This is the mail archive of the cygwin mailing list for the Cygwin project.



Re: sshd privsep user still required?


On Thu, 17 Jan 2019 Corinna Vinschen wrote:

> > Is the sshd disabled user account still required?
>
> No, actually it isn't.  These days the sshd server checks if the
> privsep chroot environment should be used and that the process
> is started under "root:root".  This never matches under Cygwin so
> we could drop the sshd user requirement.

So I was exploring using the ChrootDirectory setting in sshd_config to
configure a user as sftp only.

The following seems to work:

1) Run sshd service as SYSTEM

2) Specify SYSTEM as user 0 in /etc/passwd file; e.g.:

SYSTEM:*:0:18:U-NT AUTHORITY\SYSTEM,S-1-5-18:/var/empty:/bin/false

3) Create a local sshd user account

4) Update sshd_config settings to use something such as:

Match User sftponly
ChrootDirectory /home/%u
ForceCommand internal-sftp

This works.

If the sshd account is missing or disabled, I can't connect using the
sftponly user, so it would seem that the sshd account really is required.

I have three questions:

a) Why is it necessary to specify SYSTEM as user number 0 in the
/etc/passwd file?

b) Why is the sshd account required?

c) Why are /cygdrive and /dev directories visible when connecting using a
sftp client?

Thanks!

Bill

--
Problem reports:       http://cygwin.com/problems.html
FAQ:                   http://cygwin.com/faq/
Documentation:         http://cygwin.com/docs.html
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple
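One OpenSSH rule bears on both the ChrootDirectory /home/%u setting above and question (a): before chrooting, sshd walks every component of ChrootDirectory and refuses to start the session unless each one is a directory owned by uid 0 and not writable by group or others (the "bad ownership or modes for chroot directory" fatal). The Python below is an illustration added to this archive page, not code from the thread or from OpenSSH; it models that walk over constructed directory layouts so the rule can be exercised offline. FakeStat, _tree_stat, the uid 1001 and the /home/sftponly/upload directory are assumptions made for the example.

```python
"""Model of OpenSSH's ChrootDirectory component check (added example, not OpenSSH code)."""
import os
import posixpath
import stat
from typing import Callable, Dict, List, NamedTuple


class FakeStat(NamedTuple):
    """Stand-in for os.stat_result carrying only the fields the check reads (assumed helper)."""
    st_uid: int
    st_mode: int


def _components(path: str) -> List[str]:
    """'/home/sftponly' -> ['/', '/home', '/home/sftponly']."""
    parts = [p for p in posixpath.normpath(path).split("/") if p]
    out = ["/"]
    for p in parts:
        out.append(posixpath.join(out[-1], p))
    return out


def chroot_problems(chroot: str, root_uid: int = 0,
                    stat_fn: Callable = os.stat) -> List[str]:
    """Return the reasons sshd would reject `chroot`, empty if it is acceptable.

    Mirrors the rule sshd applies to ChrootDirectory: every path component must
    be a directory, owned by root (uid 0 by default; on Cygwin that is whatever
    /etc/passwd maps to uid 0) and not group- or world-writable. stat_fn is
    injectable so constructed layouts can be checked without touching the disk.
    """
    problems: List[str] = []
    for comp in _components(chroot):
        try:
            st = stat_fn(comp)
        except OSError as e:
            problems.append(f"{comp}: cannot stat ({e.strerror})")
            break
        if not stat.S_ISDIR(st.st_mode):
            problems.append(f"{comp}: not a directory")
        if st.st_uid != root_uid:
            problems.append(f"{comp}: owned by uid {st.st_uid}, expected uid {root_uid}")
        if st.st_mode & 0o022:
            problems.append(f"{comp}: mode {stat.S_IMODE(st.st_mode):04o} is group/other-writable")
    return problems


def _tree_stat(tree: Dict[str, FakeStat]) -> Callable[[str], FakeStat]:
    """Build a stat function over a constructed in-memory directory layout."""
    def fn(path: str) -> FakeStat:
        if path not in tree:
            raise FileNotFoundError(2, "No such file or directory", path)
        return tree[path]
    return fn


DIR = stat.S_IFDIR

# Constructed layout: ChrootDirectory /home/%u where the home is owned by the user.
# This is the common failure: the last component is not root-owned.
USER_OWNED_HOME = {
    "/": FakeStat(0, DIR | 0o755),
    "/home": FakeStat(0, DIR | 0o755),
    "/home/sftponly": FakeStat(1001, DIR | 0o755),
}

# Constructed layout: root-owned, non-writable chroot with a user-owned
# subdirectory for uploads. Only the chroot path itself is checked, so the
# writable "upload" directory below it is fine.
ROOT_OWNED_CHROOT = {
    "/": FakeStat(0, DIR | 0o755),
    "/home": FakeStat(0, DIR | 0o755),
    "/home/sftponly": FakeStat(0, DIR | 0o755),
    "/home/sftponly/upload": FakeStat(1001, DIR | 0o755),
}

# Constructed layout: root-owned but world-writable chroot directory.
WORLD_WRITABLE_CHROOT = {
    "/": FakeStat(0, DIR | 0o755),
    "/home": FakeStat(0, DIR | 0o755),
    "/home/sftponly": FakeStat(0, DIR | 0o777),
}


def check_layouts() -> Dict[str, List[str]]:
    """Run the check against each constructed layout for the same ChrootDirectory."""
    layouts = {
        "user_owned_home": USER_OWNED_HOME,
        "root_owned_chroot": ROOT_OWNED_CHROOT,
        "world_writable_chroot": WORLD_WRITABLE_CHROOT,
    }
    return {name: chroot_problems("/home/sftponly", stat_fn=_tree_stat(tree))
            for name, tree in layouts.items()}


if __name__ == "__main__":
    for name, probs in check_layouts().items():
        print(name, "OK" if not probs else probs)
```

To check a real host instead of a constructed layout, call chroot_problems("/home/sftponly") with the default os.stat; on Cygwin pass root_uid set to whatever uid /etc/passwd assigns to the account sshd runs as, since that is the identity the ownership test compares against.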

