sshd privsep user still required?
Bill Stewart
bstewart@iname.com
Tue Mar 12 22:21:00 GMT 2019
On Thu, 17 Jan 2019 Corinna Vinschen wrote:
> > Is the sshd disabled user account still required?
>
> No, actually it isn't. These days the sshd server checks if the
> privsep chroot environment should be used and that the process
> is started under "root:root". This never matches under Cygwin so
> we could drop the sshd user requirement.

So I was exploring using the ChrootDirectory setting in sshd_config to
configure a user as sftp only.

The following seems to work:

1) Run sshd service as SYSTEM

2) Specify SYSTEM as user 0 in /etc/passwd file; e.g.:

   SYSTEM:*:0:18:U-NT AUTHORITY\SYSTEM,S-1-5-18:/var/empty:/bin/false

3) Create a local sshd user account

4) Update sshd_config settings to use something such as:

   Match User sftponly
     ChrootDirectory /home/%u
     ForceCommand internal-sftp

This works.

If the sshd account is missing or disabled, I can't connect using the
sftponly user, so it would seem that the sshd account really is required.

I have three questions:

a) Why is it necessary to specify SYSTEM as user number 0 in the
/etc/passwd file?

b) Why is the sshd account required?

c) Why are /cygdrive and /dev directories visible when connecting using a
sftp client?

Thanks!
Bill
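
Added example, not part of the original post: sshd_config(5) requires every component of a ChrootDirectory path to be a root-owned directory that is not writable by group or others, and the sketch below checks a path such as the expanded "/home/%u" against that rule. The function names, the owner_uid parameter and the sample path are assumptions made for illustration; how Cygwin maps Windows ACLs to these mode bits is not covered.

```python
import os
import stat

def component_problems(mode, uid, owner_uid=0):
    """Check one path component's st_mode/st_uid against the chroot rule."""
    if not stat.S_ISDIR(mode):
        return ["not a directory"]
    problems = []
    if uid != owner_uid:
        problems.append(f"owned by uid {uid}, expected {owner_uid}")
    if mode & 0o022:  # group-write or other-write bit is set
        problems.append(
            f"writable by group or others (mode {stat.S_IMODE(mode):04o})")
    return problems

def path_components(path):
    """'/home/sftponly' -> ['/', '/home', '/home/sftponly']"""
    out = [os.sep]
    for part in os.path.abspath(path).split(os.sep):
        if part:
            out.append(os.path.join(out[-1], part))
    return out

def check_chroot_path(path, owner_uid=0):
    """Return [(component, problem), ...]; an empty list means the path passes."""
    findings = []
    for comp in path_components(path):
        try:
            st = os.stat(comp)
        except OSError as exc:
            findings.append((comp, f"cannot stat: {exc.strerror}"))
            break  # deeper components cannot be checked
        findings += [(comp, p) for p in
                     component_problems(st.st_mode, st.st_uid, owner_uid)]
    return findings

if __name__ == "__main__":
    # Constructed input: "ChrootDirectory /home/%u" expanded for the
    # sftponly user from the post's Match block.
    for comp, problem in check_chroot_path("/home/sftponly"):
        print(f"{comp}: {problem}")
```
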