Mail Archives: cygwin/2007/08/13/06:02:37
I've been having a hard time getting sshd to accept logins on a Windows
XP 2003 x64 box. The problems ranged from the error mentioned in the
subject line ("/bin/bash: permission denied" appearing during logins) to
silent failures during password authentication, during which the ssh
connection would simply be closed by the instance of Cygwin sshd running
on my machine.
I was seeing errors in the system event log, but unfortunately I'm not
very experienced with Windows security, so I wasn't understanding what I
was seeing. Corinna Vinschen gave me a pointer about the SeTcbPrivilege
error I was seeing (thanks, Corinna!) which led me to investigate the
privileges that were being given to the sshd_server user.
As it turns out, all my problems were caused by the fact that the
sshd_server user being created by the ssh-host-config script was not
being given all the required privileges. I'm not sure why, but I found
an online description of the rights required by sshd_server and used the
"editrights" utility to grant them. I then deleted my ~/.ssh directory
(definitively to erase the known_hosts file), restarted sshd, and
everything began to work perfectly.
Unfortunately, I neglected to record which privileges had been granted
to the sshd_server user on my system before I started granting
additional ones, but as far as I remember sshd_server only had 2 or so
of the 8 privileges granted.
In case the information helps anyone else, here is a list of the
privileges that the sshd_server user appears to need:
SeIncreaseQuotaPrivilege
SeTcbPrivilege
SeAssignPrimaryTokenPrivilege
SeCreateTokenPrivilege
SeServiceLogonRight
SeDenyInteractiveLogonRight
SeDenyNetworkLogonRight
SeDenyRemoteInteractiveLogonRight
To determine which privileges sshd_server has on your system, use this
command:
editrights -u sshd_server -l
And here are the commands necessary to grant the above privileges to
sshd_server:
editrights -a SeTcbPrivilege -u sshd_server
editrights -a SeAssignPrimaryTokenPrivilege -u sshd_server
editrights -a SeCreateTokenPrivilege -u sshd_server
editrights -a SeDenyInteractiveLogonRight -u sshd_server
editrights -a SeDenyNetworkLogonRight -u sshd_server
editrights -a SeDenyRemoteInteractiveLogonRight -u sshd_server
editrights -a SeIncreaseQuotaPrivilege -u sshd_server
editrights -a SeServiceLogonRight -u sshd_server
-B
--
Unsubscribe info: http://cygwin.com/ml/#unsubscribe-simple
Problem reports: http://cygwin.com/problems.html
Documentation: http://cygwin.com/docs.html
FAQ: http://cygwin.com/faq/
- Raw text -