Call for testing: OpenSSH 7.5p1

Wed Mar 15 22:32:49 AEDT 2017

On Mar 14 21:40, Damien Miller wrote:
> Hi,
> 
> OpenSSH 7.5p1 is almost ready for release, so we would appreciate testing
> on as many platforms and systems as possible. This is a bugfix release.
> [...]
> Potentially-incompatible changes
> ================================
> 
> This release includes a number of changes that may affect existing
> configurations:
> 
>  * This release deprecates the sshd_config UsePrivilegeSeparation
>    option, thereby making privilege separation mandatory. Privilege
>    separation has been on by default for almost 15 years.

Today's code from the git repo with UsePrivilegeSeparation option
removed tested on Cygwin.  It compiles OOTB and the testsuite runs
successfully.

However, the removal of UsePrivilegeSeparation requires a patch to
Cygwin's ssh-host-config script.  Patch attached.


Thanks,
Corinna

-- 
Corinna Vinschen
Cygwin Maintainer
Red Hat
-------------- next part --------------
From beb8cf663a6a9183c82c7a78c62ee17512e02184 Mon Sep 17 00:00:00 2001
From: Corinna Vinschen <vinschen at redhat.com>
Date: Wed, 15 Mar 2017 11:10:23 +0100
Subject: [PATCH] Remove handling of deprecated UsePrivilegeSeparation from
 Cygwin install script

Signed-off-by: Corinna Vinschen <vinschen at redhat.com>
---
 contrib/cygwin/ssh-host-config | 43 +++++++++---------------------------------
 1 file changed, 9 insertions(+), 34 deletions(-)

diff --git a/contrib/cygwin/ssh-host-config b/contrib/cygwin/ssh-host-config
index d934d09..db6aaa0 100644
--- a/contrib/cygwin/ssh-host-config
+++ b/contrib/cygwin/ssh-host-config
@@ -63,7 +63,6 @@ sshd_config_configured=no
 port_number=22
 service_name=sshd
 strictmodes=yes
-privsep_used=yes
 cygwin_value=""
 user_account=
 password_value=
@@ -140,33 +139,21 @@ sshd_strictmodes() {
 
 # ======================================================================
 # Routine: sshd_privsep
-#  MODIFIES: privsep_used
+# Try to create ssshd user account
 # ======================================================================
 sshd_privsep() {
   local ret=0
 
   if [ "${sshd_config_configured}" != "yes" ]
   then
-    echo
-    csih_inform "Privilege separation is set to 'sandbox' by default since"
-    csih_inform "OpenSSH 6.1.  This is unsupported by Cygwin and has to be set"
-    csih_inform "to 'yes' or 'no'."
-    csih_inform "However, using privilege separation requires a non-privileged account"
-    csih_inform "called 'sshd'."
-    csih_inform "For more info on privilege separation read /usr/share/doc/openssh/README.privsep."
-    if csih_request "Should privilege separation be used?"
+    if ! csih_create_unprivileged_user sshd
     then
-      privsep_used=yes
-      if ! csih_create_unprivileged_user sshd
-      then
-	csih_error_recoverable "Couldn't create user 'sshd'!"
-	csih_error_recoverable "Privilege separation set to 'no' again!"
-	csih_error_recoverable "Check your ${SYSCONFDIR}/sshd_config file!"
-	let ++ret
-	privsep_used=no
-      fi
-    else
-      privsep_used=no
+      csih_error_recoverable "Could not create user 'sshd'!"
+      csih_error_recoverable "You will not be able to run an sshd service"
+      csih_error_recoverable "under a privileged account successfully."
+      csih_error_recoverable "Make sure to create a non-privileged user 'sshd'"
+      csih_error_recoverable "manually before trying to run the service!"
+      let ++ret
     fi
   fi
   return $ret
@@ -202,18 +189,6 @@ sshd_config_tweak() {
       let ++ret
     fi
   fi
-  if [ "${sshd_config_configured}" != "yes" ]
-  then
-    /usr/bin/sed -i -e "
-      s/^#\?UsePrivilegeSeparation .*/UsePrivilegeSeparation ${privsep_used}/" \
-      ${SYSCONFDIR}/sshd_config
-    if [ $? -ne 0 ]
-    then
-      csih_warning "Setting privilege separation failed!"
-      csih_warning "Check your ${SYSCONFDIR}/sshd_config file!"
-      let ++ret
-    fi
-  fi
   return $ret
 } # --- End of sshd_config_tweak --- #
 
@@ -693,7 +668,7 @@ then
   fi
 fi
 
-# handle sshd_config (and privsep)
+# handle sshd_config
 csih_install_config "${SYSCONFDIR}/sshd_config" "${SYSCONFDIR}/defaults" || let ++warning_cnt
 if ! /usr/bin/cmp "${SYSCONFDIR}/sshd_config" "${SYSCONFDIR}/defaults/${SYSCONFDIR}/sshd_config" >/dev/null 2>&1
 then
-- 
2.9.3

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 819 bytes
Desc: not available
URL: <http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20170315/659745e9/attachment.bin>
