This is the mail archive of the cygwin@cygwin.com mailing list for the Cygwin project.



Re: cygwin on Windows 2003...


Hello,

Thank you very much for all your help. I really
appreciate that.

I found a workaround, by setting the StrictModes
setting in \etc\sshd_config to "No". As you said
earlier, new cygwin is more strict in terms of
permissions and ownership. 

So now, I have openssh 2.5.2p2 and cygwin 1.3.22 on
Windows 2003 box with sshd running as a service in
SYSTEM context with password less authentication and I
am able to connect to it over SSH.

Thanks.
-Prasad




--- Corinna Vinschen <corinna-cygwin@cygwin.com> wrote:
> On Fri, Jul 11, 2003 at 04:32:43AM -0700, Prasad Dabak wrote:
> > 1. I am using openssh 2.5.2p2 and cygwin 1.3.1 using
> > passwordless authentication with sshd running in
> > SYSTEM context. I have been using this combination for
> > years on Windows 2000 and it works fine.
> 
> Just as a side note:  2.5.2 has a bunch of known security issues.
> It's recommended to upgrade to 3.6.1.
> 
> > 2. I tried the same combination of Windows 2003. Here
> > the SSH connection gets established. I don't get any
> > permission denied errors. However, when I ssh to the
> > box it fails with the error.
> > 
> > c:\bin\bash.exe: *** Couldn't reserve space for
> > cygwin's heap (0x24B0000) in child, cygheap, Win32
> > error 0
> 
> It fails for me in a different way with Cygwin 1.5.0.  I checked
> that the "Create a token object" privilege is not in the access
> token given to a SYSTEM service.  Therefore I'm actually confused
> by this description.
> 
> > 3. I fixed the cygwin heap problem by putting the
> > cygwin1.dll from 1.3.22. After this, when I ssh to the
> > box, I get the "Permission denied
> > (publickey,password,keyboard-interactive)." error.
> 
> Yes, that's what should happen.  The weird thing is that I *tested*
> that it fails with 1.5.0 (which is not different from 1.3.22 in
> terms of setuid/setgid handling) due to the missing privilege.
> I don't see that the Windows privilege should be in any way depending
> on the Cygwin version.  The call to NtCreateToken() fails with error
> 1314, "A required privilege is not held by the client."
> 
> > 4. Next, if I run the "sshd.exe" by interactively
> > logging onto the system as Administrator, then, I am
> > able to SSH to the box without any problems.
> 
> As administrator I assume?  In that case it's not relevant since
> then the logon account is equal to the account running sshd.  Therefore
> no user context switch happens.
> 
> If you didn't explicitly change the user permissions of the
> Administrator account to contain the "Create a token object"
> privilege, you will not be able to change the user context in
> this scenario.
> 
> > So, now, I have two questions
> > 
> > 1. If I upgrade to latest version of openssh, will
> > this solve my problem? Will I be able to run sshd as a
> > service running in SYSTEM context with password less
> > authentication and be able to establish ssh connection
> 
> Yes and no.  As far as my testing goes, I could establish a situation
> in which sshd (3.6.2p1) is running as service, allows passwordless
> user context switch and runs the shell nicely.  But it only works if
> you create a special account for this, which is member of the admins
> group and has the additional user privileges "Create a token object",
> "Replace a process level token" and "Logon as a service".  Probably
> it makes sense to remove other privileges from that account, e.g.
> the right to logon locally or so.
> 
> Caution:  Don't use the account name "sshd" for that.  The "sshd"
> account should be a non-privileged account which is used by sshd
> when privilege separation (available since OpenSSH 3.4) is used.
> That account will be created on demand when you start `ssh-host-config'
> of current Cygwin OpenSSH versions.
> 
> > 2. If I don't upgrade to latest version of openssh, is
> > there any way workaround to be able to run sshd as a
> > service in SYSTEM context with password less
> > authentication and be able to establish ssh connection
> 
> I don't recommend that due to security concerns.
> 
> Corinna
> 
> -- 
> Corinna Vinschen                  Please, send mails regarding Cygwin to
> Cygwin Developer                                mailto:cygwin@cygwin.com
> Red Hat, Inc.
> 
> --
> Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple
> Problem reports:       http://cygwin.com/problems.html
> Documentation:         http://cygwin.com/docs.html
> FAQ:                   http://cygwin.com/faq/
> 


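An added example, not part of the original messages and not OpenSSH's own code: a sketch of the kind of ownership and mode check that the StrictModes setting mentioned above applies to a user's home directory and key file, so the path that fails can be found and its permissions corrected. The helper name `strictmodes_findings`, the rule as written here (owner is the user or root, no group or world write bit) and the sample files are assumptions constructed for illustration.

```python
import os
import stat
import tempfile


def strictmodes_findings(home, key_file, uid):
    """List (path, problem) pairs for every component from key_file up to
    home that fails the assumed rule (hypothetical helper)."""
    home = os.path.realpath(home)
    path = os.path.realpath(key_file)
    findings = []
    while True:
        st = os.stat(path)
        # The owner must be the login user or root.
        if st.st_uid not in (0, uid):
            findings.append((path, "owned by uid %d" % st.st_uid))
        # No group or world write access on any component.
        if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
            mode = stat.S_IMODE(st.st_mode)
            findings.append((path, "mode %04o is group/world-writable" % mode))
        if path == home:
            break
        parent = os.path.dirname(path)
        if parent == path:  # hit the filesystem root without passing home
            findings.append((path, "key file is not under " + home))
            break
        path = parent
    return findings


def demo():
    """Constructed sample: a home directory whose .ssh is group-writable."""
    home = tempfile.mkdtemp()
    ssh_dir = os.path.join(home, ".ssh")
    os.mkdir(ssh_dir)
    key_file = os.path.join(ssh_dir, "authorized_keys")
    with open(key_file, "w") as fh:
        fh.write("ssh-rsa AAAA...constructed-sample user@example\n")
    os.chmod(home, 0o755)
    os.chmod(ssh_dir, 0o775)   # weak setting: group can write
    os.chmod(key_file, 0o600)
    before = strictmodes_findings(home, key_file, os.getuid())
    os.chmod(ssh_dir, 0o700)   # corrected setting
    after = strictmodes_findings(home, key_file, os.getuid())
    return before, after


if __name__ == "__main__":
    before, after = demo()
    print("before:", before)
    print("after: ", after)
```
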

