This is the mail archive of the mailing list for the Cygwin project.

Index Nav: [Date Index] [Subject Index] [Author Index] [Thread Index]
Message Nav: [Date Prev] [Date Next] [Thread Prev] [Thread Next]

Silly question about OpenSSH and Cygwin

I'm going to cross my fingers and hope this question hasn't been asked before.

First, some fast background (skip if you find it unimportant):

In an effort to save my company some (lots) of money, I've been coding up a
system to deploy
software remotely to all of our NT4 workstations, using Free and/or open source
tools. Unfortunately,
I couldn't find a way to execute commands remotely on the workstations, so I had
to code up a mess
of MS batch and fun things like Task Scheduler and regini.exe. The current
system works, even if it
is an ugly mess. However, it's using a pull model whereby all the workstations
are ftping tarballs
from a central server and executing the contents, relying on Task Scheduler to
make it happen on
a regular basis. This means there's no central control and no easy way to turn
it off when the staff
are working late. I spent a while looking for free implementations of sshd or
*gack* rshd or even
something like telnet and came up blank.

Then, I saw the light of OpenSSH and Cygwin. I spent a while testing Cygwin and
protoyping the new
deployment system, only to discover the FAQ entry as regards Cygwin security in
a multiuser
environment ( ).

Is Cygwin still inherently insecure on a multiuser system, or is this a FAQ
entry that hasn't been
revised in a while? If it's still correct, is there any way to lock it down, or
protect Cygwin from non-
admin users? The new system I was prototyping relies on sshd running on all the
I see lots of other folks using OpenSSH on Cygwin for a variety of things, so
I'm going to guess
that I missed something.

But -- we're working in a reasonably security-conscious environment, and the
last thing I want to do
is explain myself to an audit team when they find out I deployed new code that's
hackable by
anyone logged into the workstations locally.

If I can't distribute the new system soon, I'm going to have to pull the current
one out and deploy
software manually on over 100 client machines until I can cost-justify either a
commercial SSH
implementation or S&M Server...

Thanks in advance, all.

Unsubscribe info:
Bug reporting:

Index Nav: [Date Index] [Subject Index] [Author Index] [Thread Index]
Message Nav: [Date Prev] [Date Next] [Thread Prev] [Thread Next]