From: "Karl M"
To: cygwin AT cygwin DOT com
Subject: Re: [ANNOUNCEMENT] Updated: OpenSSH-3.5p1-1
Date: Thu, 07 Nov 2002 09:23:30 -0800

The behavior I see now is that if I do

    chown administrators.none /etc/ssh_host_rsa_key*
    chmod 777 /etc/ssh_host_rsa_key*

Then with StrictModes enabled, sshd will start and run just fine (running as
system).

But if I then do

    chown system.none /etc/ssh_host_rsa_key*

Then sshd fails to start.

But I (think I) recall that in the past the protection had to be tight and
the owner had to be system for sshd to start? Am I remembering correctly?

Thanks,

...Karl

>From: Corinna Vinschen
>Reply-To: cygwin AT cygwin DOT com
>To: cygwin AT cygwin DOT com
>Subject: Re: [ANNOUNCEMENT] Updated: OpenSSH-3.5p1-1
>Date: Thu, 7 Nov 2002 17:11:57 +0100
>
>On Thu, Nov 07, 2002 at 06:59:08AM -0800, Karl M wrote:
> > Hi All...
> >
> > I just updated to 3.5p1-1. I had to set PermitUserEnvironment in my
> > sshd_config file. Should this be included by default in the
> > ssh-host-config script?
>
>You're right that PermitUserEnvironment should be added to ssh-host-config.
>But it's set to no by default, so you have to change it anyway.
>
> > I was a bit puzzled by the file owner and permission checking for the
> > host keys now (with StrictModes enabled)...If the owner is wrong, the
> > mode checking is ignored. I recall this test being stronger in the
> > past...didn't the owner have to be correct (SYSTEM)? If so, why the
> > change to a kinder gentler (less effective) safety check?
>
>auth.c, line 378ff:
>
>    if (options.strict_modes &&
>        (stat(user_hostfile, &st) == 0) &&
>        ((st.st_uid != 0 && st.st_uid != pw->pw_uid) ||
>         (st.st_mode & 022) != 0)) {
>            log("Authentication refused for %.100s: "
>                "bad owner or modes for %.200s",
>                pw->pw_name, user_hostfile);
>
>The above code checks the mode additionally to the user id so what's
>gentler here? Or do you mean another piece of code?
>
> > Given the host local security issues with using Cygwin, is there much
> > advantage to priv sep? Could someone please give a brief overview of
> > what it is and how and why it helps?
>
>README.privsep?
>
>Corinna
>
>--
>Corinna Vinschen                  Please, send mails regarding Cygwin to
>Cygwin Developer                  mailto:cygwin AT cygwin DOT com
>Red Hat, Inc.

--
Unsubscribe info: http://cygwin.com/ml/#unsubscribe-simple
Bug reporting: http://cygwin.com/bugs.html
Documentation: http://cygwin.com/docs.html
FAQ: http://cygwin.com/faq/