Mail Archives: cygwin/2003/07/11/08:26:21
Hello,

Thank you very much for all your help. I really appreciate that.

I found a workaround, by setting the StrictModes setting in \etc\sshd_config
to "No". As you said earlier, new cygwin is more strict in terms of
permissions and ownership.

So now, I have openssh 2.5.2p2 and cygwin 1.3.22 on Windows 2003 box with
sshd running as a service in SYSTEM context with passwordless authentication
and I am able to connect to it over SSH.

Thanks.
-Prasad
--- Corinna Vinschen <corinna-cygwin AT cygwin DOT com> wrote:
> On Fri, Jul 11, 2003 at 04:32:43AM -0700, Prasad Dabak wrote:
> > 1. I am using openssh 2.5.2p2 and cygwin 1.3.1 using passwordless
> > authentication with sshd running in SYSTEM context. I have been using
> > this combination for years on Windows 2000 and it works fine.
>
> Just as a side note: 2.5.2 has a bunch of known security issues.
> It's recommended to upgrade to 3.6.1.
>
> > 2. I tried the same combination of Windows 2003. Here the SSH
> > connection gets established. I don't get any permission denied errors.
> > However, when I ssh to the box it fails with the error.
> >
> > c:\bin\bash.exe: *** Couldn't reserve space for cygwin's heap
> > (0x24B0000) in child, cygheap, Win32 error 0
>
> It fails for me in a different way with Cygwin 1.5.0. I checked that the
> "Create a token object" privilege is not in the access token given to a
> SYSTEM service. Therefore I'm actually confused by this description.
>
> > 3. I fixed the cygwin heap problem by putting the cygwin1.dll from
> > 1.3.22. After this, when I ssh to the box, I get the "Permission denied
> > (publickey,password,keyboard-interactive)." error.
>
> Yes, that's what should happen. The weird thing is that I *tested* that
> it fails with 1.5.0 (which is not different from 1.3.22 in terms of
> setuid/setgid handling) due to the missing privilege. I don't see that
> the Windows privilege should be in any way depending on the Cygwin
> version. The call to NtCreateToken() fails with error 1314, "A required
> privilege is not held by the client."
>
> > 4. Next, if I run the "sshd.exe" by interactively logging onto the
> > system as Administrator, then, I am able to SSH to the box without any
> > problems.
>
> As administrator I assume? In that case it's not relevant since then the
> logon account is equal to the account running sshd. Therefore no user
> context switch happens.
>
> If you didn't explicitly change the user permissions of the Administrator
> account to contain the "Create a token object" privilege, you will not be
> able to change the user context in this scenario.
>
> > So, now, I have two questions
> >
> > 1. If I upgrade to latest version of openssh, will this solve my
> > problem? Will I be able to run sshd as a service running in SYSTEM
> > context with passwordless authentication and be able to establish ssh
> > connection
>
> Yes and no. As far as my testing goes, I could establish a situation in
> which sshd (3.6.2p1) is running as service, allows passwordless user
> context switch and runs the shell nicely. But it only works if you create
> a special account for this, which is member of the admins group and has
> the additional user privileges "Create a token object", "Replace a
> process level token" and "Logon as a service". Probably it makes sense to
> remove other privileges from that account, e.g. the right to logon
> locally or so.
>
> Caution: Don't use the account name "sshd" for that. The "sshd" account
> should be a non-privileged account which is used by sshd when privilege
> separation (available since OpenSSH 3.4) is used. That account will be
> created on demand when you start `ssh-host-config' of current Cygwin
> OpenSSH versions.
>
> > 2. If I don't upgrade to latest version of openssh, is there any
> > workaround to be able to run sshd as a service in SYSTEM context with
> > passwordless authentication and be able to establish ssh connection
>
> I don't recommend that due to security concerns.
>
> Corinna
>
> --
> Corinna Vinschen                  Please, send mails regarding Cygwin to
> Cygwin Developer                  mailto:cygwin AT cygwin DOT com
> Red Hat, Inc.
>
> --
> Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple
> Problem reports:       http://cygwin.com/problems.html
> Documentation:         http://cygwin.com/docs.html
> FAQ:                   http://cygwin.com/faq/
>
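The workaround above (StrictModes off) removes the ownership and permission check that made sshd reject the login; a defender would rather find which file or directory fails it and fix that. The following is an added example, not code from this thread or from OpenSSH, that approximates sshd's StrictModes test (owner must be the user or root, nothing group- or world-writable, from authorized_keys up to the home directory) on a constructed home layout; it assumes a POSIX host with os.getuid() available.

```python
import os
import stat
import tempfile


def strict_modes_violations(path, home, uid):
    """Approximation of the StrictModes test (OpenSSH's secure_filename()):
    the file and every directory from it up to the home directory (or "/")
    must be owned by the user or root and not be group/world-writable.
    Returns a list of violation strings; empty means sshd would accept it."""
    violations = []
    current = os.path.realpath(path)
    home = os.path.realpath(home)
    while True:
        st = os.lstat(current)
        if st.st_uid not in (uid, 0):
            violations.append(f"{current}: owned by uid {st.st_uid}, not {uid} or 0")
        if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
            mode = oct(stat.S_IMODE(st.st_mode))
            violations.append(f"{current}: mode {mode} is group/world writable")
        # Stop once the home directory (or the filesystem root) was checked.
        if current in (home, os.path.dirname(current)):
            break
        current = os.path.dirname(current)
    return violations


def demo():
    """Build a constructed home directory, run the check on a clean layout,
    then loosen .ssh and authorized_keys the way a bad copy often leaves
    them and run it again. Returns (clean_result, loosened_result)."""
    uid = os.getuid()
    with tempfile.TemporaryDirectory() as tmp:
        home = os.path.join(tmp, "prasad")          # constructed user home
        ssh_dir = os.path.join(home, ".ssh")
        keys = os.path.join(ssh_dir, "authorized_keys")
        os.makedirs(ssh_dir)
        with open(keys, "w") as f:
            f.write("ssh-rsa AAAA-constructed-placeholder-key user@example\n")
        os.chmod(home, 0o755)
        os.chmod(ssh_dir, 0o700)
        os.chmod(keys, 0o600)
        clean = strict_modes_violations(keys, home, uid)
        os.chmod(keys, 0o664)      # group-writable key file
        os.chmod(ssh_dir, 0o770)   # group-writable .ssh directory
        loosened = strict_modes_violations(keys, home, uid)
    return clean, loosened


if __name__ == "__main__":
    clean, loosened = demo()
    print("clean layout:", clean or "accepted")
    for line in loosened:
        print("loosened layout:", line)
```

Run it against a real account by calling strict_modes_violations() with that user's authorized_keys path, home directory and uid.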