sshd privsep user still required?

Corinna Vinschen
Wed Mar 13 08:56:00 GMT 2019

On Mar 12 16:21, Bill Stewart wrote:
> On Thu, 17 Jan 2019 Corinna Vinschen wrote:
> > > Is the sshd disabled user account still required?
> >
> > No, actually it isn't.  These days the sshd server checks if the
> > the privsep chrrot environment should be used and that the process
> > is started under "root:root".  This never matches under Cygwin so
> > we could drop the sshd user requirement.
> So I was exploring using the ChrootDirectory setting in sshd_config to
> configure a user as sftp only.
> The following seems to work:
> 1) Run sshd service as SYSTEM
> 2) Specify SYSTEM as user 0 in /etc/passwd file; e.g.:
> SYSTEM:*:0:18:U-NT AUTHORITY\SYSTEM,S-1-5-18:/var/empty:/bin/false
> 3) Create a local sshd user account
> 4) Update sshd_config settings to use something such as:
> Match User sftponly
> ChrootDirectory /home/%u
> ForceCommand internal-sftp
> This works.
> If the sshd account is missing or disabled, I can't connect using the
> sftponly user, so it would seem that the sshd account really is required.
> I have three questions:
> a) Why is it necessary to specify SYSTEM as user number 0 in the
> /etc/password file?
> b) Why is the sshd account required?

sshd checks for uid 0 and requires the sshd account when chroot is

> b) Why are /cygdrive and /dev directories visible when connecting using a
> sftp client?

The Cygwin chroot implementation is pure fake.  It's not backed by the
OS and it's failry easy to break out of the jail.  As such, the chroot
implementation is deprecated and only kept for backward compatibility.
I suggest not to use it.  It gives a wrong sense of security.


Corinna Vinschen
Cygwin Maintainer
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: not available
URL: <>

More information about the Cygwin mailing list