Mail Archives: cygwin/2006/01/18/09:34:31

X-Spam-Check-By: sourceware.org
From: "Manel Rodero" <manel AT fib DOT upc DOT edu>
To: <cygwin AT cygwin DOT com>
Subject: Which privileges required by ssh-host-config running user?
Date: Wed, 18 Jan 2006 15:34:08 +0100
Message-ID: <005201c61c3c$3df63940$043a5393@fib.upc.es>
MIME-Version: 1.0
X-Scaned-FIB: AntiVirus/AntiSpam en fib.upc.es
X-IsSubscribed: yes
Mailing-List: contact cygwin-help AT cygwin DOT com; run by ezmlm
List-Subscribe: <mailto:cygwin-subscribe AT cygwin DOT com>
List-Archive: <http://sourceware.org/ml/cygwin/>
List-Post: <mailto:cygwin AT cygwin DOT com>
List-Help: <mailto:cygwin-help AT cygwin DOT com>, <http://sourceware.org/ml/#faqs>
Sender: cygwin-owner AT cygwin DOT com
Mail-Followup-To: cygwin AT cygwin DOT com
Delivered-To: mailing list cygwin AT cygwin DOT com
X-MIME-Autoconverted: from quoted-printable to 8bit by delorie.com id k0IEYSYh019515

Hello,

I've been deploying SSH to a lot of Windows Servers (2000 & 2003)
successfully. I've created an unattended installation of cygwin and some
scripts to run ssh-host-config and create the correct authorized_keys file
for the local user we need to use public key authentication with.

But, I have 4 servers where the script ssh-host-config fails because it
can't chown /etc/ssh* files to SYSTEM. See this output:

---- snip ----

$ ssh-host-config -y -c "binmode tty ntsec" -w "SKkO5i37TUQXoBBtt24EZwMN6s"
Generating /etc/ssh_host_key
Generating /etc/ssh_host_rsa_key
Generating /etc/ssh_host_dsa_key
Generating /etc/ssh_config file
Privilege separation is set to yes by default since OpenSSH 3.3.
However, this requires a non-privileged account called 'sshd'.
For more info on privilege separation read
/usr/share/doc/openssh/README.privsep
.

Should privilege separation be used? (yes/no) yes
Warning: The following function requires administrator privileges!
Should this script create a local user 'sshd' on this machine? (yes/no) yes
Generating /etc/sshd_config file


Warning: The following functions require administrator privileges!

Do you want to install sshd as service?
(Say "no" if it's already installed as service) (yes/no) yes

The service has been installed under LocalSystem account.
To start the service, call `net start sshd' or `cygrunsrv -S sshd'.
chown: changing ownership of `/etc/ssh_config': Permission denied
chown: changing ownership of `/etc/ssh_host_dsa_key': Permission denied
chown: changing ownership of `/etc/ssh_host_dsa_key.pub': Permission denied
chown: changing ownership of `/etc/ssh_host_key': Permission denied
chown: changing ownership of `/etc/ssh_host_key.pub': Permission denied
chown: changing ownership of `/etc/ssh_host_rsa_key': Permission denied
chown: changing ownership of `/etc/ssh_host_rsa_key.pub': Permission denied
chown: changing ownership of `/etc/sshd_config': Permission denied
chown: changing ownership of `/var/empty': Permission denied

Host configuration finished. Have fun! 

---- snip ----

The files have these permissions:

Administrator AT server ~
$ ls -l /etc/ssh*
-rwxr-xr-x  1 Administrator None 1292 Jan 18 13:44 /etc/ssh_config
-rw-------  1 Administrator None 1192 Jan 18 13:44 /etc/ssh_host_dsa_key
-rw-r--r--  1 Administrator None 1121 Jan 18 13:44 /etc/ssh_host_dsa_key.pub
-rw-------  1 Administrator None  982 Jan 18 13:43 /etc/ssh_host_key
-rw-r--r--  1 Administrator None  646 Jan 18 13:43 /etc/ssh_host_key.pub
-rw-------  1 Administrator None 1675 Jan 18 13:43 /etc/ssh_host_rsa_key
-rw-r--r--  1 Administrator None  401 Jan 18 13:43 /etc/ssh_host_rsa_key.pub
-rw-r--r--  1 Administrator None 2830 Jan 18 13:44 /etc/sshd_config

Administrator AT server ~
$ ls -l /var
total 0
drwxrwxrwx+ 3 Administrator Users 0 Jan 18 13:39 cache
drwxr-xr-x+ 2 Administrator None  0 Jan 18 13:43 empty
drwxrwxrwx+ 3 Administrator Users 0 Jan 18 13:39 lib
drwxrwxrwx+ 2 Administrator Users 0 Jan 18 13:43 log
drwxrwxrwx+ 2 Administrator Users 0 Jan 18 13:39 run
drwxrwxrwx+ 2 Administrator Users 0 Jan 18 13:39 tmp

In all servers I'm using the "Administrator" account. The only difference
between these 4 servers is that 2 of them are Domain Controllers and the
other 2 are members of this domain. All the servers where the ssh-host-config
script works perfectly are standalone servers.

So the question is: Why can't the Administrator change/chown the owner of
the /etc/ssh* files to SYSTEM?

Thank you very much!

--

o o o  Manel Rodero                   | LCFIB - UPC
o o o  Helpdesk Manager               | Campus Nord - Modul B6
o o o  Laboratori de Calcul           | Jordi Girona, 1-3
U P C  Facultat Informatica Barcelona | 08034 Barcelona (Spain)
                                      |
       manel AT fib DOT upc DOT edu              | Tel: +00 34 93 401 6940
       http://www.fib.upc.edu/~manel  | Fax: +00 34 93 401 7040


--
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple
Problem reports:       http://cygwin.com/problems.html
Documentation:         http://cygwin.com/docs.html
FAQ:                   http://cygwin.com/faq/
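A post-install check that an unattended deployment script could run right after ssh-host-config, added here as an example; it is not part of the original thread and not Cygwin's own code. It parses a Cygwin `ls -l` listing and flags any sshd file not owned by the expected account (SYSTEM) or any private host key readable beyond its owner, so the service is not started on a box where the chown step failed as in the output above. The function name, the expected-owner argument, the file set it looks at and the embedded listings (taken from the post, plus a constructed "fixed" variant) are this example's assumptions.

```shell
#!/bin/sh
# check_ssh_host_files OWNER: read `ls -l` lines on stdin and report each sshd
# file that is not owned by OWNER, plus each private host key whose mode is
# wider than -rw-------. Returns 0 if everything is as expected, 1 otherwise.
check_ssh_host_files() {
    want_owner="$1"
    rc=0
    # Cygwin ls -l fields: mode links owner group size month day time path
    while read -r mode links owner group size mon day time path; do
        case "$path" in
            */ssh_host_*|*/ssh_config|*/sshd_config|empty|*/empty) ;;
            *) continue ;;   # skip "total 0" and unrelated entries
        esac
        if [ "$owner" != "$want_owner" ]; then
            echo "BAD owner: $path is owned by $owner, expected $want_owner"
            rc=1
        fi
        case "$path" in
            */ssh_host_key|*/ssh_host_*_key)   # private keys, not the .pub files
                case "$mode" in
                    -rw-------*) ;;
                    *) echo "BAD mode: $path has mode $mode, expected -rw-------"
                       rc=1 ;;
                esac ;;
        esac
    done
    return $rc
}

# Listing as posted (constructed copy of the failing server's output).
BROKEN_LISTING='-rwxr-xr-x  1 Administrator None 1292 Jan 18 13:44 /etc/ssh_config
-rw-------  1 Administrator None 1192 Jan 18 13:44 /etc/ssh_host_dsa_key
-rw-r--r--  1 Administrator None 1121 Jan 18 13:44 /etc/ssh_host_dsa_key.pub
-rw-r--r--  1 Administrator None  646 Jan 18 13:43 /etc/ssh_host_key
-rw-r--r--  1 Administrator None 2830 Jan 18 13:44 /etc/sshd_config
drwxr-xr-x+ 2 Administrator None  0 Jan 18 13:43 empty'

# Constructed listing of how the same files should look once chown succeeded.
FIXED_LISTING='-rwxr-xr-x  1 SYSTEM None 1292 Jan 18 13:44 /etc/ssh_config
-rw-------  1 SYSTEM None 1192 Jan 18 13:44 /etc/ssh_host_dsa_key
-rw-r--r--  1 SYSTEM None 1121 Jan 18 13:44 /etc/ssh_host_dsa_key.pub
-rw-------  1 SYSTEM None  982 Jan 18 13:43 /etc/ssh_host_key
-rw-r--r--  1 SYSTEM None 2830 Jan 18 13:44 /etc/sshd_config
drwxr-xr-x+ 2 SYSTEM None  0 Jan 18 13:43 empty'

# On a real host: ls -l /etc/ssh* /var/empty | check_ssh_host_files SYSTEM
printf '%s\n' "$BROKEN_LISTING" | check_ssh_host_files SYSTEM \
    || echo "ownership not as expected; do not start sshd yet"
```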

