Mail Archives: cygwin/2006/05/12/22:22:22

X-Spam-Check-By: sourceware.org
Message-ID: <4465429D.8080708@cygwin.com>
Date: Fri, 12 May 2006 22:21:17 -0400
From: "Larry Hall (Cygwin)" <reply-to-list-only-lh AT cygwin DOT com>
Reply-To: cygwin AT cygwin DOT com
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8) Gecko/20051223 Fedora/1.5-0.2.fc4.remi Thunderbird/1.5 Mnenhy/0.7.3.0
MIME-Version: 1.0
To: cygwin AT cygwin DOT com
Subject: Re: ssh to 2003 server exist immediately
References: <e3s32l$k60$1 AT sea DOT gmane DOT org> <4461FD21 DOT 3050606 AT cygwin DOT com> <e3t060$q2n$1 AT sea DOT gmane DOT org> <44622D6F DOT 2090303 AT cygwin DOT com> <e3u80a$vbr$1 AT sea DOT gmane DOT org>
In-Reply-To: <e3u80a$vbr$1@sea.gmane.org>
Mailing-List: contact cygwin-help AT cygwin DOT com; run by ezmlm
List-Subscribe: <mailto:cygwin-subscribe AT cygwin DOT com>
List-Archive: <http://sourceware.org/ml/cygwin/>
List-Post: <mailto:cygwin AT cygwin DOT com>
List-Help: <mailto:cygwin-help AT cygwin DOT com>, <http://sourceware.org/ml/#faqs>
Sender: cygwin-owner AT cygwin DOT com
Mail-Followup-To: cygwin AT cygwin DOT com
Delivered-To: mailing list cygwin AT cygwin DOT com

Andrew DeFaria wrote:
> Larry Hall (Cygwin) wrote:
>> Andrew DeFaria wrote:
>>> Larry Hall (Cygwin) wrote:
>>>> Andrew DeFaria wrote:
>>>>> I'm trying to set up ssh access to a Windows 2003 server. I am 
>>>>> having a problem in that when I ssh to this server it immediately 
>>>>> exits and I find the following in /var/log/sshd.log:
>>>>>
>>>>>      5 [main] sshd 12912 C:\Cygwin\usr\sbin\sshd.exe: *** fatal 
>>>>> error - could not load ws2_32, Win32 error 0
>>>>>
>>>>> Forgive me, I did do some research about setting up ssh on a 2003 
>>>>> server and I believe I'm very close to having it set up correctly 
>>>>> but I'm still missing something. I created a local sshd_server user 
>>>>> and added things like "Act as part of the operating system", 
>>>>> "Replace process level token", etc. I did not see a setting for 
>>>>> "Increase quota". Note that I am using a local sshd_server user 
>>>>> (i.e. <machine>\sshd_server) as the logon for the sshd service. I 
>>>>> don't believe I'm using privilege separation.
>>>>>
>>>>> I had to use mmc and a Group Policy editor for the domain to add 
>>>>> this local user into the rights at the domain level before this 
>>>>> would work. Still when I try to ssh in I get a password prompt but 
>>>>> after that the above gets written into the sshd.log and the prompt 
>>>>> returns.
>>>>>
>>>>> Note that I also use this local sshd_server user for inetd so that 
>>>>> rsh can and does work. Insecure I know and I'd like to switch this 
>>>>> client over to using all ssh but I gotta get it working for them.
>>>>>
>>>>> Thanks in advance.
>>>> Why not use ssh-host-config to set up sshd?  It will create 
>>>> sshd_server for you in the proper way.
>>> I did! sshd_server would not have been my choice of a username had I 
>>> done this by hand (the user daemon comes to mind). However that was 
>>> not working. This is a domain environment so the sshd_server user 
>>> could be <domain>\sshd_server or <local machine>\sshd_server. I don't 
>>> think I have enough privilege to add a domain user so I made it a 
>>> local user.
>>>
>>> Plus I believe that domain policies did not allow me to modify the 
>>> user rights of this local user. (From memory) I believe I went into 
>>> mmc and added the Group Policy Editor snapin then attempted to add 
>>> the local sshd_server to the users that have say "Act as part of the 
>>> operating system" rights but the add button was grayed out. Last 
>>> night while trying again I noticed I could add Domain Group Policy 
>>> snapin and much to my surprise I was able to add the <local 
>>> server>\sshd_server user to the "Act as part of operating system" and 
>>> "replace process level token" lists. Again I didn't see an "Increase 
>>> quota". This got inetd and rsh working but ssh still produces an error.
>>>
>>> Actually, assuming I can create say a domain "daemon" user for use 
>>> with sshd and inetd, etc., would it be better to do this at the 
>>> domain level. I would like to allow others in the domain to set up 
>>> ssh or inetd with the rights to SU...
>> No tweaking of the permissions for sshd_server is necessary and it's 
>> not required to add sshd_server to any other users to get things to 
>> work. sshd_server is a local user created to run the service and 
>> nothing else. To login via 'ssh' with a domain user, just make sure 
>> the domain user is in your '/etc/passwd' file and your '/etc/group' 
>> file contains the proper domain groups.  See 'man mkpasswd' and 
>> 'man mkgroup' if these users and groups are not already in these files.
> /etc/passwd and /etc/group are symlinks to a shared and up to date copy 
> of the output of mkpasswd/mkgroup. That's not the issue. As I understand 
> it, for sshd (or in.rlogind) to "switch user" it needs special 
> privileges. Indeed the documentation alludes to that. And until I added 
> those permissions to the sshd_server user ssh/rsh would not work at all. 


But if you ran /bin/ssh-host-config and told it to create sshd_server when
it asked you to, it will add these rights automatically.  There's no need
to do it yourself.  Just take a look at /bin/ssh-host-config.  The calls
to "editrights" in the section that handles the creation of the sshd_server
user/group specifically add the privileges that are necessary to switch
the user context on W2K3.  If it failed to set these permissions you should
have been warned.


> (rsh, started from inetd that is as inetd was also logging on as the 
> sshd_server user). Still, while rsh works, ssh refuses to work citing 
> the error message above in /var/log/sshd.log. IOW I can rsh <server> and 
> get in. I can also rsh <server> <command> and have <command> run on 
> <server> (provided /etc/passwd on <server> has a blank password for the 
> user). However I cannot ssh <server>. When I do so it prompts for the 
> password then abruptly logs out with the only clue left in 
> <server>:/var/log/sshd.log.


Well you can always run the client and the server in debug mode and track
each one's progress.  The server is always a little more helpful.  But if
you can't figure out anything else, I'd go back and retry running
/bin/ssh-host-config after deleting the sshd_server user/group.  Pay close
attention to what it says concerning sshd_server.


-- 
Larry Hall                              http://www.rfk.com
RFK Partners, Inc.                      (508) 893-9779 - RFK Office
838 Washington Street                   (508) 893-9889 - FAX
Holliston, MA 01746

--
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple
Problem reports:       http://cygwin.com/problems.html
Documentation:         http://cygwin.com/docs.html
FAQ:                   http://cygwin.com/faq/
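An added check, not part of this thread or of ssh-host-config itself, that compares the rights the sshd service account actually holds with the set ssh-host-config grants through editrights for switching user context. It assumes that `editrights -l -u USER` prints one right name per line; the account name sshd_server follows the thread, and the "hand-made account" rights list is a constructed sample so the script runs off a Cygwin host as well.

```shell
#!/bin/sh
# Added example (not from the thread or from ssh-host-config): compare the
# user rights held by the sshd service account against the rights that
# ssh-host-config grants via editrights so sshd can switch user context
# on Windows Server 2003.
# Assumption: `editrights -l -u USER` prints one right name per line.

SSHD_USER="${SSHD_USER:-sshd_server}"

# Rights ssh-host-config grants to sshd_server for user switching.
# secpol.msc display names are in the comments; on Windows Server 2003
# "Increase quotas" is shown as "Adjust memory quotas for a process".
REQUIRED_RIGHTS="SeAssignPrimaryTokenPrivilege
SeCreateTokenPrivilege
SeTcbPrivilege
SeIncreaseQuotaPrivilege
SeServiceLogonRight"
# SeAssignPrimaryTokenPrivilege - Replace a process level token
# SeCreateTokenPrivilege        - Create a token object
# SeTcbPrivilege                - Act as part of the operating system
# SeIncreaseQuotaPrivilege      - Adjust memory quotas for a process
# SeServiceLogonRight           - Log on as a service

# missing_rights HAVE_LIST: print each required right absent from
# HAVE_LIST (one name per line); prints nothing when all are present.
missing_rights() {
    have="$1"
    for r in $REQUIRED_RIGHTS; do
        printf '%s\n' "$have" | grep -qx "$r" || printf '%s\n' "$r"
    done
}

# check_rights HAVE_LIST: exit 0 if every required right is present.
check_rights() {
    [ -z "$(missing_rights "$1")" ]
}

# Constructed sample: an account set up by hand with only the two rights
# the thread mentions adding through the Group Policy editor.
SAMPLE_HAND_MADE="SeTcbPrivilege
SeAssignPrimaryTokenPrivilege"

# With --live on a Cygwin host, query the real account; otherwise use
# the constructed sample so the script runs anywhere.
if [ "${1:-}" = "--live" ] && command -v editrights >/dev/null 2>&1; then
    have="$(editrights -l -u "$SSHD_USER")"
else
    have="$SAMPLE_HAND_MADE"
fi

missing="$(missing_rights "$have")"
if [ -n "$missing" ]; then
    printf '%s is missing:\n%s\n' "$SSHD_USER" "$missing"
    printf 'ssh-host-config grants each with: editrights -a <Right> -u %s\n' "$SSHD_USER"
else
    printf '%s holds every right ssh-host-config would grant.\n' "$SSHD_USER"
fi
```

Run it with `--live` from a Cygwin shell on the 2003 server to see which rights the account lacks; the Group Policy editor path in the thread covers only two of them, which is why re-running ssh-host-config is the simpler fix. For the debug step suggested above, start a second server instance in the foreground on a spare port with `/usr/sbin/sshd -d -d -d -p 2222` and connect with `ssh -vvv -p 2222 user@server`, so the server-side log of the failed session is printed on the console instead of only the one-line fatal error in /var/log/sshd.log.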
