply 0
> debug1: session_by_channel: session 0 channel 0
> debug1: session_input_channel_req: session 0 req pty-req
> debug1: Allocating pty.
> debug1: session_new: init
> debug1: session_new: session 0
> mm_send_fd: sendmsg(3): Bad address
> debug1: Calling cleanup 0x415acc(0x446474)
> debug1: session_pty_cleanup: session 0 release /dev/tty2
> syslogin_perform_logout: logout() returned an error
> debug1: Calling cleanup 0x41c724(0x0)
> mm_receive_fd: recvmsg: expected received 1 got 0
> debug1: Calling cleanup 0x427064(0x0)
> debug1: channel_free: channel 0: server-session, nchannels 1
> debug1: Calling cleanup 0x41c724(0x0)
>
> C:\cygwin\usr\sbin>
> -------------- sshd output ends here ------------------
>
> It looks to me like the line starting mm_send_fd is where the problem
> lies, but I don't know what it means.
>
> Can anyone help?
>
> Regards,
> Tony.
> --
> Tony Arnold, Deputy to the Head of COS Division, Manchester Computing,
> University of Manchester, Oxford Road, Manchester M13 9PL.
> T: +44 (0)161 275 6093, F: +44 (0)870 136 1004, M: +44 (0)773 330 0039
> E-mail: tony DOT arnold AT man DOT ac DOT uk, Home: http://www.man.ac.uk/Tony.Arnold
>
>
> --
> Unsubscribe info: http://cygwin.com/ml/#unsubscribe-simple
> Bug reporting: http://cygwin.com/bugs.html
> Documentation: http://cygwin.com/docs.html
> FAQ: http://cygwin.com/faq/
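To make concrete what the quoted announcement means by transmitting file descriptors via sendmsg(2)/recvmsg(2), here is an added example (not OpenSSH's code and not part of the original post) of the SCM_RIGHTS round trip that the sshd monitor's mm_send_fd/mm_receive_fd pair performs, plus a probe that reports whether the running OS supports it. The names send_fd, recv_fd and fd_passing_works are my own, and it assumes a POSIX system with AF_UNIX sockets.

```c
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>
/* Added example, not OpenSSH code. One byte of payload plus ancillary space
 * for exactly one descriptor; the union keeps the cmsg buffer aligned. */
struct fdmsg { char data; struct iovec iov; struct msghdr msg;
    union { struct cmsghdr hdr; char buf[CMSG_SPACE(sizeof(int))]; } u; };
static void fdmsg_init(struct fdmsg *m)
{
    memset(m, 0, sizeof *m);
    m->iov.iov_base = &m->data;     m->iov.iov_len = 1;
    m->msg.msg_iov = &m->iov;       m->msg.msg_iovlen = 1;
    m->msg.msg_control = m->u.buf;  m->msg.msg_controllen = sizeof m->u.buf;
}

/* Send fd over AF_UNIX socket sock with SCM_RIGHTS (what mm_send_fd does). 0 or -1. */
int send_fd(int sock, int fd)
{
    struct fdmsg m; struct cmsghdr *cm;
    fdmsg_init(&m);
    cm = CMSG_FIRSTHDR(&m.msg);
    cm->cmsg_level = SOL_SOCKET; cm->cmsg_type = SCM_RIGHTS;
    cm->cmsg_len = CMSG_LEN(sizeof(int));
    memcpy(CMSG_DATA(cm), &fd, sizeof(int));
    /* On an OS without fd passing this is the "mm_send_fd: sendmsg: Bad address" point. */
    return sendmsg(sock, &m.msg, 0) == 1 ? 0 : -1;
}

/* Receive one descriptor (what mm_receive_fd does); -1 if none arrived. */
int recv_fd(int sock)
{
    struct fdmsg m; struct cmsghdr *cm; int fd;
    fdmsg_init(&m);
    if (recvmsg(sock, &m.msg, 0) != 1) return -1;   /* "expected received 1 got 0" */
    cm = CMSG_FIRSTHDR(&m.msg);
    if (cm == NULL || cm->cmsg_level != SOL_SOCKET || cm->cmsg_type != SCM_RIGHTS) return -1;
    memcpy(&fd, CMSG_DATA(cm), sizeof(int));
    return fd;
}

/* Probe: pass a pipe's write end across a socketpair and write through the copy. 1 = OK. */
int fd_passing_works(void)
{
    int sv[2], pfd[2], fd; char c = 0;
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) < 0 || pipe(pfd) < 0) return 0;
    if (send_fd(sv[0], pfd[1]) < 0 || (fd = recv_fd(sv[1])) < 0) return 0;
    if (write(fd, "x", 1) != 1 || read(pfd[0], &c, 1) != 1) return 0;
    close(fd); close(pfd[0]); close(pfd[1]); close(sv[0]); close(sv[1]);
    return c == 'x';
}
```

Where the probe returns 0, the monitor cannot hand descriptors such as the pty to the unprivileged child, which is the failure the log above shows right after "Allocating pty."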