Mail Archives: cygwin/2006/05/10/22:37:41
Larry Hall (Cygwin) wrote:
> Andrew DeFaria wrote:
>> Larry Hall (Cygwin) wrote:
>>> Andrew DeFaria wrote:
>>>> I'm trying to set up ssh access to a Windows 2003 server. I am
>>>> having a problem in that when I ssh to this server it immediately
>>>> exits and I find the following in /var/log/sshd.log:
>>>>
>>>> 5 [main] sshd 12912 C:\Cygwin\usr\sbin\sshd.exe: *** fatal
>>>> error - could not load ws2_32, Win32 error 0
>>>>
>>>> Forgive me I did do some research about setting up ssh on a 2003
>>>> server and I believe I'm very close to having it set up correctly
>>>> but I'm still missing something. I created a local sshd_server user
>>>> and added things like "Act as part of the operating system",
>>>> "Replace process level token", etc. I did not see a setting for
>>>> "Increase quota". Note that I am using a local sshd_server user
>>>> (i.e. <machine>\sshd_server) as the logon for the sshd service. I
>>>> don't believe I'm using privilege separation.
>>>>
>>>> I had to use mmc and a Group Policy editor for the domain to add
>>>> this local user into the rights at the domain level before this
>>>> would work. Still when I try to ssh in I get a password prompt but
>>>> after that the above gets written into the sshd.log and the prompt
>>>> returns.
>>>>
>>>> Note that I also use this local sshd_server user for inetd so that
>>>> rsh can and does work. Insecure I know and I'd like to switch this
>>>> client over to using all ssh but I gotta get it working for them.
>>>>
>>>> Thanks in advance.
>>> Why not use ssh-host-config to set up sshd? It will create
>>> sshd_server for you in the proper way.
>> I did! sshd_server would not have been my choice of a username had I
>> done this by hand (the user daemon comes to mind). However that was
>> not working. This is a domain environment so the sshd_server user
>> could be <domain>\sshd_server or <local machine>\sshd_server. I don't
>> think I have enough privilege to add a domain user so I made it a
>> local user.
>>
>> Plus I believe that domain policies did not allow me to modify the
>> user rights of this local user. (From memory) I believe I went into
>> mmc and added the Group Policy Editor snapin then attempted to add
>> the local sshd_server to the users that have say "Act as part of the
>> operating system" rights but the add button was grayed out. Last
>> night while trying again I noticed I could add Domain Group Policy
>> snapin and much to my surprise I was able to add the <local
>> server>\sshd_server user to the "Act as part of operating system" and
>> "replace process level token" lists. Again I didn't see an "Increase
>> quota". This got inetd and rsh working but ssh still produces an error.
>>
>> Actually, assuming I can create say a domain "daemon" user for use
>> with sshd and inetd, etc., would it be better to do this at the
>> domain level? I would like to allow others in the domain to set up
>> ssh or inetd with the rights to SU...
> No tweaking of the permissions for sshd_server is necessary and it's
> not required to add sshd_server to any other users to get things to
> work. sshd_server is a local user created to run the service and
> nothing else. To log in via 'ssh' with a domain user, just make sure
> the domain user is in your '/etc/passwd' file and your '/etc/group'
> file contains the proper domain groups. See 'man mkpasswd' and
> 'man mkgroup' if these users and groups are not already in these files.
/etc/passwd and /etc/group are symlinks to a shared and up-to-date copy
of the output of mkpasswd/mkgroup. That's not the issue. As I understand
it, for sshd (or in.rlogind) to "switch user" it needs special
privileges. Indeed the documentation alludes to that. And until I added
those permissions to the sshd_server user ssh/rsh would not work at all.
(rsh, started from inetd that is as inetd was also logging on as the
sshd_server user). Still, while rsh works, ssh refuses to work citing
the error message above in /var/log/sshd.log. IOW I can rsh <server> and
get in. I can also rsh <server> <command> and have <command> run on
<server> (provided /etc/passwd on <server> has a blank password for the
user). However I cannot ssh <server>. When I do so it prompts for the
password then abruptly logs out with the only clue left in
<server>:/var/log/sshd.log.
--
A shark is the only fish that can blink with both eyes.