Re: sshd_config AllowStreamLocalForwarding perm off / effectively privsep off

[Shaddy Baddah via Cygwin]

Hi,

On 8/08/2023 3:40 am, Corinna Vinschen via Cygwin wrote:

On Aug  7 22:11, Shaddy Baddah via Cygwin wrote:

..



Yes, the parts of OpenSSH requiring descriptor passing are disabled in
OpenSSH.


Otherwise, what's the solution?


Solution for what?  What is it you want to do?


Reverse unix socket forwarding. Like this:

|~aC
|ssh> -R /tmp/p2:/tmp/p1
|Forwarding port.
|debug1: Remote: Server has disabled streamlocal forwarding.

Despite configuration and documentation, this can never work on Cygwin.

And I was looking to what an agreeable patch for OpenSSH might be. But
if I have read the situation right, by policy, there cannot be one for
Cygwin.

I do have a workaround, but it's suboptimal.

--
Regards,
Shaddy

--
Problem reports:  https://cygwin.com/problems.html
FAQ:  https://cygwin.com/faq/
Documentation:https://cygwin.com/docs.html
Unsubscribe info: https://cygwin.com/ml/#unsubscribe-simple

Re: sshd_config AllowStreamLocalForwarding perm off / effectively privsep off

[Corinna Vinschen via Cygwin]

On Aug  7 22:11, Shaddy Baddah via Cygwin wrote:
> Hi,
> 
> For the current OpenSSH server (9.3p2),  AllowStreamLocalForwarding
> defaults on. That means both local and remote unix socket port
> portforwarding are possible.
> 
> For Cygwin, it appears the remote form of this is not possible. The
> following message is seen on the client-side, regardless of whether
> sshd_config explicitly defines AllowStreamLocalForwarding "on", or
> "all":
> 
> |Forwarding port.
> |debug1: Remote: Server has disabled streamlocal forwarding.
> 
> Finding the code around this, and a three(?) component conditional
> expression that "fails" into that message, I discovered that the
> reason it is not allowed is the following conditional:
> 
> | (pw->pw_uid != 0 && !use_privsep)) {
> 
> and to my surprise, after compiling a debug version of sshd to discover
> this conditional, it turns out that use_privsep is set to zero (0).
> 
> I've been around the Cygwin community for many years, and I remember
> the time when ssh-host-config prompted for priv sep, and the creation
> of the "sshd" local user.
> 
> I remember the transition when that prompt was removed, and reading that
> priv sep was now "on permanently".
> 
> I think there is a misunderstanding here though, though I'm not 100%
> sure of my reading of the situation. It appears that though priv sep is
> on by default, for Cygwin, it is effectively off, as it cannot be
> implemented???

Privilege separation in OpenSSH consists of two independent parts, both
of which require AF_UNIX sockets.

The first part is transmission of peer credentials per the SO_PEERCRED
socket option.  This was relatively easy to implement.

The other part of privilege separation requires AF_UNIX sockets to allow
sending and receiving open file descriptors via the SCM_RIGHTS ancillary
data feature.  This does not work in Cygwin.

> DISABLE_FD_PASS is always set by autoconf for Cygwin. And my reading is
> that not having that capability effectively means whatever the other
> criteria, the executing process doesn't have sufficient "separation" of
> privilege to be treated in the same manner.

Yes, the parts of OpenSSH requiring descriptor passing are disabled in
OpenSSH.

> Otherwise, what's the solution?

Solution for what?  What is it you want to do?


Corinna

-- 
Problem reports:  https://cygwin.com/problems.html
FAQ:  https://cygwin.com/faq/
Documentation:https://cygwin.com/docs.html
Unsubscribe info: https://cygwin.com/ml/#unsubscribe-simple