This is the mail archive of the cygwin mailing list for the Cygwin project.
Re: Possible Security Hole in SSHD w/ CYGWIN?
- From: Erik Soderquist <ErikSoderquist at gmail dot com>
- To: cygwin at cygwin dot com
- Date: Thu, 18 Feb 2016 12:10:36 -0500
- Subject: Re: Possible Security Hole in SSHD w/ CYGWIN?
On Thu, Feb 18, 2016 at 10:12 AM, Corinna Vinschen wrote:
<snip>
> I implemented and tested the idea and it seems to work. Note that the
> underlying problem that we can't generate our own login session when using
> method 1 persists. However, the new code should avoid spilling cyg_server
> credentials into the user session.
>
> Please give the new Cygwin test release 2.5.0-0.4
> (https://cygwin.com/ml/cygwin-announce/2016-02/msg00023.html) a try.

I've installed the test release and am no longer able to reproduce the
issue; I get the expected "access denied" on all network shares as I
should on this test account. (pub key auth, no password stored with
"passwd -R")
:)
-- Erik