Mail Archives: cygwin/2003/09/18/10:26:41
Hi All...
Quite a while ago (12 to 18 months?) before Cygwin OpenSSH could impersonate
a user, there was some experimental activity in OpenSSH to allow multiple
authentication methods. There was a patch to add this on the OpenSSH
archives.
I experimented with this to require public key followed by password
authentication. This got me the security of a public key authentication and
also got me a password to change user ID. When Cygwin added the impersonate
user ability, I dropped this activity.
...Karl
>From: Olivier ALLART <olivier DOT allart AT speeq DOT com>
>To: Cygwin List <cygwin AT cygwin DOT com>
>Subject: Re: SSHD, Cygwin and Windows 2003 : continued with user rights
>Date: Thu, 18 Sep 2003 01:22:48 +0200
>
>Larry Hall wrote:
>
>>Hm, I thought I was clear. Let me try again addressing iisreset
>>specifically.
>>
>>iisreset doesn't work in the scenario you described because it's a
>>Microsoft tool which knows nothing of the Cygwin environment. Cygwin's
>>ssh using pubkey authentication doesn't authenticate the user with
>>Windows. So if
>>you need certain credentials to perform some operation in Windows, pubkey
>>authentication won't provide them.
>>
>Ok. I thought ssh offered some mechanism through cygwin to authenticate as if
>under windows ..
>That means the 'administrator' account via ssh pubkey is not
>'administrator' then ..
>
>>If you need to run iisreset through ssh,
>>you will need to use password authentication, which takes the password for
>>the user 'administrator' and authenticates for Windows with it. You
>>should
>>then be able to use iisreset (if authentication is really the only thing
>>getting in the way with pubkey).
>>
>yes it is, since it is working with ssh connection (using password on
>login) when sshd runs under 'local system'
>
>>I don't know what are the "*some commands*" you're speaking of, but if
>>they are Cygwin utilities, then I think the answer is obvious. If they
>>are not Cygwin utilities, then I would have to say that they don't require
>>special privileges to run. This is actually true for most utilities. But
>>if this is still confusing for you, you'll have to provide specifics.
>>However, I think you'll find that it's likely that anything that works for
>>you in ssh using pubkey authentication falls into one of the two groups of
>>utilities I mentioned.
>>
>and you are probably right.
>other commands are for example 'wlbs' (or nlb).
>My problem is : I want to execute some remote (but encrypted) commands
>using both wlbs and iisreset.
>wlbs works fine from remote, but that is not so for IISreset.
>I thought authentication using ssh and public key would allow me to perform
>the iisreset command..
>But from what you explained, it is clear that whatever user logs in with
>pubkey, it won't be considered as 'administrator'
>It looks like iisreset can only be performed *locally* by *local
>administrator*, which is dumb in the situation where you are from remote.
>Only other remote control would be 'telnet' but hey, ms telnet can't
>perform remote commands.
>
>Last question; if I provided a pubkey in the 'administrator' (cygwin)
>environment, who am I for windows ?
>
>Thank you very much.
>Next I guess I'll go look for some tip on how to unlock iisreset so it can
>be used by whatever admin and not just local ..
>
>>
>>HTH,
>>
>>Larry
>>
>>
>>At 02:56 PM 9/17/2003, Olivier ALLART you wrote:
>>
>>
>>
>>>Thank you for the details, but then, why *some commands* work and not
>>>others ?
>>>And more specifically, how can I make *this command* work ?
>>>
>>>
>>>Larry Hall wrote:
>>>
>>>
>>>
>>>>I think you missed the fact that pubkey authentication does
>>>>impersonation,
>>>>not Windows-style authentication. So Windows apps won't recognize the
>>>>pubkey
>>>>authentication as providing permissions to run restricted programs.
>>>>You'll
>>>>have to use password authentication if you want Windows to recognize the
>>>>user you've become via ssh. You can find all sorts of discussion on the
>>>>difference between pubkey and password authentication for ssh in the
>>>>email archives if you're interested.
>>>>
>>>>
>>>>
>>>At 12:40 PM 9/17/2003, Olivier ALLART you wrote:
>>>
>>>
>>>
>>>>Following Mark J de Jong 's step by step howto (see end of mail for some
>>>>add-ons), I can now effectively log in with pkey method (that is, no
>>>>password) using the 'administrator' user name.
>>>>'whoami' returns 'administrator', however asking for a command such as
>>>>IISRESET returns the error 'you are not a local administrator of this
>>>>machine...', which means the rights management has failed somewhere.
>>>>
>>>>
>>>>
>>>
>>>
>>>
>>>
>>>>--
>>>>Larry Hall http://www.rfk.com
>>>>RFK Partners, Inc. (508) 893-9779 - RFK Office
>>>>838 Washington Street (508) 893-9889 - FAX
>>>>Holliston, MA 01746
>>>>
>>>--
>>>Unsubscribe info: http://cygwin.com/ml/#unsubscribe-simple
>>>Problem reports: http://cygwin.com/problems.html
>>>Documentation: http://cygwin.com/docs.html
>>>FAQ: http://cygwin.com/faq/