X-Recipient: archive-cygwin AT delorie DOT com DomainKey-Signature: a=rsa-sha1; c=nofws; d=sourceware.org; h=list-id :list-unsubscribe:list-subscribe:list-archive:list-post :list-help:sender:from:to:subject:references:date:in-reply-to :message-id:mime-version:content-type:content-transfer-encoding; q=dns; s=default; b=IjU+dwTV9t2TAm64UWhiRTyjPFIHSYGiGaBJKObhtXh 0bECiYa8wyOALb0iyskl6uBr23UXIAS4twk54l76r8ujfITG+W0a+R5MjG5UGI9S LOmn/GeJr0K8pQ+rS8VfGAfCxwiy5aL9TE1eMvcwsNQj64P7LQ1LXFkd+VZFjdv8 = DKIM-Signature: v=1; a=rsa-sha1; c=relaxed; d=sourceware.org; h=list-id :list-unsubscribe:list-subscribe:list-archive:list-post :list-help:sender:from:to:subject:references:date:in-reply-to :message-id:mime-version:content-type:content-transfer-encoding; s=default; bh=0FIvF4xm1l00S2vwD+6H1GNF4Lc=; b=lW5gKQtkq1Lb1TOxg BbElopBFD/P+ZZD9dWlbn+5f8fDpKAbykfaVxQUqS9RV9y8eQPE38jryGDP2Rvg9 7t26+ATSYgF+aI8Qx1YEwwOuHJ7wmzRHfTUm4yANo8MTwF5TznU6dNX2+cidp9yt +8tCEhA2lfb7we7IcZMIUsPPsA= Mailing-List: contact cygwin-help AT cygwin DOT com; run by ezmlm List-Id: List-Subscribe: List-Archive: List-Post: List-Help: , Sender: cygwin-owner AT cygwin DOT com Mail-Followup-To: cygwin AT cygwin DOT com Delivered-To: mailing list cygwin AT cygwin DOT com Authentication-Results: sourceware.org; auth=none X-Virus-Found: No X-Spam-SWARE-Status: No, score=-2.1 required=5.0 tests=AWL,BAYES_00,RCVD_IN_DNSWL_LOW,SPF_PASS autolearn=ham version=3.3.2 spammy=boil, H*i:sk:CACoZoo, H*f:sk:Br5xYFv, H*f:Wh9a8CDvyUHpqj5 X-HELO: mail-in-16.arcor-online.net X-DKIM: Sendmail DKIM Filter v2.8.2 mail-in-11.arcor-online.net 3q350S4rWSz327d From: Achim Gratz To: cygwin AT cygwin DOT com Subject: Re: Possible Security Hole in SSHD w/ CYGWIN? References: <019c01d163bc$fe2fc500$fa8f4f00$@comcast.net> <019e01d163c2$d678c7e0$836a57a0$@comcast.net> <023901d165e4$925507d0$b6ff1770$@comcast.net> <87d1s1c8ld DOT fsf AT Rainer DOT invalid> Date: Sun, 14 Feb 2016 11:49:12 +0100 In-Reply-To: (Erik Soderquist's message of "Sat, 13 Feb 2016 19:14:06 -0500") Message-ID: <87a8n38t3r.fsf@Rainer.invalid> User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/25.0.90 (gnu/linux) MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 8bit X-MIME-Autoconverted: from quoted-printable to 8bit by delorie.com id u1EAnw4O022762 Erik Soderquist writes: > I would suspect Domain Admin for the Cyg_server account is a > requirement of David's environment, which neither of us know anything > about at present. I know I've had to do things that were not "best > practice" due to corporate policy on more occasions than I care to > count. If that's the case, then security of the sshd is the least of your worries and I wouldn't install sshd at all. > Actually the Cygwin doc does include instructions for accessing > network shares when using ssh public key authentication. …which boil down to the password being stored (obscured) on the machine running sshd in order for sshd to obtain the necessary authentication via password-based login. > Once again, assumptions. While I can't explicitly vouch for David's > environment, as I do not have access to check, I can vouch for mine, > and mine was configured using sshd_host_config, with the only changes > after sshd_host_config being regarding TCP and X tunneling. I have to again make an assumption, namely that if cyg_server is a local account you've checked the C$ share of the same server that sshd is running on. That's bad enough, shouldn't happen and needs fixing, but at least you wouldn't be able to access any network shares from other servers that weren't otherwise accessible for everybody. Regards, Achim. -- +<[Q+ Matrix-12 WAVE#46+305 Neuron microQkb Andromeda XTk Blofeld]>+ SD adaptations for KORG EX-800 and Poly-800MkII V0.9: http://Synth.Stromeko.net/Downloads.html#KorgSDada -- Problem reports: http://cygwin.com/problems.html FAQ: http://cygwin.com/faq/ Documentation: http://cygwin.com/docs.html Unsubscribe info: http://cygwin.com/ml/#unsubscribe-simple