Date: Thu, 7 Nov 2002 17:11:57 +0100
From: Corinna Vinschen
To: cygwin AT cygwin DOT com
Subject: Re: [ANNOUNCEMENT] Updated: OpenSSH-3.5p1-1
Message-ID: <20021107171157.C24497@cygbert.vinschen.de>

On Thu, Nov 07, 2002 at 06:59:08AM -0800, Karl M wrote:
> Hi All...
>
> I just updated to 3.5p1-1. I had to set PermitUserEnvironment in my
> sshd_config file. Should this be included by default in the ssh-host-config
> script?

You're right that PermitUserEnvironment should be added to ssh-host-config.
But it's set to no by default, so you have to change it anyway.

> I was a bit puzzled by the file owner and permission checking for the host
> keys now (with StrictModes enabled)...If the owner is wrong, the mode
> checking is ignored. I recall this test being stronger in the past...didn't
> the owner have to be correct (SYSTEM)? If so, why the change to a kinder
> gentler (less effective) safety check?

auth.c, line 378ff:

    if (options.strict_modes &&
        (stat(user_hostfile, &st) == 0) &&
        ((st.st_uid != 0 && st.st_uid != pw->pw_uid) ||
        (st.st_mode & 022) != 0)) {
            log("Authentication refused for %.100s: "
                "bad owner or modes for %.200s",
                pw->pw_name, user_hostfile);

The above code checks the mode additionally to the user id so what's
gentler here?  Or do you mean another piece of code?

> Given the host local security issues with using Cygwin, is there much
> advantage to priv sep? Could someone please give a brief overview of what it
> is and how and why it helps?

README.privsep?

Corinna

--
Corinna Vinschen                  Please, send mails regarding Cygwin to
Cygwin Developer                  mailto:cygwin AT cygwin DOT com
Red Hat, Inc.
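Added example, not part of the original message and not OpenSSH code: the boolean expression from the auth.c lines quoted above, split into a function that reports which of its two conditions (owner, mode) would trigger "Authentication refused". The names strict_check, strict_check_path and the STRICT_* constants are hypothetical, and the uid/mode values in main() are constructed.

```c
#include <stdio.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hypothetical names; only the two tests come from the quoted auth.c lines. */
enum { STRICT_OK = 0, STRICT_BAD_OWNER = 1, STRICT_BAD_MODE = 2 };

/* Bitmask of the reasons the quoted condition evaluates to true. */
static int strict_check(uid_t file_uid, mode_t file_mode, uid_t user_uid)
{
    int r = STRICT_OK;
    if (file_uid != 0 && file_uid != user_uid)   /* owner is neither uid 0 nor the user */
        r |= STRICT_BAD_OWNER;
    if ((file_mode & 022) != 0)                  /* group- or world-writable */
        r |= STRICT_BAD_MODE;
    return r;
}

/* Same check on a real path. Returns -1 when stat() fails; in the quoted
 * code a failed stat() makes the whole condition false, so nothing is refused. */
static int strict_check_path(const char *path, uid_t user_uid)
{
    struct stat st;
    if (stat(path, &st) != 0)
        return -1;
    return strict_check(st.st_uid, st.st_mode, user_uid);
}

int main(int argc, char **argv)
{
    /* Constructed cases: file owner uid, file mode, authenticating user's uid. */
    static const struct { uid_t fuid; mode_t mode; uid_t uuid; } cases[] = {
        { 1000, 0600, 1000 }, { 0, 0644, 1000 }, { 1001, 0600, 1000 },
        { 1000, 0664, 1000 }, { 1001, 0666, 1000 },
    };
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++)
        printf("owner=%lu mode=%04o user=%lu -> %d\n",
               (unsigned long)cases[i].fuid, (unsigned)cases[i].mode,
               (unsigned long)cases[i].uuid,
               strict_check(cases[i].fuid, cases[i].mode, cases[i].uuid));

    /* Any paths given on the command line are checked against the caller's uid. */
    for (int i = 1; i < argc; i++)
        printf("%s -> %d\n", argv[i], strict_check_path(argv[i], getuid()));
    return 0;
}
```

A result of 0 means the quoted condition is false; 1, 2 or 3 means it is true because of the owner, the mode, or both.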