[ANNOUNCEMENT] Updated: OpenSSH-7.5p1-1

Lionel Fourquaux lionel.fourquaux@normalesup.org
Wed Mar 22 06:09:00 GMT 2017


> * This release deprecates the sshd_config UsePrivilegeSeparation
>   option, thereby making privilege separation mandatory.

This has (probably not wholly intended) consequences when running sshd in 
single-user (non-root) mode:

$ /usr/sbin/sshd -D -f ~/.ssh/sshd_config
Privilege separation user sshd does not exist

The problem is not limited to Cygwin, but is unlikely to happen in 
a typical Unix, since ssh is probably installed globally.

If Cygwin was installed without administrative privileges, creating 
a dedicated sshd user would be impossible (and makes little sense if sshd 
runs in single user mode, anyway).  I guess it would be possible to add 
a fake user account in /etc/passwd.

Since user sshd and chroot /var/empty are not used in single user mode, 
it might be better to remove the check in this case:

=== cut after ===
diff --git a/sshd.c b/sshd.c
index 010a2c3..4f9b2c8 100644
--- a/sshd.c
+++ b/sshd.c
@@ -1641,7 +1641,8 @@ main(int ac, char **av)
 
 	/* Store privilege separation user for later use if required. */
 	if ((privsep_pw = getpwnam(SSH_PRIVSEP_USER)) == NULL) {
-		if (use_privsep || options.kerberos_authentication)
+		if ((use_privsep || options.kerberos_authentication)
+		    && (getuid() == 0 || geteuid() == 0))
 			fatal("Privilege separation user %s does not exist",
 			    SSH_PRIVSEP_USER);
 	} else {
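Review bot: with the guard relaxed to `(use_privsep || options.kerberos_authentication) && (getuid() == 0 || geteuid() == 0)`, an unprivileged sshd now carries on with privsep_pw left NULL instead of dying here; nothing in this hunk shows that every later consumer of privsep_pw sits behind the same root test, so please confirm that (or keep the fatal() and relax only the chroot-directory check). The new condition also silences the Kerberos case; if the kerberos_authentication path needs the account regardless of uid, keep it unconditional, e.g. `if (options.kerberos_authentication || (use_privsep && (getuid() == 0 || geteuid() == 0)))`, and say in the post which of the two is intended.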
@@ -1767,7 +1768,7 @@ main(int ac, char **av)
 		    key_type(key));
 	}
 
-	if (use_privsep) {
+	if (use_privsep && (getuid() == 0 || geteuid() == 0)) {
 		struct stat st;
 
 		if ((stat(_PATH_PRIVSEP_CHROOT_DIR, &st) == -1) ||
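Review bot: the root test `getuid() == 0 || geteuid() == 0` is repeated verbatim from the earlier hunk; compute it once near the top of main() (e.g. `int privsep_as_root = (getuid() == 0 || geteuid() == 0);`) and use it at both sites so the user check and the _PATH_PRIVSEP_CHROOT_DIR check cannot drift apart. Skipping the stat() is only consistent if the non-root path never calls chroot(); a one-line comment at this `if` stating that would help the next reader.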
=== cut before ===

Best regards,

		-- Lionel
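Added example (not part of Lionel's post and not OpenSSH code): a POSIX shell preflight that mirrors the two startup prerequisites the unpatched sshd enforces before it will run, the privilege separation account and the chroot directory, so a non-root user can see which one will trip before starting sshd -D. The passwd file, user name and directory are parameters (in a real run they would be /etc/passwd, sshd and /var/empty; here the demo input at the bottom is constructed). sshd additionally requires the directory to be root-owned; an unprivileged user cannot create such a directory, so that requirement is reported as unverified rather than checked.

```shell
#!/bin/sh
# Preflight for the privilege-separation prerequisites sshd checks at startup.
# Added example: not from the original post and not OpenSSH code.
# Assumptions (labelled): passwd file, user and chroot dir are parameters so
# the check can run against copies; the owner-must-be-root requirement is only
# reported, since it cannot be verified without root.

# privsep_user_exists PASSWD_FILE USER -> 0 if USER has an entry
privsep_user_exists() {
    passwd_file=$1 user=$2
    # Match "user:" at the start of a line, as getpwnam() would on a files backend.
    grep -q "^${user}:" "$passwd_file"
}

# privsep_chroot_ok DIR -> 0 ok, 1 missing/not a dir, 2 group- or world-writable
privsep_chroot_ok() {
    dir=$1
    [ -d "$dir" ] || return 1
    mode=$(ls -ld "$dir" | cut -c1-10)   # e.g. drwxr-xr-x
    case "$mode" in
        ?????w*|????????w*) return 2 ;;  # char 6 = group w, char 9 = other w
    esac
    return 0
}

# privsep_preflight PASSWD_FILE USER DIR -> prints findings; 0 when all ok
privsep_preflight() {
    rc=0
    if privsep_user_exists "$1" "$2"; then
        echo "ok: privilege separation user '$2' present in $1"
    else
        echo "FAIL: privilege separation user '$2' missing from $1 (sshd will fatal)"
        rc=1
    fi
    st=0
    privsep_chroot_ok "$3" || st=$?
    case $st in
        0) echo "ok: chroot dir $3 exists and is not group/world writable" ;;
        1) echo "FAIL: chroot dir $3 missing (sshd will fatal)"; rc=1 ;;
        2) echo "FAIL: chroot dir $3 is group or world writable (sshd will fatal)"; rc=1 ;;
    esac
    if [ "$(id -u)" != 0 ] && [ -d "$3" ]; then
        echo "note: owner-must-be-root check not performed (not running as root)"
    fi
    return $rc
}

# Constructed demo input: a throwaway passwd file and a throwaway chroot dir.
demo_privsep_preflight() {
    tmp=$(mktemp -d)
    printf 'root:x:0:0:root:/root:/bin/sh\nsshd:x:74:74:Privilege-separated SSH:/var/empty:/sbin/nologin\n' \
        > "$tmp/passwd"
    mkdir -m 0755 "$tmp/empty"
    privsep_preflight "$tmp/passwd" sshd "$tmp/empty"
    rc=$?
    rm -rf "$tmp"
    return $rc
}

demo_privsep_preflight
```

Run it against the real locations (`privsep_preflight /etc/passwd sshd /var/empty`) before launching `sshd -D -f ~/.ssh/sshd_config`; a FAIL line names the check that the unpatched 7.5p1 sshd would abort on, which is the same pair of checks the patch above skips for a non-root sshd.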
