[cvsnt] Reported author problem running cvsnt with cygwin/sshd on Windows Server 2003.

Tony Hoyle tony.hoyle at march-hare.com
Thu Oct 5 14:56:03 BST 2006


Dwight Schauer wrote:
> The user for cygwin sshd on ws2k3 defaults to "sshd_server", not "SYSTEM".
> In order for key based password-less logins to work on ws2k3 cygwin/sshd, a
> user other than "SYSTEM" must be used. Vista has the same issue, but I don't
> plan to be running my cvsnt server on Vista any time soon.

Cygwin just needs to use a proper LSA library in the same way that cvsnt 
does it (in fact there's nothing to stop them using the CVSNT one 
really).  I'm very surprised they got the old method to work at all in 
Vista - MS are supposed to have removed the undocumented APIs from the 
public interface.

This was a solved problem years ago - it's not a cvsnt issue.

> If it were up to me (and I know it is not) I'd rather see the GetUserNameA
> call removed altogether, and the user name gotten from the environment all
> the time, but there may be other reasons why GetUserNameA is being used.

That would be a security breach.  You can't just have any username in 
there because you can't trust the environment in which the server runs.  
It's very difficult to start something as SYSTEM unless you're already 
the administrator, so in that case you have a (limited) trust of the 
environment.  For any other user that is not guaranteed to be true.

In the same way 'sshd_server' is not a guaranteed secure user and cannot 
be safely added as an exception.

Tony
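
The trust rule argued for in the reply above, as an added sketch that is not part of the original message and is not cvsnt code. It assumes a POSIX stand-in for the Win32 case: `getpwuid()` plays the role of `GetUserNameA`, the `USER` variable plays the environment-supplied name, and `resolve_user` and `privileged_uid` (standing in for SYSTEM) are hypothetical names.

```c
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200809L
#endif
#include <pwd.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* Name the OS itself reports for a uid; "uid:N" if it has no passwd entry. */
static void os_name(uid_t uid, char *out, size_t n) {
    struct passwd *pw = getpwuid(uid);
    if (pw)
        snprintf(out, n, "%s", pw->pw_name);
    else
        snprintf(out, n, "uid:%lu", (unsigned long)uid);
}

/*
 * Decide which user the server acts as.
 * The environment-supplied name is honoured only when the process runs as
 * the privileged service account (assumption: privileged_uid models SYSTEM),
 * because only an administrator could have started it that way.
 * For any other account the environment is caller-controlled, so the name
 * comes from the OS. Returns 1 if the environment was used, 0 otherwise.
 */
int resolve_user(uid_t proc_uid, uid_t privileged_uid, char *out, size_t n) {
    const char *env = getenv("USER");
    if (proc_uid == privileged_uid && env && *env) {
        snprintf(out, n, "%s", env);
        return 1;
    }
    os_name(proc_uid, out, n);
    return 0;
}

int main(void) {
    char who[64];
    /* Constructed value: whoever launches the process can set this. */
    setenv("USER", "administrator", 1);
    int from_env = resolve_user(geteuid(), 0, who, sizeof who);
    printf("acting as %s (source: %s)\n", who, from_env ? "environment" : "OS");
    return 0;
}
```

Adding a second account to the `proc_uid == privileged_uid` test extends environment trust to anything that can start a process as that account, which is the objection to special-casing `sshd_server`.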

