This is the mail archive of the cygwin mailing list for the Cygwin project.



Re: sshd [5.1p1] fails on seteuid "permission denied"


"J.D. Baldwin" wrote:

> I can invoke /usr/sbin/sshd but not log in via same.  I have tried it

Stop right there.  Running sshd directly from your user account -- even
if you are an Administrator -- is incorrect and wrong.  It won't work,
and worse, it will cause the permissions of the dirs and files that sshd
creates to be incorrect when you try to run it properly as a service.

In order to perform the impersonation, i.e. seteuid, the account that
runs sshd must have the following privileges:

SeAssignPrimaryTokenPrivilege
SeCreateTokenPrivilege
SeTcbPrivilege
SeIncreaseQuotaPrivilege
SeServiceLogonRight

These are not privileges that normal user accounts (even Administrators)
possess, so don't try running sshd as a normal user.  It must be run
from a special account.

Under XP, the default LocalSystem account does have everything required
and should work fine.  Under later versions of Windows LocalService has
fewer privileges and thus a dedicated ssh_server account must be created
and granted the required rights.  All of these details are handled by
ssh-host-config, so you don't really need to care.  All you need to know
is that you can't run sshd yourself.  But since you have done that, the
ownership of e.g. the log file, /var/empty, host keys, etc. is all
wrong and the service will likely refuse to start.

So.  Delete everything you've done:

$ cygrunsrv --remove sshd
$ rm -rf /var/log/sshd* /etc/ssh_host* /etc/sshd_config /var/empty

Now run just "ssh-host-config -y", followed by "cygrunsrv --start
sshd".  Everything should work fine.  If it does not, send the contents
of /var/log/sshd.log as well as all the entries in the Windows Event Log
from sshd.

Also, consider creating a proper group file with mkgroup -l -d or
similar.

Brian
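
A check of an account against the rights list in the message above, added here as an example; it is not part of the original post and is not code from ssh-host-config. The function names are hypothetical, and it assumes Cygwin's "editrights -l -u ACCOUNT" prints the account's rights one per line.

```shell
#!/bin/sh
# Added example: report which of the rights named in the message an
# account lacks. Function and variable names are hypothetical.

# The five rights listed in the message above.
REQUIRED_RIGHTS="SeAssignPrimaryTokenPrivilege
SeCreateTokenPrivilege
SeTcbPrivilege
SeIncreaseQuotaPrivilege
SeServiceLogonRight"

# Reads the rights an account holds on stdin (one per line) and writes each
# required right that is absent on its own line.
# Returns 0 when nothing is missing, 1 otherwise.
missing_sshd_rights() {
    # Normalise CRLF line endings and surrounding whitespace first.
    held=$(tr -d '\r' | sed 's/^[[:space:]]*//; s/[[:space:]]*$//')
    missing=""
    for right in $REQUIRED_RIGHTS; do
        # -x whole line, -F literal string: SeTcbPrivilege must not be
        # satisfied by a longer name that merely contains it.
        if ! printf '%s\n' "$held" | grep -qxF "$right"; then
            missing="${missing}${right}
"
        fi
    done
    printf '%s' "$missing"
    [ -z "$missing" ]
}

# Assumption: editrights is installed and "-l -u ACCOUNT" lists the rights
# held by ACCOUNT, one per line.
# Example call from a Cygwin shell: check_sshd_account ssh_server
check_sshd_account() {
    editrights -l -u "$1" | missing_sshd_rights
}
```

An empty result with exit status 0 means the account holds every right on the list; any name printed is one the service account still lacks.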
