Date: Mon, 7 Aug 2023 19:40:38 +0200
From: Corinna Vinschen via Cygwin
To: cygwin AT cygwin DOT com
Subject: Re: sshd_config AllowStreamLocalForwarding perm off / effectively privsep off

On Aug 7 22:11, Shaddy Baddah via Cygwin wrote:
> Hi,
>
> For the current OpenSSH server (9.3p2), AllowStreamLocalForwarding
> defaults on. That means both local and remote unix socket port
> forwarding are possible.
>
> For Cygwin, it appears the remote form of this is not possible. The
> following message is seen on the client-side, regardless of whether
> sshd_config explicitly defines AllowStreamLocalForwarding "on", or
> "all":
>
> |Forwarding port.
> |debug1: Remote: Server has disabled streamlocal forwarding.
>
> Finding the code around this, and a three(?) component conditional
> expression that "fails" into that message, I discovered that the
> reason it is not allowed is the following conditional:
>
> | (pw->pw_uid != 0 && !use_privsep)) {
>
> and to my surprise, after compiling a debug version of sshd to discover
> this conditional, it turns out that use_privsep is set to zero (0).
>
> I've been around the Cygwin community for many years, and I remember
> the time when ssh-host-config prompted for priv sep, and the creation
> of the "sshd" local user.
>
> I remember the transition when that prompt was removed, and reading that
> priv sep was now "on permanently".
>
> I think there is a misunderstanding here though, though I'm not 100%
> sure of my reading of the situation. It appears that though priv sep is
> on by default, for Cygwin, it is effectively off, as it cannot be
> implemented???

Privilege separation in OpenSSH consists of two independent parts, both
of which require AF_UNIX sockets.

The first part is transmission of peer credentials per the SO_PEERCRED
socket option. This was relatively easy to implement.

The other part of privilege separation requires AF_UNIX sockets to allow
sending and receiving open file descriptors via the SCM_RIGHTS ancillary
data feature. This does not work in Cygwin.

> DISABLE_FD_PASS is always set by autoconf for Cygwin. And my reading is
> that not having that capability effectively means whatever the other
> criteria, the executing process doesn't have sufficient "separation" of
> privilege to be treated in the same manner.

Yes, the parts of OpenSSH requiring descriptor passing are disabled in
OpenSSH.

> Otherwise, what's the solution?

Solution for what? What is it you want to do?

Corinna

--
Problem reports: https://cygwin.com/problems.html
FAQ: https://cygwin.com/faq/
Documentation: https://cygwin.com/docs.html
Unsubscribe info: https://cygwin.com/ml/#unsubscribe-simple
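The SCM_RIGHTS descriptor passing that Corinna's reply refers to, as an added C example that is not from this thread or from OpenSSH: it passes a pipe's read end across an AF_UNIX socketpair and checks that the received copy actually works, which is the capability OpenSSH's DISABLE_FD_PASS build setting marks as absent on Cygwin (the SO_PEERCRED half of privsep is not shown). The names send_fd, recv_fd and probe_fd_passing are my own; on Linux the probe returns 1.

```c
#include <string.h>
#include <unistd.h>
#include <sys/socket.h>
/* Ancillary-data buffer sized (and aligned) for exactly one descriptor. */
union cmsgbuf { struct cmsghdr hdr; char bytes[CMSG_SPACE(sizeof(int))]; };
/* Send fd_to_send over an AF_UNIX socket as SCM_RIGHTS ancillary data; a payload byte must accompany it. */
static int send_fd(int sock, int fd_to_send)
{
    char byte = 'F';
    struct iovec iov = { .iov_base = &byte, .iov_len = 1 };
    union cmsgbuf cm = { 0 };
    struct msghdr msg = { .msg_iov = &iov, .msg_iovlen = 1, .msg_control = cm.bytes, .msg_controllen = sizeof cm.bytes };
    struct cmsghdr *c = CMSG_FIRSTHDR(&msg);
    c->cmsg_level = SOL_SOCKET; c->cmsg_type = SCM_RIGHTS;
    c->cmsg_len = CMSG_LEN(sizeof(int));
    memcpy(CMSG_DATA(c), &fd_to_send, sizeof(int));
    return sendmsg(sock, &msg, 0) == 1 ? 0 : -1;
}
/* Receive one descriptor; returns the kernel-duplicated fd, or -1 if no SCM_RIGHTS arrived. */
static int recv_fd(int sock)
{
    char byte;
    struct iovec iov = { .iov_base = &byte, .iov_len = 1 };
    union cmsgbuf cm = { 0 };
    struct msghdr msg = { .msg_iov = &iov, .msg_iovlen = 1, .msg_control = cm.bytes, .msg_controllen = sizeof cm.bytes };
    struct cmsghdr *c; int fd = -1;
    if (recvmsg(sock, &msg, 0) != 1)
        return -1;
    for (c = CMSG_FIRSTHDR(&msg); c; c = CMSG_NXTHDR(&msg, c))
        if (c->cmsg_level == SOL_SOCKET && c->cmsg_type == SCM_RIGHTS)
            memcpy(&fd, CMSG_DATA(c), sizeof(int));
    return fd;
}
/* Probe (hypothetical helper): pass a pipe's read end across a socketpair and read back
 * through the copy. Returns 1 when descriptor passing works, 0 when it does not. */
int probe_fd_passing(void)
{
    int sv[2], p[2], copy;
    char out = 'x', in = 0;
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) < 0 || pipe(p) < 0)
        return 0;
    if (send_fd(sv[0], p[0]) == 0 && (copy = recv_fd(sv[1])) >= 0) {
        if (write(p[1], &out, 1) != 1 || read(copy, &in, 1) != 1)
            in = 0;
        close(copy);
    }
    close(sv[0]); close(sv[1]); close(p[0]); close(p[1]);
    return in == 'x';
}
```

Call probe_fd_passing() from a small main; a platform whose sockets do not carry SCM_RIGHTS should report 0, which is the situation the DISABLE_FD_PASS build setting covers.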