sshd_config AllowStreamLocalForwarding perm off / effectively privsep off
Corinna Vinschen
corinna-cygwin@cygwin.com
Mon Aug 7 17:40:38 GMT 2023
On Aug 7 22:11, Shaddy Baddah via Cygwin wrote:
> Hi,
>
> For the current OpenSSH server (9.3p2), AllowStreamLocalForwarding
> defaults on. That means both local and remote unix socket port
> portforwarding are possible.
>
> For Cygwin, it appears the remote form of this is not possible. The
> following message is seen on the client-side, regardless of whether
> sshd_config explicitly defines AllowStreamLocalForwarding "on", or
> "all":
>
> |Forwarding port.
> |debug1: Remote: Server has disabled streamlocal forwarding.
>
> Finding the code around this, and a three(?) component conditional
> expression that "fails" into that message, I discovered that the
> reason it is not allowed is the following conditional:
>
> | (pw->pw_uid != 0 && !use_privsep)) {
>
> and to my surprise, after compiling a debug version of sshd to discover
> this conditional, it turns out that use_privsep is set to zero (0).
>
> I've been around the Cygwin community for many years, and I remember
> the time when ssh-host-config prompted for priv sep, and the creation
> of the "sshd" local user.
>
> I remember the transition when that prompt was removed, and reading that
> priv sep was now "on permanently".
>
> I think there is a misunderstanding here though, though I'm not 100%
> sure of my reading of the situation. It appears that though priv sep is
> on by default, for Cygwin, it is effectively off, as it cannot be
> implemented???
Privilege separation in OpenSSH consists of two independent parts, both
of which require AF_UNIX sockets.
The first part is transmission of peer credentials per the SO_PEERCRED
socket option. This was relatively easy to implement.
The other part of privilege separation requires AF_UNIX sockets to allow
sending and receiving open file descriptors via the SCM_RIGHTS ancillary
data feature. This does not work in Cygwin.
> DISABLE_FD_PASS is always set by autoconf for Cygwin. And my reading is
> that not having that capability effectively means whatever the other
> criteria, the executing process doesn't have sufficient "separation" of
> privilege to be treated in the same manner.
Yes, the parts of OpenSSH requiring descriptor passing are disabled in
OpenSSH.
> Otherwise, what's the solution?
Solution for what? What is it you want to do?
Corinna
More information about the Cygwin
mailing list