sshd_config AllowStreamLocalForwarding perm off / effectively privsep off

Corinna Vinschen
Mon Aug 7 17:40:38 GMT 2023

On Aug  7 22:11, Shaddy Baddah via Cygwin wrote:
> Hi,
> For the current OpenSSH server (9.3p2),  AllowStreamLocalForwarding
> defaults on. That means both local and remote unix socket port
> portforwarding are possible.
> For Cygwin, it appears the remote form of this is not possible. The
> following message is seen on the client-side, regardless of whether
> sshd_config explicitly defines AllowStreamLocalForwarding "on", or
> "all":
> |Forwarding port.
> |debug1: Remote: Server has disabled streamlocal forwarding.
> Finding the code around this, and a three(?) component conditional
> expression that "fails" into that message, I discovered that the
> reason it is not allowed is the following conditional:
> |		    (pw->pw_uid != 0 && !use_privsep)) {
> and to my surprise, after compiling a debug version of sshd to discover
> this conditional, it turns out that use_privsep is set to zero (0).
> I've been around the Cygwin community for many years, and I remember
> the time when ssh-host-config prompted for priv sep, and the creation
> of the "sshd" local user.
> I remember the transition when that prompt was removed, and reading that
> priv sep was now "on permanently".
> I think there is a misunderstanding here though, though I'm not 100%
> sure of my reading of the situation. It appears that though priv sep is
> on by default, for Cygwin, it is effectively off, as it cannot be
> implemented???

Privilege separation in OpenSSH consists of two independent parts, both
of which require AF_UNIX sockets.

The first part is transmission of peer credentials per the SO_PEERCRED
socket option.  This was relatively easy to implement.

The other part of privilege separation requires AF_UNIX sockets to allow
sending and receiving open file descriptors via the SCM_RIGHTS ancillary
data feature.  This does not work in Cygwin.

> DISABLE_FD_PASS is always set by autoconf for Cygwin. And my reading is
> that not having that capability effectively means whatever the other
> criteria, the executing process doesn't have sufficient "separation" of
> privilege to be treated in the same manner.

Yes, the parts of OpenSSH requiring descriptor passing are disabled in

> Otherwise, what's the solution?

Solution for what?  What is it you want to do?


More information about the Cygwin mailing list