search for: check_ntsec

Hi, I have added calls to `check_ntsec()' to the code which checks for the ownership and modes of identity files and directories. As you might know, check_ntsec() tests if owner/modes are supported by the OS (9x/ME=no, NT/W2K=yes), the filesystem (FAT/FAT32=no, NTFS=yes) and the current Cygwin settings (ntea/ntsec). Corinna Index:...

...=================================== RCS file: /cvs/openssh_cvs/openbsd-compat/bsd-cygwin_util.c,v retrieving revision 1.5 diff -u -p -r1.5 bsd-cygwin_util.c --- openbsd-compat/bsd-cygwin_util.c 2001/07/18 16:19:49 1.5 +++ openbsd-compat/bsd-cygwin_util.c 2001/11/20 12:44:23 @@ -139,4 +139,26 @@ int check_ntsec(const char *filename) return 0; } +void register_9x_service(void) +{ + HINSTANCE kerneldll; + DWORD (*RegisterServiceProcess)(DWORD, DWORD); + + /* The service register mechanism in 9x/Me is pretty different from + * NT/2K/XP. In NT/2K/XP we're using a special service start...

OpenSSH 3.4 has just been released. It will be available from the mirrors listed at http://www.openssh.com/ shortly. OpenSSH is a 100% complete SSH protocol version 1.3, 1.5 and 2.0 implementation and includes sftp client and server support. We would like to thank the OpenSSH community for their continued support and encouragement. Changes since OpenSSH 3.3: ============================

...l requsts for changing the user context if another - * authentication method is used. - * This may change in future when a special openssh - * subauthentication package is available. - */ - if (is_winnt && !pwd_authenticated && geteuid() != uid) - return 0; - - return 1; -} - int check_ntsec(const char *filename) { char *cygwin; Index: openbsd-compat/bsd-cygwin_util.h =================================================================== RCS file: /cvs/openssh_cvs/openbsd-compat/bsd-cygwin_util.h,v retrieving revision 1.4 diff -u -p -r1.4 bsd-cygwin_util.h --- openbsd-compat/bsd-cygwin...

...(major_high == 1 && (major_low > 3 || + (major_low == 3 && minor >= 2)))) + has_create_token = 1; + } + } + if (has_create_token < 1 && + !pwd_authenticated && geteuid() != uid) + return 0; + } return 1; } @@ -82,12 +108,9 @@ int check_ntsec(const char *filename) return 0; /* Evaluate current CYGWIN settings. */ - if ((cygwin = getenv("CYGWIN")) != NULL) { - if (strstr(cygwin, "ntea") && !strstr(cygwin, "nontea")) - allow_ntea = 1; - if (strstr(cygwin, "ntsec") && !strs...

...says "It is recommended that your private key files are NOT accessible by others." but appears to implement somewhat more than a `recommendation' !) Is this bug intended as a feature ? [ :-) ] I can see no code to disable this test [ other than setting HAVE_CYGWIN and writing a check_ntsec() which returns FALSE :-) ]

...-0000 1.5 +++ openbsd-compat/bsd-cygwin_util.h 18 Dec 2001 19:07:14 -0000 @@ -24,7 +24,7 @@ int binary_open(const char *filename, int flags, ...); int binary_pipe(int fd[2]); -int check_nt_auth(int pwd_authenticated, uid_t uid); +int check_nt_auth(int pwd_authenticated, struct passwd *pw); int check_ntsec(const char *filename); void register_9x_service(void); -- Corinna Vinschen Cygwin Developer Red Hat, Inc. mailto:vinschen at redhat.com

...TOKEN) && + (ntsec_on(cygwin) || + (has_capability(HAS_NTSEC_BY_DEFAULT) && + !ntsec_off(cygwin)))) + has_create_token = 1; } if (has_create_token < 1 && !pwd_authenticated && geteuid() != pw->pw_uid) @@ -128,7 +174,9 @@ int check_ntsec(const char *filename) /* Evaluate current CYGWIN settings. */ cygwin = getenv("CYGWIN"); allow_ntea = ntea_on(cygwin); - allow_ntsec = ntsec_on(cygwin); + allow_ntsec = ntsec_on(cygwin) || + (has_capability(HAS_NTSEC_BY_DEFAULT) && + !ntsec_off(cygwin)); /...

On Wed, 20 Feb 2019 at 23:54, Corinna Vinschen <vinschen at redhat.com> wrote: > The previous revert enabled case-insensitive user names again. This > patch implements the case-insensitive user and group name matching. > To allow Unicode chars, implement the matcher using wchar_t chars in > Cygwin-specific code. Keep the generic code changes as small as possible. > Cygwin:

...TOKEN) && + (ntsec_on(cygwin) || + (has_capability(HAS_NTSEC_BY_DEFAULT) && + !ntsec_off(cygwin)))) + has_create_token = 1; } if (has_create_token < 1 && !pwd_authenticated && geteuid() != pw->pw_uid) @@ -128,7 +174,9 @@ int check_ntsec(const char *filename) /* Evaluate current CYGWIN settings. */ cygwin = getenv("CYGWIN"); allow_ntea = ntea_on(cygwin); - allow_ntsec = ntsec_on(cygwin); + allow_ntsec = ntsec_on(cygwin) || + (has_capability(HAS_NTSEC_BY_DEFAULT) && + !ntsec_off(cygwin)); /...

Attached is a patch which adds a new config option, AuthOrder2, to sshd_config.c. The syntax is: AuthOrder2 AuthMethod1[:SubAuthMethod1[:SubAuthMethod2...]][,AuthMethod2...] An example, requiring users to enter a public key _and_ a password, in that order: AuthOrder2 publickey:password The current default behaviour: AuthOrder2 password,publickey,keyboard-interactive Require a public key,

...-- authfile.c.orig Thu Nov 27 15:01:01 2003 +++ authfile.c Thu Nov 27 16:50:39 2003 @@ -496,7 +496,7 @@ } static int -key_perm_ok(int fd, const char *filename) +key_perm_ok(int fd, const char *filename, int group_private_key) { struct stat st; @@ -510,7 +510,10 @@ #ifdef HAVE_CYGWIN if (check_ntsec(filename)) #endif - if ((st.st_uid == getuid()) && (st.st_mode & 077) != 0) { + if ((!group_private_key + && (st.st_uid == getuid()) && (st.st_mode & 077) != 0) + || (group_private_key && (st.st_uid == getuid() + || st.st_gid == getgid()) &&a...

...return -1; /* Negative */ else diff --git a/openbsd-compat/bsd-cygwin_util.h b/openbsd-compat/bsd-cygwin_util.h index 202c055dbae7..55c5a5b81b44 100644 --- a/openbsd-compat/bsd-cygwin_util.h +++ b/openbsd-compat/bsd-cygwin_util.h @@ -55,6 +55,7 @@ int binary_open(const char *, int , ...); int check_ntsec(const char *); char **fetch_windows_environment(void); void free_windows_environment(char **); +int cygwin_ug_match_pattern_list(const char *, const char *); #ifndef NO_BINARY_OPEN #define open binary_open diff --git a/servconf.c b/servconf.c index 4fa896fd4576..2365e15bca93 100644 --- a/serv...

Hi, OpenSSH 5.9 is almost ready for release, so we would appreciate testing on as many platforms and systems as possible. This release contains a couple of new features and changes and bug fixes. Testing of the new sandboxed privilege separation mode (see below) would be particularly appreciated. Snapshot releases for portable OpenSSH are available from http://www.mindrot.org/openssh_snap/ The