sshd_config AllowStreamLocalForwarding perm off / effectively privsep off

Shaddy Baddah
Mon Aug 7 12:11:18 GMT 2023


For the current OpenSSH server (9.3p2),  AllowStreamLocalForwarding
defaults on. That means both local and remote unix socket port
portforwarding are possible.

For Cygwin, it appears the remote form of this is not possible. The
following message is seen on the client-side, regardless of whether
sshd_config explicitly defines AllowStreamLocalForwarding "on", or

|Forwarding port.
|debug1: Remote: Server has disabled streamlocal forwarding.

Finding the code around this, and a three(?) component conditional
expression that "fails" into that message, I discovered that the
reason it is not allowed is the following conditional:

|		    (pw->pw_uid != 0 && !use_privsep)) {

and to my surprise, after compiling a debug version of sshd to discover
this conditional, it turns out that use_privsep is set to zero (0).

I've been around the Cygwin community for many years, and I remember
the time when ssh-host-config prompted for priv sep, and the creation
of the "sshd" local user.

I remember the transition when that prompt was removed, and reading that
priv sep was now "on permanently".

I think there is a misunderstanding here though, though I'm not 100%
sure of my reading of the situation. It appears that though priv sep is
on by default, for Cygwin, it is effectively off, as it cannot be

Because this bit of code from sshd.c suggests if DISABLE_FD_PASS is set,
then use_privsep needs to be set to false:

|	if (1) {
|	if (authctxt->pw->pw_uid == 0) {
|		/* File descriptor passing is broken or root login */
|		use_privsep = 0;
|		goto skip;

DISABLE_FD_PASS is always set by autoconf for Cygwin. And my reading is
that not having that capability effectively means whatever the other
criteria, the executing process doesn't have sufficient "separation" of
privilege to be treated in the same manner.

Otherwise, what's the solution? Because the reason for the earlier guard
(the disallowal of streamlocal) was a fix for a CVE from very long ago,
that allowed unix-sockets to be created on the server as
"root"/privileged user.


More information about the Cygwin mailing list