This is the mail archive of the
mailing list for the Cygwin project.
Re: Possible Security Hole in SSHD w/ CYGWIN?
- From: Achim Gratz <Stromeko at NexGo dot DE>
- To: cygwin at cygwin dot com
- Date: Tue, 9 Feb 2016 07:52:58 +0000 (UTC)
- Subject: Re: Possible Security Hole in SSHD w/ CYGWIN?
- Authentication-results: sourceware.org; auth=none
- References: <016c01d16305$252c94c0$6f85be40$ at comcast dot net>
David Willis <david_willis <at> comcast.net> writes:
> To reproduce, connect via SSH (from either a Linux or CYGWIN/Windows client)
> to a CYGWIN-based SSHD server using a normal privileged user account (an
> account preferably that is not an admin either on the client or server
> machine). Once connected to the Windows SSHD server, CD to a UNC path of a
> network share. Once CD'd to that path, check Computer Management on that
> server, and go to Shares->Open Sessions, and you will see that the user
> connected is the privileged SSHD server account (and it will obviously show
> as being connected from the machine you are SSH'd into).
Did you read https://cygwin.com/cygwin-ug-net/ntsec.html, configured sshd
and the user accounts correctly and are logging in with a password using
either of the methods described?
FWIW, I'm seeing the connected user as the one that I logged into via ssh.
In fact the sshd user account doesn't have any network access rights anyway,
so I couldn't connect to any network share if that acount would be used.
Problem reports: http://cygwin.com/problems.html
Unsubscribe info: http://cygwin.com/ml/#unsubscribe-simple