Mail Archives: cygwin/2007/08/13/06:02:37

To: cygwin AT cygwin DOT com
From: Brian Kasper <bkasper AT socal DOT rr DOT com>
Subject: "/bin/bash: permission denied" on WinXP 2003 x64 solved (privilege problem)
Date: Mon, 13 Aug 2007 02:51:19 -0700
Message-ID: <f9p9if$rqb$1@sea.gmane.org>

I've been having a hard time getting sshd to accept logins on a Windows
XP 2003 x64 box.  The problems ranged from the error mentioned in the
subject line ("/bin/bash: permission denied" appearing during logins) to
silent failures during password authentication, during which the ssh
connection would simply be closed by the instance of Cygwin sshd running
on my machine.

I was seeing errors in the system event log, but unfortunately I'm not
very experienced with Windows security, so I wasn't understanding what I
was seeing.  Corinna Vinschen gave me a pointer about the SeTcbPrivilege
error I was seeing (thanks, Corinna!) which led me to investigate the
privileges that were being given to the sshd_server user.

As it turns out, all my problems were caused by the fact that the
sshd_server user being created by the ssh-host-config script was not
being given all the required privileges.  I'm not sure why, but I found
an online description of the rights required by sshd_server and used the
"editrights" utility to grant them.  I then deleted my ~/.ssh directory
(definitively to erase the known_hosts file), restarted sshd, and
everything began to work perfectly.

Unfortunately, I neglected to record which privileges had been granted
to the sshd_server user on my system before I started granting
additional ones, but as far as I remember sshd_server only had 2 or so
of the 8 privileges granted.

In case the information helps anyone else, here is a list of the
privileges that the sshd_server user appears to need:

SeIncreaseQuotaPrivilege
SeTcbPrivilege
SeAssignPrimaryTokenPrivilege
SeCreateTokenPrivilege
SeServiceLogonRight
SeDenyInteractiveLogonRight
SeDenyNetworkLogonRight
SeDenyRemoteInteractiveLogonRight

To determine which privileges sshd_server has on your system, use this
command:

editrights -u sshd_server -l

And here are the commands necessary to grant the above privileges to
sshd_server:

editrights -a SeTcbPrivilege -u sshd_server
editrights -a SeAssignPrimaryTokenPrivilege -u sshd_server
editrights -a SeCreateTokenPrivilege -u sshd_server
editrights -a SeDenyInteractiveLogonRight -u sshd_server
editrights -a SeDenyNetworkLogonRight -u sshd_server
editrights -a SeDenyRemoteInteractiveLogonRight -u sshd_server
editrights -a SeIncreaseQuotaPrivilege -u sshd_server
editrights -a SeServiceLogonRight -u sshd_server

-B
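
An added example, not part of the original post: a read-only audit that saves the account's current rights to a file (the step the post says was skipped) and prints `editrights -a` commands only for the listed rights that are missing. It assumes `editrights -l` prints one right name per line; the function names, snapshot filename and sample listing are illustrative.

```shell
#!/bin/sh
# Added example: audit sshd_server's rights before granting anything.
# Assumption: `editrights -l -u USER` prints one right name per line.

# The eight rights listed in the post.
REQUIRED_RIGHTS="SeIncreaseQuotaPrivilege
SeTcbPrivilege
SeAssignPrimaryTokenPrivilege
SeCreateTokenPrivilege
SeServiceLogonRight
SeDenyInteractiveLogonRight
SeDenyNetworkLogonRight
SeDenyRemoteInteractiveLogonRight"

# Constructed sample of `editrights -l` output (not taken from the post).
SAMPLE_LISTING="SeServiceLogonRight
SeDenyInteractiveLogonRight"

# missing_rights: reads the current rights on stdin (one per line) and
# prints each required right that is absent. Tolerates CRLF and padding.
missing_rights() {
    current=$(tr -d '\r' | sed 's/^[[:space:]]*//; s/[[:space:]]*$//')
    for right in $REQUIRED_RIGHTS; do
        printf '%s\n' "$current" | grep -qxF "$right" || printf '%s\n' "$right"
    done
}

# audit_account: snapshot the rights to a file, then report the gap.
# Returns 0 if nothing is missing, 1 if rights are missing, 2 on error.
audit_account() {
    user=$1
    snapshot="rights-$user-$(date +%Y%m%d%H%M%S).txt"
    editrights -l -u "$user" > "$snapshot" || return 2
    missing=$(missing_rights < "$snapshot")
    if [ -z "$missing" ]; then
        echo "$user holds all listed rights (snapshot: $snapshot)"
        return 0
    fi
    echo "$user is missing these rights (snapshot: $snapshot):"
    for right in $missing; do
        echo "  editrights -a $right -u $user"
    done
    return 1
}

# Run the audit only when an account name is given on the command line.
if [ $# -ge 1 ]; then audit_account "$1"; fi
```

Keeping the snapshot file gives a record of the account's rights before any change, so later grants can be compared against it.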

