Openssh for Windows

Corinna Vinschen vinschen at redhat.com
Tue Jul 29 18:36:11 EST 2008


On Jul 28 10:45, Ben Lindstrom wrote:
> If it was me I'd look at the VanDyke solution.  One could prototype using 
> Cygwin, but..  Well, I've been too close to the patches that flowed in for 
> OpenSSH support and some of them still cause me nightmares (Sorry 
> Corinna.. I know they are needed, but still doesn't make me comfortable 
> =).

Which ones?

The file system related tests?  The default installation on an NTFS
drive will use all security it can get.  The extra code is just
necessary for users who install on FAT or FAT32 with no security at all,
or users who explicitly switched off all permission checking.  And then
there are still Windows 95/98/Me users out there, hard as it is to
imagine it...

The disabled root user tests?  There's no such thing as a single user
with uid 0 having the necessary rights to run OpenSSH and switch the
user context on Windows.  I already suggested more than once in the last
years to replace the `if (pw_uid == 0)'-like tests in OpenSSH with an
OS-dependent function call.  On Cygwin (well, Windows) this would mean to
check for specific user rights as the right to act on behalf of the
operating system, stuff like that.  On most POSIX systems that would be
a simple test for uid 0.  I even created a patch for this but
unfortunately it hasn't been accepted.

The disabled test for being able to revert a seteuid in
permanently_drop_suid?  That's something I have no control over.
Windows NT has a means to do that, but that function was never intended
to be called by a Win32 process to switch its own user token permanently
and it doesn't work as expected.  I tried to use it but I never got it
working on some OS versions.  Eventually Microsoft disabled this
function entirely when called from a Win32 process starting with Windows
Vista.  Interix OTOH may call this function because it's not a Win32
process like Cygwin but an entirely different subsystem.
However, that's really not a problem.  When the user process is started
by sshd, this *is* done by a function call which actually switches the
user token permanently (CreateProcessAsUser).  There's no way for
the user process to re-gain root privileges anymore.

Anything else?


Corinna

-- 
Corinna Vinschen
Cygwin Project Co-Leader
Red Hat


More information about the openssh-unix-dev mailing list
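
The OS-dependent privilege check suggested in the message above, sketched as an added example; it is not part of the original post and is not OpenSSH or Cygwin code. The function names, the `RIGHT_*` flags and the sample accounts are hypothetical, and the platform is chosen at run time here only so both backends can be exercised side by side (a real port would pick one at compile time and read the rights from the operating system).

```c
#include <stdbool.h>
#include <stdio.h>

/* Hypothetical rights model: these names are assumptions for illustration,
 * not Windows or OpenSSH identifiers. */
enum {
    RIGHT_ACT_AS_OS      = 1u << 0, /* "act on behalf of the operating system" */
    RIGHT_SWITCH_CONTEXT = 1u << 1  /* may start a process in another user's context */
};

enum platform { PLATFORM_POSIX, PLATFORM_RIGHTS_BASED };

struct account {
    const char *name;
    unsigned    uid;
    unsigned    rights; /* bitmask of RIGHT_*; ignored on PLATFORM_POSIX */
};

/* The kind of test the message wants replaced: uid 0 hard-coded at the call site. */
bool naive_is_privileged(const struct account *a)
{
    return a->uid == 0;
}

/* The proposed shape: one OS-dependent predicate that call sites use instead. */
bool platform_is_privileged(enum platform p, const struct account *a)
{
    const unsigned needed = RIGHT_ACT_AS_OS | RIGHT_SWITCH_CONTEXT;

    switch (p) {
    case PLATFORM_POSIX:
        return a->uid == 0;                    /* simple test for uid 0 */
    case PLATFORM_RIGHTS_BASED:
        return (a->rights & needed) == needed; /* every required right is held */
    }
    return false;                              /* unknown platform: fail closed */
}

/* Constructed sample accounts (names, uids and rights are made up). */
const struct account svc     = { "sshd_service", 1004, RIGHT_ACT_AS_OS | RIGHT_SWITCH_CONTEXT };
const struct account partial = { "operator",     1005, RIGHT_ACT_AS_OS };
const struct account zero    = { "mapped_zero",  0,    0 };

int main(void)
{
    const struct account *all[] = { &svc, &partial, &zero };
    for (int i = 0; i < 3; i++)
        printf("%-13s naive=%d rights_based=%d\n", all[i]->name,
               naive_is_privileged(all[i]),
               platform_is_privileged(PLATFORM_RIGHTS_BASED, all[i]));
    return 0;
}
```

On the rights-based platform the uid comparison is wrong in both directions: it rejects the service account that holds every required right and accepts an account that merely maps to uid 0.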