X-Recipient: archive-cygwin AT delorie DOT com DKIM-Filter: OpenDKIM Filter v2.11.0 sourceware.org 89CBB3854BEC DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=cygwin.com; s=default; t=1691410303; bh=iJGBTEWh2VMHidHTQifnL3JZ0Cr+3BInAQM+DpW7Kiw=; h=Date:To:Subject:List-Id:List-Unsubscribe:List-Archive:List-Post: List-Help:List-Subscribe:From:Reply-To:From; b=LL6KwYc8KZ9Ah9rEqtnzfzzs496pnr5ykUat0rHqktB2piaObtXMUWAn9YdPWzowi aPAPYm5EvAMLj7QU4AHA0OQ/xzMX82uirrSqB+RyGcLIr0V2YJm5xHyjouRw3Ip08o 1f/gBdWnyGhZAyL1cOZ4foBdJ6QuEUYOE1P5anss= X-Original-To: cygwin AT cygwin DOT com Delivered-To: cygwin AT cygwin DOT com DMARC-Filter: OpenDMARC Filter v1.4.2 sourceware.org 9FB223858418 X-Virus-Scanned: Debian amavisd-new at smtp02.aussiebb.com.au X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on server2.sourceware.org X-Spam-Level: X-Spam-Status: No, score=-2.3 required=5.0 tests=BAYES_00, KAM_DMARC_STATUS, SPF_HELO_NONE, SPF_SOFTFAIL, TXREP autolearn=no autolearn_force=no version=3.4.6 Message-ID: <883e0ae2-1ac7-1474-ba06-10d9de441390@aussiebb.com.au> Date: Mon, 7 Aug 2023 22:11:18 +1000 MIME-Version: 1.0 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:102.0) Gecko/20100101 Thunderbird/102.13.0 To: cygwin AT cygwin DOT com Subject: sshd_config AllowStreamLocalForwarding perm off / effectively privsep off X-BeenThere: cygwin AT cygwin DOT com X-Mailman-Version: 2.1.29 List-Id: General Cygwin discussions and problem reports List-Archive: List-Post: List-Help: List-Subscribe: , From: Shaddy Baddah via Cygwin Reply-To: Shaddy Baddah Content-Transfer-Encoding: 7bit Content-Type: text/plain; charset="us-ascii"; Format="flowed" Sender: "Cygwin" Hi, For the current OpenSSH server (9.3p2), AllowStreamLocalForwarding defaults on. That means both local and remote unix socket port portforwarding are possible. For Cygwin, it appears the remote form of this is not possible. The following message is seen on the client-side, regardless of whether sshd_config explicitly defines AllowStreamLocalForwarding "on", or "all": |Forwarding port. |debug1: Remote: Server has disabled streamlocal forwarding. Finding the code around this, and a three(?) component conditional expression that "fails" into that message, I discovered that the reason it is not allowed is the following conditional: | (pw->pw_uid != 0 && !use_privsep)) { and to my surprise, after compiling a debug version of sshd to discover this conditional, it turns out that use_privsep is set to zero (0). I've been around the Cygwin community for many years, and I remember the time when ssh-host-config prompted for priv sep, and the creation of the "sshd" local user. I remember the transition when that prompt was removed, and reading that priv sep was now "on permanently". I think there is a misunderstanding here though, though I'm not 100% sure of my reading of the situation. It appears that though priv sep is on by default, for Cygwin, it is effectively off, as it cannot be implemented??? Because this bit of code from sshd.c suggests if DISABLE_FD_PASS is set, then use_privsep needs to be set to false: |#ifdef DISABLE_FD_PASSING | if (1) { |#else | if (authctxt->pw->pw_uid == 0) { |#endif | /* File descriptor passing is broken or root login */ | use_privsep = 0; | goto skip; DISABLE_FD_PASS is always set by autoconf for Cygwin. And my reading is that not having that capability effectively means whatever the other criteria, the executing process doesn't have sufficient "separation" of privilege to be treated in the same manner. Otherwise, what's the solution? Because the reason for the earlier guard (the disallowal of streamlocal) was a fix for a CVE from very long ago, that allowed unix-sockets to be created on the server as "root"/privileged user. -- Regards, Shaddy -- Problem reports: https://cygwin.com/problems.html FAQ: https://cygwin.com/faq/ Documentation: https://cygwin.com/docs.html Unsubscribe info: https://cygwin.com/ml/#unsubscribe-simple