This is the mail archive of the cygwin mailing list for the Cygwin project.



Re: ssh-host-setup is adding user to Deny Terminal Services login


On Dec 16 10:00, Paul Keeble wrote:
> > The script denies access to the user running the service, not the user
> > running ssh-host-config.  Hopefully you don't use the service starter
> > account for normal logon purposes.
> 
> Alas I don't know of any other way to get what I need done. In order
> to support an automated system login we use an SSH key based login
> rather than passwords. This unfortunately means that there is no
> "real" login, the user does not have access to the network drives and
> that is kind of essential for what we are doing. The only workaround I
> have found is to have privilege separation off and have the sshd
> service be the same user as the login. That way the privileges are
> passed to the logged in shell and it works. The only time the password
> is necessary is when the install is done or the password is changed.
> The remaining problem is terminal services being disabled, which
> although undoable is a bit of a pain to do across hundreds of
> machines.

This is a non-default scenario which isn't supported by ssh-host-config.

> If there is another way to get key based logins and network access
> (real logins) working then that would be great to know about.

Not in Cygwin 1.5.x.  In Cygwin 1.7, yes.
See http://cygwin.com/1.7/cygwin-ug-net/ntsec.html#ntsec-setuid-overview

> Otherwise a workaround to stop ssh-host-config from disabling
> terminal services for that user would also be useful.

Just remove the offending line from the csih helper script
/usr/share/csih/cygwin-service-installation-helper.sh

  editrights -a SeDenyRemoteInteractiveLogonRight -u ${username} &&

Maybe we should remove this in the distro as well, but we're trying to
make it safe.  Using this account is quite dangerous, as you should
know.  It has been given very serious privileges by the ssh-host-config
script.  In your scenario, where you run sshd using the same account
which you're logging in to, you should install the service manually
without ssh-host-config.  Otherwise your logon account is practically
almighty.


Corinna

-- 
Corinna Vinschen                  Please, send mails regarding Cygwin to
Cygwin Project Co-Leader          cygwin AT cygwin DOT com
Red Hat
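
An added example, not part of the original message and not code from the Cygwin project: a small audit that classifies the rights held by the sshd service account and fails when token-level privileges are present without the `SeDenyRemoteInteractiveLogonRight` guard discussed above. It assumes `editrights -l -u "$account"` prints one right name per line; the three privileges treated as high-impact are an assumption (the message names only the deny right), and both sample lists are constructed.

```shell
#!/bin/sh
# Classify the user rights of a service account.
# Input on stdin: one right name per line, e.g. from
#   editrights -l -u "$account"   (output format assumed, see lead-in)

audit_rights() {
    high=0 deny_rdp=no
    while IFS= read -r right || [ -n "$right" ]; do
        # Drop CRs and blanks that Windows tools may emit.
        right=$(printf '%s' "$right" | tr -d ' \t\r')
        case $right in
            '') continue ;;
            # Assumed high-impact set: rights that let a process forge tokens.
            SeTcbPrivilege|SeCreateTokenPrivilege|SeAssignPrimaryTokenPrivilege)
                echo "HIGH  $right"; high=$((high + 1)) ;;
            SeDenyRemoteInteractiveLogonRight)
                echo "GUARD $right"; deny_rdp=yes ;;
            *)  echo "INFO  $right" ;;
        esac
    done
    echo "summary high=$high deny_rdp=$deny_rdp"
    # Fail only when high-impact rights exist and the guard is missing.
    [ "$high" -eq 0 ] || [ "$deny_rdp" = yes ]
}

# Constructed sample: account with the deny right still in place.
sample_hardened() {
    printf '%s\n' SeAssignPrimaryTokenPrivilege SeCreateTokenPrivilege \
        SeTcbPrivilege SeServiceLogonRight SeDenyRemoteInteractiveLogonRight
}

# Constructed sample: same account after the editrights line was removed.
sample_modified() {
    printf '%s\n' SeAssignPrimaryTokenPrivilege SeCreateTokenPrivilege \
        SeTcbPrivilege SeServiceLogonRight
}

echo "== hardened =="
sample_hardened | audit_rights || echo "-> review this account"
echo "== modified =="
sample_modified | audit_rights || echo "-> review this account"
```

On a real host, replace the sample functions with the actual `editrights` listing for the account and run the check on every machine where the helper script was edited.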
