DomainKey-Signature: a=rsa-sha1; c=nofws; d=sourceware.org; h=list-id
	:list-unsubscribe:list-subscribe:list-archive:list-post
	:list-help:sender:reply-to:subject:references:to:from:message-id
	:date:mime-version:in-reply-to:content-type
	:content-transfer-encoding; q=dns; s=default; b=mDzsZW9nHtQKiYHx
	ZD3vcz0t7/25P8p47p5yy6CnjIxreQnJbLGXDamIh8c2Q8Sy9xRsu3/FHc9bcmRa
	DcdnDc9r9/KQM9CpooFZlPdQwk61kyWXqj99fF6EroO7lo0D9TFP5BrKkoNihDr5
	Vr9K8/h+wXbfjNx1Lfdd4CvS6RU=
Mailing-List: contact cygwin-help AT cygwin DOT com; run by ezmlm
Sender: cygwin-owner AT cygwin DOT com
Mail-Followup-To: cygwin AT cygwin DOT com
Reply-To: cygwin AT cygwin DOT com
Subject: Re: openssh: privilege separation no longer supported on Cygwin? SURPRISE!
References: <d436698bbd53eef3cbdda788d4926109 AT xs4all DOT nl> <37b863f6-ce5c-ef13-569f-8044fe485075 AT gmail DOT com> <20e2702ca3837f5d54c558f8e786c717 AT xs4all DOT nl> <b16023ad6735108510ae351a8378a420 AT xs4all DOT nl> <262615c8cf6e134cedf97b0280c4a68f AT smtp-cloud2 DOT xs4all DOT net>
To: cygwin AT cygwin DOT com
From: "Larry Hall (Cygwin)" <reply-to-list-only-lh AT cygwin DOT com>
Message-ID: <592E1C49.6020202@cygwin.com>
Date: Tue, 30 May 2017 21:28:41 -0400
User-Agent: Mozilla/5.0 (X11; Linux i686; rv:38.0) Gecko/20100101 Thunderbird/38.1.0
MIME-Version: 1.0
In-Reply-To: <262615c8cf6e134cedf97b0280c4a68f@smtp-cloud2.xs4all.net>
Content-Type: text/plain; charset=utf-8; format=flowed
Content-Transfer-Encoding: 7bit

On 05/30/2017 09:50 AM, Houder wrote:
> On Mon, 29 May 2017 19:14:30, Houder wrote:
>
> [snip]
>> As if the "sshd" account is NEVER, NEVER used during the _whole_ process
>> (that is, there is NO privilege separation, as far as I can tell).
>
> .. wanted to share this experience with you.
>
>   - deleted user/account 'sshd' # net user sshd /delete
>   - modified the last part (rid?) of the sid belonging to user/account 'sshd'
>     in xxxx (in /etc/passwd)
>   - rebooted
>
> Before reboot, I changed 'sshd' in an automatic service (was: manual)
>
> After the system had rebooted:
>
>   - 'cygrunsrv -Q sshd' shows 'sshd' running ...
>   - 'tail -f /var/log/sshd.log' shows 'sshd' listening ...
>   - 'net user' shows user/account 'sshd' gone ...
>
> I can still use ssh ... (both password authentication and key authentication)
>
> Yes, if I remove user/account 'sshd' completely from /etc/passwd, only
> then 'sshd' won't start ...

Cygwin's link to the Windows user ID is through the UID/SID mapping.  In
your case, you're apparently using /etc/passwd and so that's where the
mapping happens.  You can map the UID of a Cygwin user to any valid Windows
SID by editing the SID as you did.  This doesn't change how things look in
the Cygwin environment (i.e. the UID and user name are still the same) but
it does make a difference to Windows.  So the fact that you can change the
SID for the 'sshd' user and still get it to run is not all that surprising,
assuming that the new Windows SID that you're using as 'sshd' now has at
least similar permissions.  Of course, if you remove Cygwin's understanding
of 'sshd' so that it can't do the mapping of UID to SID or even have a
valid UID, then subsequent problems are not unexpected.


-- 
Larry

_____________________________________________________________________

A: Yes.
 > Q: Are you sure?
 >> A: Because it reverses the logical flow of conversation.
 >>> Q: Why is top posting annoying in email?

--
Problem reports:       http://cygwin.com/problems.html
FAQ:                   http://cygwin.com/faq/
Documentation:         http://cygwin.com/docs.html
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple