X-Recipient: archive-cygwin AT delorie DOT com
DomainKey-Signature: a=rsa-sha1; c=nofws; d=sourceware.org; h=list-id
	:list-unsubscribe:list-subscribe:list-archive:list-post
	:list-help:sender:mime-version:in-reply-to:references:date
	:message-id:subject:from:to:content-type; q=dns; s=default; b=hN
	6BmDcHboTIvl2Aosm/gMTlroQVgwJotlWecZCZTBqrrcH8SqZ3XOEJ+V0oSljOhW
	M9as1l4dOz/28TGgOV00OpJLH+FYXIMJ9LpavmfbrRDd7FryxqfzW9YapAryJjEf
	gKNdWxjjK1s8ov+GvLOIr3lB3dhMssmI4aKYP/kL0=
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed; d=sourceware.org; h=list-id
	:list-unsubscribe:list-subscribe:list-archive:list-post
	:list-help:sender:mime-version:in-reply-to:references:date
	:message-id:subject:from:to:content-type; s=default; bh=wVwFPGUh
	7TUbl4qmWOQzNyqoAoc=; b=ssA0qfyRyjJ90upFRUVsey3OXlePgPhvPDLCth+/
	sZCh7if5wx8ICEezVdLYRF3KRGHX7nOM4X9JUI4s19qu/Ll1w3fM7Mhnr18SbTaa
	8VFtpxaVTvZIZ0dRs9MJDOZOY1mYgS5ly/SODAKEiPbGFVTm4ZKIY+6vmcbI3bV3
	DsQ=
Mailing-List: contact cygwin-help AT cygwin DOT com; run by ezmlm
List-Id: <cygwin.cygwin.com>
List-Subscribe: <mailto:cygwin-subscribe AT cygwin DOT com>
List-Archive: <http://sourceware.org/ml/cygwin/>
List-Post: <mailto:cygwin AT cygwin DOT com>
List-Help: <mailto:cygwin-help AT cygwin DOT com>, <http://sourceware.org/ml/#faqs>
Sender: cygwin-owner AT cygwin DOT com
Mail-Followup-To: cygwin AT cygwin DOT com
Delivered-To: mailing list cygwin AT cygwin DOT com
Authentication-Results: sourceware.org; auth=none
X-Virus-Found: No
X-Spam-SWARE-Status: No, score=-1.2 required=5.0 tests=AWL,BAYES_00,FREEMAIL_FROM,RCVD_IN_DNSWL_LOW,SPF_PASS autolearn=ham version=3.3.2 spammy=Hx-languages-length:1517, H*f:sk:024901d, H*i:sk:024901d, accounts
X-HELO: mail-lb0-f170.google.com
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;        d=1e100.net; s=20130820;        h=x-gm-message-state:mime-version:sender:in-reply-to:references:date         :message-id:subject:from:to:content-type;        bh=aKNDqBuS83QBYYb6p+SwBCw0vX5y6acy0H1tSqWcr+s=;        b=CJeft9U1u6oEgFPxXjFNudrJJGK+tBmWmZG4zKMpJRfnxhtHc8O0M6ER+CHBvY3QVP         F13+uICeUteHKCXvYu1CTpD01ZL20gTrnEkgOOxAR+O4mH3E8emnYW019JeT6hhKQyBV         gKedLPPVU/53iyUGFqeWZ53P3Nx/hdahaU68TXqycFxulm+w2UGj527eSUWKw20X0aQR         ZRz5c7+qqvBqTVcUVThPwYzZO1ND0SD7nNdggTFlfn9a3gTNjFhKWqekjToZR3aN1Mwd         fAtIgNeffyNpa7mzOvKiaMhRSTsfHPb4+/7W3LdokrRc6EV1L0YylCBnZnxohHMFP27/         Slpg==
X-Gm-Message-State: AG10YOTyBmzqSTJand0R03NWK969YaR2wIoMMDelUM+tJBTdZc3v4hjTGzAwSdpyVZ4rOoavRCuGVo/efhMoyA==
MIME-Version: 1.0
X-Received: by 10.112.135.39 with SMTP id pp7mr3095669lbb.43.1455410062286; Sat, 13 Feb 2016 16:34:22 -0800 (PST)
In-Reply-To: <024901d166a3$a6930390$f3b90ab0$@comcast.net>
References: <019c01d163bc$fe2fc500$fa8f4f00$@comcast.net>	<CANnLRdhVrFcveO_jKb3_x=44WMJNO33DPnsJZ12Wus3U7Wo_fQ AT mail DOT gmail DOT com>	<019e01d163c2$d678c7e0$836a57a0$@comcast.net>	<023901d165e4$925507d0$b6ff1770$@comcast.net>	<87d1s1c8ld DOT fsf AT Rainer DOT invalid>	<024901d166a3$a6930390$f3b90ab0$@comcast.net>
Date: Sat, 13 Feb 2016 19:34:22 -0500
Message-ID: <CACoZoo14+ko0TZS1NtAh8R6DknAF_aoWAb1r+Nx3H+AWr_1o+w@mail.gmail.com>
Subject: Re: Possible Security Hole in SSHD w/ CYGWIN?
From: Erik Soderquist <ErikSoderquist AT gmail DOT com>
To: cygwin AT cygwin DOT com
Content-Type: text/plain; charset=UTF-8
X-IsSubscribed: yes

On Sat, Feb 13, 2016 at 4:15 PM, David Willis  wrote:
<snip>
> So you're telling me any user that logs in using key authentication cannot
> access the network as the same user (i.e. this is the intended behavior)? If
> that's the case wouldn't it be better not to allow network access at ALL,
> rather than allowing it as the service account that sshd is running as?

Responding to only this one piece at present

from https://cygwin.com/cygwin-ug-net/passwd.html

{{
-R, --reg-store-pwd      enter password to store it in the registry for
                           later usage by services to be able to switch
                           to this user context with network credentials.
}}
{{
Don't use this feature if you don't need network access within a remote
session.  You can delete your stored password by using `passwd -R' and
specifying an empty password.
}}

Since there are explicit instructions on how to store your Windows
password in a way that Cygwin sshd (and other Cygwin services) can use
the password for network authentication and that it says not to store
the credentials if you do not need network access when authenticating
via public key, I would make the logical assumptions that

#1: authenticated network access is supposed to be possible inside a
public key authenticated ssh session

#2: without storing the password as described, I should have no
network access at all, not the cyg_server account's network access
(regardless of how much or little access the cyg_server account has).

<snip>

-- Erik

--
Problem reports:       http://cygwin.com/problems.html
FAQ:                   http://cygwin.com/faq/
Documentation:         http://cygwin.com/docs.html
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple