SSH and Cygwin

[Stephen C. Biggs]

Greetings all.

I have a few issues running SSHD under cygwin.

I have got it mostly to work and it looks good, but there are at least two security issues that I am concerned about.

The first is when someone accesses my SSH server, the server sends back an environment that includes LOGONSERVER, HOMEDRIVE, 
HOMEPATH, SYSTEMDRIVE, and SYSTEMROOT. 

Since this is to a remote client, I do not want them to know any of the details of my server, and this lays it wide open.  Is there a way to 
stop these environment variables from being exported to the remote client?  I am putting users in a chroot jail (more about that below) and 
even though I unset these variables in the script, they still get set on the client.   

Another related issue is that I have a different computer name from the name that remote clients use and wish to have the public name 
sent back in the environment variables such as USERDOMAIN and HOSTNAME.  Right now, I reset them to what I want in the profile I 
execute as part of the chroot. Is this the only way to do it?  Running cygrunsrv with -e "USERDOMAIN=publicname" has no effect, but it 
works for COMPUTERNAME.

As to the chroot issue, I went with the procedure in 
http://sources.redhat.com/ml/cygwin/2002-07/msg02070.html but fleshed it out 
so it would work, and it does, but a disturbing issue is that when a remote client logs on, I have to have a globally accessible home 
directory in my /etc/passwd file and have that directory exist. Then, the server places the client in that home directory before the script 
can get control to chroot to the jail.  This is a millisecond security issue but still a window.

Thanks for any assistance.

--
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple
Bug reporting:         http://cygwin.com/bugs.html
Documentation:         http://cygwin.com/docs.html
FAQ:                   http://cygwin.com/faq/