This is the mail archive of the cygwin mailing list for the Cygwin project.



Cygwin setup of sshd for non-administrators documentation?


The following message contains my findings regarding a working setup of
Cygwin of sshd for non-administrators -- a topic I would like to see
addressed in the official documentation, since no other source was found
(at least via Google) with conclusive information on the subject:

INTRODUCTION

Two often cited pages with guides for setting up sshd on Win32:

  http://pigtail.net/LRP/printsrv/cygwin-sshd.html
  http://ncyoung.com/entry/389

mention it to be necessary to make every user who wishes to gain access
via ssh/sftp a member of the Administrators group (!).

I did not find this subject covered in the Cygwin documentation, but it
seems urgent that this *is* covered by the documentation. Making all
users who access a W2K or WXP system members of the Administrators group
poses a security risk.

ANALYSIS

Users gain access to the Cygwin system via ssh/sftp as themselves with
the rights that were assigned to them in Win32 and in NTFS. Therefore
any problems that may occur are a result of either insufficient
permissions to access a file or folder or a result of not being the
owner of a folder that belongs to them.

After reinstalling cygwin several times and trial & error with changing
file and folder permissions and ownership I indeed found that users
who are not members of the Administrators group can gain access via
ssh/sftp. However, this requires tweaking of the permissions and
ownership from a cygwin shell:

SOLUTION

1) user X must have a /home/X folder which they are owner of and with
rwx permissions for themselves.

  $ ls -l /home
  total 0
  drwx------+ 3 Administrator None 0 Oct 30 18:35 Administrator
  drwx------+ 2 X             None 0 Oct 30 18:40 X

2) users must have access to the passwd, group, profile and profile.d
file and folders in /etc. In fact I ended up giving full access rights
to users to all files and folders in /etc except the ssh* key and config
files.

  $ ls -l etc
  total 204
  ...
  -rwxrwxr-x+ 1 Administrator Users     14 Oct 28 18:41 ftpusers
  -rwxrwxr-x+ 1 Administrator Users     49 Oct 28 18:41 ftpwelcome
  ...
  -rwxrwx---+ 1 Administrator Users   1692 Oct 29 18:39 group
  -rwxrwx---+ 1 Administrator Users   1385 Oct 29 18:38 passwd
  ...
  -rwxrwx---+ 1 Administrator Users   6530 Oct 28 18:41 profile
  drwxrwx---+ 2 Administrator Users      0 Oct 28 18:39 profile.d
  ...

3) Users need full access rights to execute the .exe files in /bin,
/usr/bin and /usr/sbin (it seems to me now that chmod 770 would have
been sufficient):

  $ ls -l /usr/sbin/
  total 897
  ...
  -rwxrwxrwx+ 1 Administrator Users  46592 Apr 19  2005 in.ftpd.exe
  ...
  -rwxrwxrwx+ 1 Administrator Users  29184 Jul  5 23:30 sftp-server.exe
  -rwxrwxrwx+ 1 Administrator Users 130048 Jul  5 23:30 ssh-keysign.exe
  -rwxrwxrwx+ 1 Administrator Users 267776 Jul  5 23:30 sshd.exe


POST SCRIPTUM

Please review the information under 1-3 and if this is useful I would
welcome the maintainers of cygwin to include something along these lines
in the documentation. Hopefully this saves some time for others who
apparently were looking for the same.

with best regards
Theo

-- 
Ericsson Research, Service Layer Technologies
KI/EAB/TGB,SE-164 80 Kista, Sweden
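
The three steps in the message above, written as a repeatable permission check. This is an added example, not part of the original message or of Cygwin: the function names and the ROOT argument are assumptions, GNU stat is assumed, and only the POSIX mode bits are read (the ACLs behind the "+" in the listings are not inspected).

```shell
#!/bin/sh
# Added example: audit steps 1-3 from the message. All names are hypothetical.

# has_bits FILE BITS: succeed if every octal bit in BITS is set on FILE.
has_bits() {
    m=$(stat -c '%a' "$1" 2>/dev/null) || return 2
    [ $(( 0$m & 0$2 )) -eq $(( 0$2 )) ]
}

# mode_within FILE MAX: succeed if FILE grants nothing beyond octal MAX.
mode_within() {
    m=$(stat -c '%a' "$1" 2>/dev/null) || return 2
    [ $(( 0$m & ~0$2 & 07777 )) -eq 0 ]
}

fail() { echo "FAIL $*"; rc=1; }

# audit_sshd_perms ROOT USER: print findings, return 1 if any were found.
# ROOT is "" on a live system, or a directory holding a copy of the tree.
audit_sshd_perms() {
    root=$1 user=$2 rc=0 home="$1/home/$2"

    # Step 1: /home/USER is owned by USER, who has rwx on it.
    if [ ! -d "$home" ]; then
        fail "step1: $home is missing"
    else
        [ "$(stat -c '%U' "$home")" = "$user" ] || fail "step1: $home not owned by $user"
        has_bits "$home" 700 || fail "step1: owner lacks rwx on $home"
    fi

    # Step 2: passwd, group and profile readable through the group bits,
    # profile.d readable and searchable (group Users in the listing).
    for f in passwd group profile; do
        has_bits "$root/etc/$f" 040 || fail "step2: /etc/$f not group-readable"
    done
    has_bits "$root/etc/profile.d" 050 || fail "step2: /etc/profile.d not group r-x"

    # Step 3: binaries group-executable, but no broader than the 770
    # that the message says would have been sufficient.
    for f in "$root"/bin/*.exe "$root"/usr/bin/*.exe "$root"/usr/sbin/*.exe; do
        [ -e "$f" ] || continue
        has_bits "$f" 010 || fail "step3: $f not group-executable"
        mode_within "$f" 770 || fail "step3: $f broader than 770"
    done
    return $rc
}
```

On a live Cygwin installation this would be called as `audit_sshd_perms "" X` from a Cygwin shell; the 777 modes shown for /usr/sbin in step 3 are reported as broader than 770.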

