Possible Security Hole in SSHD w/ CYGWIN?

Erik Soderquist ErikSoderquist@gmail.com
Sun Feb 14 00:34:00 GMT 2016


On Sat, Feb 13, 2016 at 4:15 PM, David Willis  wrote:
<snip>
> So you're telling me any user that logs in using key authentication cannot
> access the network as the same user (i.e. this is the intended behavior)? If
> that's the case wouldn't it be better not to allow network access at ALL,
> rather than allowing it as the service account that sshd is running as?

Responding to only this one piece at present

from https://cygwin.com/cygwin-ug-net/passwd.html

{{
-R, --reg-store-pwd      enter password to store it in the registry for
                           later usage by services to be able to switch
                           to this user context with network credentials.
}}
{{
Don't use this feature if you don't need network access within a remote
session.  You can delete your stored password by using `passwd -R' and
specifying an empty password.
}}

Since there are explicit instructions on how to store your Windows
password in a way that Cygwin sshd (and other Cygwin services) can use
the password for network authentication and that it says not to store
the credentials if you do not need network access when authenticating
via public key, I would make the logical assumptions that

#1: authenticated network access is supposed to be possible inside a
public key authenticated ssh session

#2: without storing the password as described, I should have no
network access at all, not the cyg_server account's network access
(regardless of how much or little access the cyg_server account has).

<snip>

-- Erik

--
Problem reports:       http://cygwin.com/problems.html
FAQ:                   http://cygwin.com/faq/
Documentation:         http://cygwin.com/docs.html
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple



More information about the Cygwin mailing list