While trying to sort out some problems with Cygwin + SSH on Windows 8.1, I'd like to know why the ssh-host-config script creates two new accounts when configuring OpenSSH from scratch (is this necessary?). The two accounts are cyg_server and sshd, when using the default choices + privilege separation and service installation. I know the first is used only to start the Cygwin SSHd service, but I don't understand what the second one does. I searched the Cygwin archives, and the only explanation from a developer is "because it is designed to do that". It is also recommended not to use these accounts for actual logins.
Here is my installation:
-----------------------------------------------------------
ssh-keygen: generating new host keys: RSA1 RSA DSA ECDSA ED25519
*** Info: Creating default /etc/ssh_config file
*** Info: Creating default /etc/sshd_config file
*** Info: Privilege separation is set to yes by default since OpenSSH 3.3.
*** Info: However, this requires a non-privileged account called 'sshd'.
*** Info: For more info on privilege separation read /usr/share/doc/openssh/README.privsep.
*** Query: Should privilege separation be used? (yes/no) yes
*** Info: Note that creating a new user requires that the current account have
*** Info: Administrator privileges. Should this script attempt to create a
*** Query: new local account 'sshd'? (yes/no) yes
*** Info: Updating /etc/sshd_config file
*** Query: Do you want to install sshd as a service?
*** Query: (Say "no" if it is already installed as a service) (yes/no) yes
*** Query: Enter the value of CYGWIN for the daemon: []
*** Info: On Windows Server 2003, Windows Vista, and above, the
*** Info: SYSTEM account cannot setuid to other users -- a capability
*** Info: sshd requires. You need to have or to create a privileged
*** Info: account. This script will help you do so.
*** Info: You appear to be running Windows XP 64bit, Windows 2003 Server,
*** Info: or later. On these systems, it's not possible to use the LocalSystem
*** Info: account for services that can change the user id without an
*** Info: explicit password (such as passwordless logins [e.g. public key
*** Info: authentication] via sshd).
*** Info: If you want to enable that functionality, it's required to create
*** Info: a new account with special privileges (unless a similar account
*** Info: already exists). This account is then used to run these special
*** Info: servers.
*** Info: Note that creating a new user requires that the current account
*** Info: have Administrator privileges itself.
*** Info: No privileged account could be found.
*** Info: This script plans to use 'cyg_server'.
*** Info: 'cyg_server' will only be used by registered services.
*** Query: Do you want to use a different name? (yes/no) no
*** Query: Create new privileged user account 'cyg_server'? (yes/no) yes
*** Info: Please enter a password for new user cyg_server. Please be sure
*** Info: that this password matches the password rules given on your system.
*** Info: Entering no password will exit the configuration.
*** Query: Please enter the password:
*** Query: Reenter:
*** Info: User 'cyg_server' has been created with password 'XXXXXXXXXX'.
*** Info: If you change the password, please remember also to change the
*** Info: password for the installed services which use (or will soon use)
*** Info: the 'cyg_server' account.
*** Info: Also keep in mind that the user 'cyg_server' needs read permissions
*** Info: on all users' relevant files for the services running as 'cyg_server'.
*** Info: In particular, for the sshd server all users' .ssh/authorized_keys
*** Info: files must have appropriate permissions to allow public key
*** Info: authentication. (Re-)running ssh-user-config for each user will set
*** Info: these permissions correctly. [Similar restrictions apply, for
*** Info: instance, for .rhosts files if the rshd server is running, etc].
*** Info: The sshd service has been installed under the 'cyg_server'
*** Info: account. To start the service now, call `net start sshd' or
*** Info: `cygrunsrv -S sshd'. Otherwise, it will start automatically
*** Info: after the next reboot.
*** Info: Host configuration finished. Have fun!
-----------------------------------------------------------
Also, "cyg_server" is a visible account that can be used for Windows login, but "sshd" seems to be hidden. So I concluded that I have to add a third account in order to use SSH properly, which seems a bit crazy!
Edit-1: Not only that, the sshd account is also set with a password expiry date 40 days from the day of installation, and it has a password (per WMIC). (I was never asked to enter a password for this account during the ssh setup.)
Running wmic useraccount get AccountType,...,Status:
AccountType  Disabled  Lockout  Name        PasswordChangeable  PasswordExpires  PasswordRequired  Status
512          FALSE     FALSE    cyg_server  TRUE                FALSE            TRUE              OK
512          TRUE      FALSE    sshd        TRUE                TRUE             TRUE              Degraded
And net user sshd:
User name sshd
Full Name sshd privsep
Comment
User's comment
Country/region code 000 (System Default)
Account active No
Account expires Never
Password last set 2014-03-01 23:20:19
Password expires 2014-04-12 23:20:19
Password changeable 2014-03-01 23:20:19
Password required Yes
User may change password Yes
Workstations allowed All
Logon script
User profile
Home directory C:\cygwin64\var\empty
Last logon Never
Logon hours allowed All
Local Group Memberships *Users
Global Group memberships *None
The command completed successfully.
So this raises two more questions:
- What is the password that was set, and why isn't the user told about it?
- Why does this password have an expiry date?
Edit-2: I couldn't get onto the Cygwin developer list, so I had to investigate further myself. So far I haven't found an answer to question 1, but the ssh-host-config script used for setup has several other problems. Most importantly, you can delete the sshd and cyg_server accounts at any time and set up a proper administrator account, using their settings as a reference.
Question 2: the default password expiry on Windows 8.1 is 42 days. That setting has to be changed or disabled with the regular Windows tools (UI, WMIC, net user, etc.).
Answer 1
Update for 2019: this answer and the question are out of date. See Bill_Stewart's answer.
From man 5 sshd_config:
UsePrivilegeSeparation
    Specifies whether sshd separates privileges by creating an
    unprivileged child process to deal with incoming network traffic.
    After successful authentication, another process will be created
    that has the privilege of the authenticated user. The goal of
    privilege separation is to prevent privilege escalation by
    containing any corruption within the unprivileged processes. The
    default is "yes".
So sshd needs two kinds of account:
- one that is able to setuid;
- one unprivileged account.
The install script explains that the usual SYSTEM account does not have the setuid privilege, hence the extra privileged account.
Answer 2
As for why ssh-host-config creates two user accounts, Dan's answer covers most of it. For more on why a separate account is needed for setuid, see the referenced discussion; it is a complicated process.
As for your first sub-question, I believe it is also a default, like the password expiry. In /usr/share/csih/cygwin-service-installation-helper, which ssh-host-config uses, the user is created like this (with the Windows net command), where ${unpriv_user} is the name you chose, e.g. sshd, and ${dos_var_empty} is the Windows/DOS-style path to /var/empty:
net user "${unpriv_user}" /add /fullname:"${unpriv_user} privsep" \
"/homedir:${dos_var_empty}" /active:no
Microsoft's documentation for /passwordreq says the default is yes, i.e. a password is required, and it seems Windows assigns some default password (possibly because none was specified, possibly specifically because of /active:no).
For your second sub-question, as you said in your second edit, at least on Windows 8.1 Pro the default appears to be that passwords expire after 42 days, although that setting is definitely not enabled on my account or on the new cyg_server account. That may be due to the same combination: cyg_server has a password specified and is active, whereas sshd has no password specified and is inactive (perhaps to force a password to be assigned when the account is activated). If you want the exact details, I might try creating more similar accounts, turning expiry off / specifying a password, and seeing what happens.
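The question's Edit-2 and this answer both turn on what state ssh-host-config leaves the two accounts in. The following audit script is an added example, not code from the question, the answers or Cygwin; it assumes the default account names cyg_server and sshd, an elevated PowerShell session, and uses the ADSI WinNT provider because Windows 8.1 lacks the newer LocalAccounts module.

```powershell
# Added example (not from the question or answers): report the state of the
# two accounts ssh-host-config creates, keep the service account exempt from
# password expiry, and warn if the privsep account was ever enabled.
# Assumes default names cyg_server / sshd and an elevated PowerShell session.

$ADS_UF_ACCOUNTDISABLE     = 0x00002   # account disabled (net user /active:no)
$ADS_UF_DONT_EXPIRE_PASSWD = 0x10000   # "Password never expires"

function Get-LocalAccountState {
    param([Parameter(Mandatory)][string]$Name)
    $path = "WinNT://$env:COMPUTERNAME/$Name,user"
    if (-not [adsi]::Exists($path)) { throw "Local account '$Name' not found" }
    $u = [ADSI]$path
    $flags = [int]$u.UserFlags.Value
    [pscustomobject]@{
        Name                 = $Name
        Disabled             = [bool]($flags -band $ADS_UF_ACCOUNTDISABLE)
        PasswordNeverExpires = [bool]($flags -band $ADS_UF_DONT_EXPIRE_PASSWD)
        PasswordExpired      = [bool][int]$u.PasswordExpired.Value
        # PasswordAge is reported by the provider in seconds since last set
        PasswordAgeDays      = [math]::Round([int]$u.PasswordAge.Value / 86400, 1)
    }
}

function Set-PasswordNeverExpires {
    param([Parameter(Mandatory)][string]$Name)
    $u = [ADSI]"WinNT://$env:COMPUTERNAME/$Name,user"
    $flags = [int]$u.UserFlags.Value -bor $ADS_UF_DONT_EXPIRE_PASSWD
    $u.Put('UserFlags', $flags)   # idempotent: OR-ing an already set bit is a no-op
    $u.SetInfo()
}

'cyg_server', 'sshd' | ForEach-Object { Get-LocalAccountState $_ } | Format-Table -AutoSize

# ssh-host-config warns that changing the cyg_server password also means
# updating the installed service that uses it. A forced rotation from the
# 42-day policy would therefore have to be mirrored into the service
# configuration, so keep the service account exempt from expiry.
Set-PasswordNeverExpires 'cyg_server'
# Equivalent with the tools the question mentions:
#   wmic useraccount where "name='cyg_server'" set PasswordExpires=false

# The privsep account is created with /active:no and is never meant for logon;
# flag it if someone has enabled it since installation.
if (-not (Get-LocalAccountState 'sshd').Disabled) {
    Write-Warning "'sshd' is enabled; re-disable it with: net user sshd /active:no"
}
```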
Answer 3
Original answer
The separate disabled sshd account is not actually used by Cygwin (with one exception; see below). I asked about this on the Cygwin mailing list:
Is the sshd disabled user account still needed?
Corinna Vinschen (Cygwin maintainer) replied as follows:
No, not really. Currently the sshd server checks whether it should use the privsep chrrot [sic] environment and whether the process is started under "root:root". This never matches under Cygwin, so we can drop the sshd user requirement.
(See https://cygwin.com/ml/cygwin/2019-01/msg00120.html)
Update regarding sftp-only
The above is correct in that the sshd account is not strictly required. The only case in which it is needed is if you want to use the ChrootDirectory setting in sshd_config to restrict accounts to SFTP only.
It is worth mentioning that I created a package that provides an easy-to-use installer for configuring the Cygwin version of OpenSSH (and a few other tools that are included, such as rsync). If anyone is interested, it is available on GitHub:
https://github.com/Bill-Stewart/CygSSH
The documentation in the package describes how the sshd account is used.
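The sftp-only restriction the answer refers to, as an added sshd_config example that is not taken from the answer or from the CygSSH package. The local group name sftponly and the chroot path /sftp/%u are assumptions; the ownership rule in the comment is OpenSSH's own requirement for ChrootDirectory.

```conf
# Added example: confine one group of accounts to SFTP inside a chroot.
# Use the in-process SFTP server; an external sftp-server binary is not
# reachable from inside the chroot.
Subsystem sftp internal-sftp

# Members of the (assumed) local group "sftponly" get SFTP only. OpenSSH
# requires the ChrootDirectory itself, and every path component above it,
# to be owned by root and not writable by group or others, otherwise the
# login is refused; give each user a writable subdirectory beneath it.
Match Group sftponly
    ChrootDirectory /sftp/%u
    ForceCommand internal-sftp
    AllowTcpForwarding no
    AllowAgentForwarding no
    X11Forwarding no
    PermitTunnel no
```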