On Apr 6 22:37, Achim Gratz wrote:
>
> I've got a new server for Cygwin @work and wanted to get the sshd to run
> with StrictMode on (it's been off on the old server). Long story short,
> some accounts used for administrative tasks are constrained so that I
> need to store the authorized_keys file directly on the server, so I
> added /etc/ssh/%u/authorized_keys in front of the default
> .ssh/authorized_keys. Unfortunately that only works if the same
> administrative account has been used to install Cygwin itself, lest sshd
> declare the directory /etc/ssh unsafe (or use StrictMode=no).
What exactly doesn't work? If it's the ownership of the dirs and files,
chown will do the trick, no?

> I found this patch that seems to address exactly the same situation:
>
> https://github.com/pierresouchay/cygwin_patches/blob/master/openssh.patch
>
> The code has since been refactored and a similar change would need to be
> applied elsewhere. Interestingly enough there is some special handling
> to _not_ check all the leading path components for the home directory
> (otherwise it wouldn't work at all). In my reading of the refactored
> code it seems that the same effect could be achieved by defining
> PLATFORM_SYS_DIR_UID appropriately (although I would prefer if that was
> configurable somewhere in a file). But it seems that for Cygwin that
> symbol doesn't get defined at all?

No, so far it's a special feature for AIX and HP/UX only. On these
platforms certain dirs and files are owned by the bin user with uid 2.

The problem on Cygwin is that we don't have a fixed uid owning the entire
system paths. It always depends on the account used to create the system
dirs, which can vary from installation to installation.

What you could do is add a passwd entry with uid 0 for the account
installing Cygwin and make sure that the files are always owned by this
account (chown).

The only other way to fix this would be to define PLATFORM_SYS_DIR_UID to
be a function call on Cygwin, which checks the account for... what? To be
an admin account? That sounds quite relaxed, but I don't see any other way.
Something like this in configure.ac:

  AC_DEFINE([PLATFORM_SYS_DIR_UID], cygwin_valid_sys_dir_owner(),
            [System dirs owned by admin account])

and a bit of extra code in openbsd-compat/bsd-cygwin_util.c along the
lines of:

  #include <sys/types.h>
  #include <limits.h>
  #include <grp.h>
  #include <pwd.h>

  /* Return 1 if uid is a valid system dir-owning uid, i.e. the account
     is a member of the Administrators group (gid 544 on Cygwin). */
  int
  cygwin_valid_sys_dir_owner (uid_t uid)
  {
    struct passwd *pw = getpwuid (uid);
    gid_t grplist[NGROUPS_MAX];
    int ngroups = NGROUPS_MAX;
    int i;

    if (!pw)
      return 0;
    getgrouplist (pw->pw_name, pw->pw_gid, grplist, &ngroups);
    for (i = 0; i < ngroups; i++)
      if (grplist[i] == 544)	/* Administrators */
        return 1;
    return 0;
  }

Corinna

-- 
Corinna Vinschen                  Please, send mails regarding Cygwin to
Cygwin Maintainer                 cygwin AT cygwin DOT com
Red Hat
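The ownership walk that makes /etc/ssh/%u/authorized_keys fail under StrictModes, modelled in Python as an added example (this is neither OpenSSH nor Cygwin code and is not part of the thread). It follows the structure of sshd's safe_path() in misc.c: the key file and each directory above it must be owned by root, by the logging-in user or by the platform system-directory uid (PLATFORM_SYS_DIR_UID), and must not be group or world writable; the upward walk stops once the user's home directory has been checked, which is why the default ~/.ssh/authorized_keys passes even when / and /home belong to the installing account. The filesystem table, the uids (1049 for the account that ran the Cygwin installer, 1001 for the user achim) and the paths are constructed for illustration.

```python
"""Model of sshd's safe_path() ownership walk (StrictModes).

Added example, not OpenSSH or Cygwin code. The filesystem below is a
constructed table: canonical path -> (st_uid, st_mode).
"""
import posixpath
import stat

ROOT_UID = 0

# Constructed Cygwin-like filesystem. uid 1049 is the account that ran the
# installer and therefore owns /, /etc and /etc/ssh; uid 1001 is "achim".
FS_CYGWIN = {
    "/":                              (1049, stat.S_IFDIR | 0o755),
    "/etc":                           (1049, stat.S_IFDIR | 0o755),
    "/etc/ssh":                       (1049, stat.S_IFDIR | 0o755),
    "/etc/ssh/achim":                 (1001, stat.S_IFDIR | 0o755),
    "/etc/ssh/achim/authorized_keys": (1001, stat.S_IFREG | 0o644),
    "/etc/ssh/admin":                 (1049, stat.S_IFDIR | 0o755),
    "/etc/ssh/admin/authorized_keys": (1049, stat.S_IFREG | 0o644),
    "/home":                          (1049, stat.S_IFDIR | 0o755),
    "/home/achim":                    (1001, stat.S_IFDIR | 0o700),
    "/home/achim/.ssh":               (1001, stat.S_IFDIR | 0o700),
    "/home/achim/.ssh/authorized_keys": (1001, stat.S_IFREG | 0o600),
}


def platform_sys_dir_uid(owner, sys_dir_uid=None):
    """Mirror of platform_sys_dir_uid(): root always qualifies, plus the
    optional platform-specific owner (PLATFORM_SYS_DIR_UID, unset on Cygwin)."""
    return owner == ROOT_UID or (sys_dir_uid is not None and owner == sys_dir_uid)


def _ok(owner, mode, uid, sys_dir_uid):
    """Owner must be root, the user or the system-dir uid; no g/o write bits."""
    return (platform_sys_dir_uid(owner, sys_dir_uid) or owner == uid) \
        and (mode & 0o022) == 0


def safe_path(fs, name, pw_dir, uid, sys_dir_uid=None):
    """Return None if `name` is acceptable for `uid`, otherwise a message
    naming the first offending component (sshd logs the same wording)."""
    if name not in fs:
        return f"{name}: not found"
    owner, mode = fs[name]
    if not stat.S_ISREG(mode):
        return f"{name} is not a regular file"
    if not _ok(owner, mode, uid, sys_dir_uid):
        return f"bad ownership or modes for file {name}"

    buf = name
    while True:                       # walk the leading components upwards
        buf = posixpath.dirname(buf)
        if buf not in fs:
            return f"bad ownership or modes for directory {buf}"
        owner, mode = fs[buf]
        if not _ok(owner, mode, uid, sys_dir_uid):
            return f"bad ownership or modes for directory {buf}"
        # The home directory itself is checked, but nothing above it:
        # this is the "special handling" that lets ~/.ssh work at all.
        if pw_dir is not None and buf == pw_dir:
            return None
        if buf in ("/", "."):
            return None


def with_root_owned(fs, paths):
    """Copy of `fs` with `paths` chowned to uid 0: the fix of giving the
    installing account a uid-0 passwd entry and chowning the system dirs."""
    fixed = dict(fs)
    for p in paths:
        fixed[p] = (ROOT_UID, fs[p][1])
    return fixed


if __name__ == "__main__":
    home, user = "/home/achim", 1001
    print(safe_path(FS_CYGWIN, "/home/achim/.ssh/authorized_keys", home, user))
    print(safe_path(FS_CYGWIN, "/etc/ssh/achim/authorized_keys", home, user))
    print(safe_path(FS_CYGWIN, "/etc/ssh/admin/authorized_keys", "/home/admin", 1049))
    print(safe_path(FS_CYGWIN, "/etc/ssh/achim/authorized_keys", home, user, 1049))
    fixed = with_root_owned(FS_CYGWIN, ["/", "/etc", "/etc/ssh"])
    print(safe_path(fixed, "/etc/ssh/achim/authorized_keys", home, user))
```

Running it reproduces the thread: the default file under ~ passes, /etc/ssh/achim/authorized_keys is rejected at /etc/ssh because its owner is neither root nor achim, the installing account's own key file passes (it owns the whole chain), and either a PLATFORM_SYS_DIR_UID of 1049 or chowning /, /etc and /etc/ssh to uid 0 makes the check succeed.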