
Re: openssh: privilege separation no longer supported on Cygwin?




On 29/05/2017 07:23, Houder wrote:
Hi,

Privilege separation in sshd defaults to "sandbox" (as far as
I understand, "openssh" has implemented a new mechanism).

... now I remember Corinna writing, that 'sandbox will not be
an option for Cygwin' ... or words to that effect.

Does this mean, that under Cygwin, privilege separation is no
longer possible?

... because, that is, I think, what I am seeing:

 - the userid of child sshd is still 'cyg_server' ...
 - and I get an elevated shell when I login ...

Not what I expected ...

Gr. Henri


Hi Houder,
please read the last Announcement

https://sourceware.org/ml/cygwin-announce/2017-03/msg00028.html

* This release deprecates the sshd_config UsePrivilegeSeparation
   option, thereby making privilege separation mandatory. Privilege
   separation has been on by default for almost 15 years and
   sandboxing has been on by default for almost the last five.


It seems you misunderstood the communication:
- the possibility to NOT use "privilege separation" is deprecated
- "privilege separation" will become mandatory

Regards
Marco

