Date: Mon, 11 Oct 2004 12:49:09 -0400 (EDT)
From: Igor Pechtchanski
To: cygwin AT cygwin DOT com
Subject: Re: SSHD installation defaults / security

On Mon, 11 Oct 2004, Corinna Vinschen wrote:

> On Oct 11 13:29, Jochen Wezel wrote:
> > Hi!
> >
> > I've installed today the current release of cygwin (1.5.11-1) with
> > OpenSSH package.
> >
> > There are 2 issues:
> >
> > 1. This package (or at least the ssh-host-config script) depends on
> > cygserver
>
> Neither the package nor ssh-host-config depend on cygserver. Dunno how
> you get the idea. Do you mean cygrunsrv? Yes, the ssh-host-config
> script depends on it *iff* you answer the question to install sshd as a
> service.
>
> I'm not sure if the package should require cygrunsrv, though. The
> /usr/share/doc/Cygwin/openssh.README file mentions that cygrunsrv is
> required to install sshd as service on NT systems.

Well, in the spirit of CGF's comment about tetex-x11 requiring X because
of xdvi (see ), perhaps openssh *should* require cygrunsrv.

> > 2. After installation, the /etc/sshd_config file allows SSH protocol 1
> > by default. Since this protocol 1 has a conceptual security hole, it
> > should not be available after standard setup. If somebody requires it,
> > he had to manually configure the sshd_config. That's why I suggest to
> > change that file to:
> >
> > Port 22
> > Protocol 2 #,1 # <-- activate protocol version 1 here, if
> > you really require it
> > #ListenAddress 0.0.0.0
> > #ListenAddress ::
> >
> > Please can the developers do these changes?
>
> The above installation of /etc/sshd_config is, except for a small Cygwin
> specific tweak, the same sshd_config file as you get it when building
> and installing OpenSSH from scratch. There's no reason to change that
> unless the core developers of OpenSSH decide to install it differently.

IOW, Jochen, take it up with the upstream openssh team...
	Igor
-- 
http://cs.nyu.edu/~pechtcha/
Igor Pechtchanski, Ph.D.

"Happiness lies in being privileged to work hard for long hours in doing
whatever you think is worth doing." -- Dr. Jubal Harshaw
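
Added example, not part of the original message and not code from Cygwin or OpenSSH: a small check an administrator can run against /etc/sshd_config to see whether the active Protocol line still lists version 1. The function names are hypothetical, the sample file is constructed from the lines quoted in the thread, and "#" is assumed to start a trailing comment as in the suggested line; "unset" means no active Protocol line exists, so the daemon's built-in default applies.

```shell
#!/bin/sh
# Added example (not from the thread): does this sshd_config enable protocol 1?

# effective_protocol FILE
# Prints the value of the first active "Protocol" line with blanks removed,
# e.g. "2,1". Prints an empty value or nothing when no protocol is set.
effective_protocol() {
    awk '
        /^[ \t]*#/ { next }              # skip commented-out directives
        tolower($1) == "protocol" {      # keywords are case-insensitive
            sub(/#.*/, "")               # assumption: "#" starts a trailing comment
            v = ""
            for (i = 2; i <= NF; i++) v = v $i
            print v
            exit                         # the first obtained value is the one used
        }
    ' "$1"
}

# audit_protocol FILE -> prints "unset", "v1-enabled" or "v1-disabled"
audit_protocol() {
    value=$(effective_protocol "$1")
    case ",$value," in
        ,,)     echo "unset" ;;          # no active line: built-in default applies
        *,1,*)  echo "v1-enabled" ;;     # "1" appears in the comma-separated list
        *)      echo "v1-disabled" ;;
    esac
}

# Constructed sample: the file as suggested in the thread.
sample=$(mktemp)
cat > "$sample" <<'EOF'
Port 22
#Protocol 2,1
Protocol 2 #,1 # <-- activate protocol version 1 here, if you really require it
#ListenAddress 0.0.0.0
EOF
echo "suggested config: $(audit_protocol "$sample")"
rm -f "$sample"
```

Run audit_protocol /etc/sshd_config on the installed file; a result of "unset" has to be judged against the default of the sshd version in use.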