This is the mail archive of the cygwin mailing list for the Cygwin project.
Re: sshd privsep user still required?
- From: Bill Stewart <bstewart at iname dot com>
- To: cygwin at cygwin dot com
- Date: Tue, 12 Mar 2019 16:21:23 -0600
- Subject: Re: sshd privsep user still required?
- References: <CANV9t=S6LFnDSKiJsL3GpjLNC+srJCAgkScZTiG0yAbxq3b40A@mail.gmail.com>
On Thu, 17 Jan 2019 Corinna Vinschen wrote:
> > Is the sshd disabled user account still required?
>
> No, actually it isn't. These days the sshd server checks if the
> privsep chroot environment should be used and that the process
> is started under "root:root". This never matches under Cygwin so
> we could drop the sshd user requirement.
So I was exploring using the ChrootDirectory setting in sshd_config to
configure a user as sftp only.
The following seems to work:
1) Run sshd service as SYSTEM
2) Specify SYSTEM as user 0 in /etc/passwd file; e.g.:
SYSTEM:*:0:18:U-NT AUTHORITY\SYSTEM,S-1-5-18:/var/empty:/bin/false
3) Create a local sshd user account
4) Update sshd_config settings to use something such as:
Match User sftponly
ChrootDirectory /home/%u
ForceCommand internal-sftp
This works.
If the sshd account is missing or disabled, I can't connect using the
sftponly user, so it would seem that the sshd account really is required.
I have three questions:
a) Why is it necessary to specify SYSTEM as user number 0 in the
/etc/password file?
b) Why is the sshd account required?
c) Why are /cygdrive and /dev directories visible when connecting using an
sftp client?
Thanks!
Bill
--
Problem reports: http://cygwin.com/problems.html
FAQ: http://cygwin.com/faq/
Documentation: http://cygwin.com/docs.html
Unsubscribe info: http://cygwin.com/ml/#unsubscribe-simple
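As an added example (not code from this thread or from the Cygwin project), here is a small Python audit of the requirement sshd enforces on the ChrootDirectory used in the Match block above: every path component from the chroot up to "/" must be a directory owned by uid 0 and not writable by group or others, otherwise sshd rejects the chroot, which is consistent with mapping SYSTEM to uid 0 in /etc/passwd in step 2. The sshd_config text is constructed from the post's settings, and `chroot_for_user` and `audit_chroot` are names chosen here.

```python
import os
import stat

# Constructed sshd_config fragment with the same settings as the post's Match block.
SSHD_CONFIG = """\
Match User sftponly
    ChrootDirectory /home/%u
    ForceCommand internal-sftp
"""


def chroot_for_user(config_text, user):
    """Return the ChrootDirectory of `user`'s Match User block with %u expanded."""
    in_match = False
    for line in config_text.splitlines():
        parts = line.split()
        if not parts or parts[0].startswith("#"):
            continue
        if parts[0] == "Match":
            # A new Match line ends the previous block; keep only this user's.
            in_match = parts[1:3] == ["User", user]
        elif in_match and parts[0] == "ChrootDirectory":
            return parts[1].replace("%u", user)
    return None


def audit_chroot(path, root_uid=0):
    """List the problems that make sshd reject `path` as a chroot.

    sshd walks every component from `path` up to "/": each must be a directory
    owned by uid 0 and not group/world writable. Under Cygwin uid 0 is whatever
    /etc/passwd maps to it (SYSTEM in the post); pass root_uid to match that.
    """
    problems = []
    current = os.path.abspath(path)
    while True:
        try:
            st = os.stat(current)
        except FileNotFoundError:
            problems.append(f"{current}: does not exist")
            break
        if not stat.S_ISDIR(st.st_mode):
            problems.append(f"{current}: not a directory")
        if st.st_uid != root_uid:
            problems.append(f"{current}: owned by uid {st.st_uid}, not {root_uid}")
        if st.st_mode & 0o022:
            problems.append(f"{current}: writable by group or others")
        parent = os.path.dirname(current)
        if parent == current:  # reached "/"
            break
        current = parent
    return problems
```

Run `audit_chroot(chroot_for_user(SSHD_CONFIG, "sftponly"))` on the server to see which component sshd would object to; an empty list means the directory chain passes the ownership and mode checks.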