sshd_config AllowStreamLocalForwarding perm off / effectively privsep off

Corinna Vinschen corinna-cygwin@cygwin.com
Mon Aug 7 17:40:38 GMT 2023


On Aug 7 22:11, Shaddy Baddah via Cygwin wrote:
> Hi,
>
> For the current OpenSSH server (9.3p2), AllowStreamLocalForwarding
> defaults on. That means both local and remote unix socket port
> forwarding are possible.
>
> For Cygwin, it appears the remote form of this is not possible. The
> following message is seen on the client-side, regardless of whether
> sshd_config explicitly defines AllowStreamLocalForwarding "on", or
> "all":
>
> |Forwarding port.
> |debug1: Remote: Server has disabled streamlocal forwarding.
>
> Finding the code around this, and a three(?) component conditional
> expression that "fails" into that message, I discovered that the
> reason it is not allowed is the following conditional:
>
> |		 (pw->pw_uid != 0 && !use_privsep)) {
>
> and to my surprise, after compiling a debug version of sshd to discover
> this conditional, it turns out that use_privsep is set to zero (0).
>
> I've been around the Cygwin community for many years, and I remember
> the time when ssh-host-config prompted for priv sep, and the creation
> of the "sshd" local user.
>
> I remember the transition when that prompt was removed, and reading that
> priv sep was now "on permanently".
>
> I think there is a misunderstanding here though, though I'm not 100%
> sure of my reading of the situation. It appears that though priv sep is
> on by default, for Cygwin, it is effectively off, as it cannot be
> implemented???

Privilege separation in OpenSSH consists of two independent parts, both
of which require AF_UNIX sockets.
The first part is transmission of peer credentials per the SO_PEERCRED
socket option. This was relatively easy to implement.
The other part of privilege separation requires AF_UNIX sockets to allow
sending and receiving open file descriptors via the SCM_RIGHTS ancillary
data feature. This does not work in Cygwin.

> DISABLE_FD_PASS is always set by autoconf for Cygwin. And my reading is
> that not having that capability effectively means whatever the other
> criteria, the executing process doesn't have sufficient "separation" of
> privilege to be treated in the same manner.

Yes, the parts of OpenSSH requiring descriptor passing are disabled in
OpenSSH.

> Otherwise, what's the solution?

Solution for what? What is it you want to do?

Corinna

