Why does ssh-host-config create two users in Cygwin on Windows 8.1?

Solution 1:

Update 2019: This answer and question is obsolete. See Bill_Stewart's answer.

From man 5 sshd_config

     Specifies whether sshd separates privileges by creating an
     unprivileged child process to deal with incoming network traffic.
     After successful authentication, another process will be created
     that has the privilege of the authenticated user.  The goal of
     privilege separation is to prevent privilege escalation by con-
     taining any corruption within the unprivileged processes.  The
     default is "yes".

So sshd requires two types of accounts:

  1. One with the ability to setuid.
  2. One unprivileged account.

The setup script explains that the usual SYSTEM account doesn't have setuid privilege, thus the need for the additional privileged account.

Solution 2:

As for why ssh-host-config creates two user accounts is mostly answered by Dan. More on why a separate account is needed to setuid can be found here, it's a complicated process.

As for your first sub-question, I believe it's defaults, too, like the password expiry - in /usr/share/csih/cygwin-service-installation-helper, used by ssh-host-config, the user is created (using the Windows net command) like this, where ${unpriv_user} is the name, like sshd, you selected, and ${dos_var_empty} is the Windows/DOS style path to /var/empty:

net user "${unpriv_user}" /add /fullname:"${unpriv_user} privsep" \
"/homedir:${dos_var_empty}" /active:no

The documentation by Microsoft says that the default value for /passwordreq, if a password is required, is yes, and it seems that Windows then assigns some default password (probably because a password isn't specified, maybe in particular because /active:no).

And for your second sub-question, like you said in your second edit, the default, at least for Windows 8.1 Pro, seems to be a password expiry after 42 days, although it's certainly not enabled on my account OR the new cyg_server account. This is probably because of the same combination - cyg_server specifies a password and is active, but sshd doesn't specify a password and isn't active (perhaps this is to force a password being assigned if/when the account is activated). If you want to know the exact details, I'd probably try creating more similar accounts with the expiry off/specifying the password and seeing what happens.