openssh AuthorizedKeysFile
Corinna Vinschen
corinna-cygwin@cygwin.com
Mon Apr 9 10:59:00 GMT 2018
On Apr 9 09:52, Corinna Vinschen wrote:
> On Apr 6 22:37, Achim Gratz wrote:
> >
> > I've got a new server for Cygwin @work and wanted to get the sshd to run
> > with StrictMode on (it's been off on the old server). Long story short,
> > some accounts used for administrative tasks are constrained so that I
> > need to store the authorized_keys file directly on the server, so I
> > added /etc/ssh/%u/authorized_keys in front of the default
> > .ssh/authorized_keys. Unfortunately that only works if the same
> > administrative account has been used to install Cygwin itself, lest sshd
> > declares the directory /etc/ssh unsafe (or use StrictMode=no).
>
> What exactly doesn't work? If it's the ownership of the dirs and
> files, chown will do the trick, no?
>
> > In my reading of the refactored
> > code it seems that the same effect could be achieved by defining
> > PLATFORM_SYS_DIR_UID appropriately (although I would prefer if that was
> > configurable somewhere in a file). But it seems that for Cygwin that
> > symbol doesn't get defined at all?
>
> No, so far it's a special feature for AIX and HP/UX only. On these
> platforms certain dirs and files are owned by the bin user with uid 2.
>
> The problem on Cygwin is that we don't have a fixed uid owning the
> entire system paths. It always depends on the account used to create
> the system dirs, which can vary from installation to installation. What
> you could do is add a passwd entry with uid 0 for the account
> installing Cygwin and make sure that the files are always owned by this
> account (chown).
>
> The only other way to fix this would be to define PLATFORM_SYS_DIR_UID
> to be a function call on Cygwin, which checks the account for... what?
> To be an admin account? That sounds quite relaxed, but I don't see
> any other way.
>
> Something like this [...]
Please try if this patch to openssh will do the trick for you. I only
tested that it builds, but not if it works as desired.
From 6b493f7e9f5ab7c64fa56c84ea727d3d06a12c0f Mon Sep 17 00:00:00 2001
From: Corinna Vinschen <vinschen@redhat.com>
Date: Mon, 9 Apr 2018 12:56:31 +0200
Subject: [PATCH] cygwin: add function call to provide OS-specific
PLATFORM_SYS_DIR_UID
---
configure.ac | 1 +
openbsd-compat/bsd-cygwin_util.c | 25 +++++++++++++++++++++++++
openbsd-compat/bsd-cygwin_util.h | 1 +
3 files changed, 27 insertions(+)
diff --git a/configure.ac b/configure.ac
index 663062bef142..a5f68c367c92 100644
--- a/configure.ac
+++ b/configure.ac
@@ -626,6 +626,7 @@ case "$host" in
file descriptor passing])
AC_DEFINE([SSH_IOBUFSZ], [65535], [Windows is sensitive to read buffer size])
AC_DEFINE([FILESYSTEM_NO_BACKSLASH], [1], [File names may not contain backslash characters])
+ AC_DEFINE([PLATFORM_SYS_DIR_UID], cygwin_valid_sys_dir_owner(uid), [System dirs owned by admin account])
# Cygwin defines optargs, optargs as declspec(dllimport) for historical
# reasons which cause compile warnings, so we disable those warnings.
OSSH_CHECK_CFLAG_COMPILE([-Wno-attributes])
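Review bot: The value argument of the added AC_DEFINE, cygwin_valid_sys_dir_owner(uid), is passed unquoted while the neighbouring AC_DEFINE lines bracket every argument; wrap it in [ ] for consistency and so m4 takes it literally. The value also hard-codes the identifier uid, so PLATFORM_SYS_DIR_UID only compiles where a variable of that name is in scope at the point of use; the description string "System dirs owned by admin account" should mention that requirement.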
diff --git a/openbsd-compat/bsd-cygwin_util.c b/openbsd-compat/bsd-cygwin_util.c
index 398a5f617af5..0f5bb1a4448a 100644
--- a/openbsd-compat/bsd-cygwin_util.c
+++ b/openbsd-compat/bsd-cygwin_util.c
@@ -33,6 +33,7 @@
#ifdef HAVE_CYGWIN
#include <sys/types.h>
+#include <grp.h>
#include <fcntl.h>
#include <string.h>
#include <unistd.h>
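Review bot: Only <grp.h> is added to the include list, but the function added further down in this file calls getpwuid(), dereferences struct passwd and calls alloca(). If <pwd.h> (and <alloca.h>, where the platform needs it) is not already included above this hunk, add it here so the file does not depend on indirect includes.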
@@ -116,4 +117,28 @@ free_windows_environment(char **p)
free(p);
}
+/* Check if current account is administrative account (aka member of
+ * group 544 "Administrators")
+ */
+uid_t
+cygwin_valid_sys_dir_owner(uid_t uid)
+{
+ int ngrps = 0;
+ gid_t *grps = NULL;
+ struct passwd *pw;
+
+ pw = getpwuid(uid);
+ if (!pw)
+ return 0;
+
+ if (getgrouplist(pw->pw_name, pw->pw_gid, grps, &ngrps) < 0) {
+ grps = (gid_t *) alloca(sizeof (gid_t) * ngrps);
+ if (getgrouplist(pw->pw_name, pw->pw_gid, grps, &ngrps) < 0)
+ return 0;
+ while (--ngrps >= 0)
+ if (grps[ngrps] == 544)
+ return uid;
+ }
+ return 0;
+}
#endif /* HAVE_CYGWIN */
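Review bot: The comment on cygwin_valid_sys_dir_owner() says it checks the "current account", but the body looks up the account behind the uid argument with getpwuid(uid); reword the comment to describe the argument and state the return contract (the passed uid when the account is in group 544, otherwise 0). The literal 544 appears in both the comment and the comparison and would read better as a named constant. The alloca() size is taken directly from the ngrps value reported by the first getgrouplist() call; a malloc()/free() pair with a NULL check would be safer here than an unchecked stack allocation.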
diff --git a/openbsd-compat/bsd-cygwin_util.h b/openbsd-compat/bsd-cygwin_util.h
index 9cef694b9a7c..e2d53f47defe 100644
--- a/openbsd-compat/bsd-cygwin_util.h
+++ b/openbsd-compat/bsd-cygwin_util.h
@@ -44,6 +44,7 @@ typedef void *HANDLE;
windows headers, so we have to define them here explicitely. */
extern HANDLE cygwin_logon_user (const struct passwd *, const char *);
extern void cygwin_set_impersonation_token (const HANDLE);
+extern uid_t cygwin_valid_sys_dir_owner(uid_t uid);
#include <sys/cygwin.h>
#include <io.h>
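Review bot: The added prototype returns uid_t rather than a boolean, and nothing in the header says what the value means. Add a short comment stating that it returns the passed uid when the account is a member of the Administrators group and 0 otherwise, so code using PLATFORM_SYS_DIR_UID knows what it is comparing against.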
--
2.14.3
Corinna
--
Corinna Vinschen Please, send mails regarding Cygwin to
Cygwin Maintainer cygwin AT cygwin DOT com
Red Hat
More information about the Cygwin-apps
mailing list