To: cygwin AT cygwin DOT com
From: Matthew Woehlke
Subject: Re: Updated: OpenSSH-4.4p1-1
Date: Fri, 13 Oct 2006 10:54:25 -0500

Charles Wilson wrote:
> Corinna Vinschen wrote:
>> On Oct 11 16:20, Wells, Roger K. wrote:
>>> When I installed this my previous installation broke and now the sshd
>>> server stops immediately when it is started. Any hints will be
>>> appreciated.
>>> thanks
>>
>> Maybe that's it: http://cygwin.com/ml/cygwin/2006-10/msg00250.html
>
> This is bad. Suppose I am a cygwin user on a machine to which I do not
> have Administrator privileges. Until now, I could run a personal sshd
> on a unique port, and connect back to my windows box. Now I can't --
> because, as a non-Admin, I can't create the sshd user. (and this use
> case is not a hypothetical; I do this on the job often)

It sounds like this is a technique that would be usable on platforms
other than Cygwin, as well.

> I consider this a regression -- and what's worse, IMO the patch that
> imposed this new requirement is dead wrong. Here's a fuller quote of
> the offending section of the changelog:
>
>> - (djm) [sshd.c auth.c] Set up fakepw() with privsep uid/gid, so it can
>> be used to drop privilege to; fixes Solaris GSSAPI crash reported by
>> Magnus Abrante; suggestion and feedback dtucker@
>> NB. this change will require that the privilege separation user must
>> exist on all the time, not just when UsePrivilegeSeparation=yes
>
> My translation: even when UsePrivilegeSeparation=no we are STILL going
> to use privsep. And this misfeature will be imposed across all
> platforms, just to fix a crash on one platform when using one optional
> authentication component.
>
> Not nice, not nice at all.

So you're taking it up with the ssh developers (or 'dtucker'), right?

--
Matthew
"What's Cygwin?" you ask.
'Tis mostly absurd software
Concerning hippos.