Mail Archives: cygwin/2008/04/09/08:10:30
On Apr 8 10:12, Corinna Vinschen wrote:
> On Apr 8 01:21, Charles Wilson wrote:
> > Well, I'm waiting for answers to the questions here:
> > http://cygwin.com/ml/cygwin/2008-04/msg00211.html
> > from Corinna and Yaakov, but in the meantime:
> >
> > Here's a version of ssh-user-config that works with CVS csih (what will
> > become 0.1.4 very soon).
>
> Cool, thanks!
>
> I'll have a look,
> Corinna
Looks ok, but I have a few questions/comments.
- When the script starts, the following text appears:
*** Info: You appear to be running Windows 2003 Server or later. On 2003 and
*** Info: later systems, it's not possible to use the LocalSystem account
*** Info: for services that can change the user id without an explicit password
*** Info: (such as passwordless logins [e.g. public key authentication] via sshd).
*** Info: If you want to enable that functionality, it's required to create a new
*** Info: account with special privileges (unless a similar account already exists).
*** Info: This account is then used to run these special servers.
*** Info: Note that creating a new user requires that the current account have
*** Info: Administrator privileges itself.
*** Info: The following privileged accounts were found: 'cyg_server' .
*** Info: This script plans to use 'cyg_server'.
*** Info: 'cyg_server' will not be able to log on interactively, but will only
*** Info: be used by registered services.
*** Query: Do you want to use different name? (yes/no) no
The query "Do you want to use different name?" is a bit upside down,
IMHO. The query should be rather phrased positively "Do you want to use
t name?"
However, I think the whole message is too noisy and confusing for
non-admins. The default user doesn't actually know which user name the
sshd service is running under. Additionally, given that Cygwin opens
files always with BACKUP_INTENT for a while anyway, and given that the
service account is a member of the administrators group, which has
backup user rights, there's not much reason anymore to add the service
account to the ACL. I fear that's just old cruft in the ssh-user-script.
But, here's a question: Shouldn't the csih_privileged_accounts() function
check the service itself, rather than testing possible names with `net
user'? It would be as simple as giving csih_privileged_accounts the
service name as $1 argument, and then extract the user name with something
along the lines of
# $1 is the service name; double quotes so the shell expands it in the key path
svc_user=$(regtool get "/HKLM/SYSTEM/CurrentControlSet/Services/$1/ObjectName")
svc_user="${svc_user/\.\\/$COMPUTERNAME}"
svc_user=$([ "$svc_user" = "LocalSystem" ] && echo "SYSTEM" || echo $(fgrep "${svc_user}" /etc/passwd | cut -d: -f 1))
Corinna
--
Corinna Vinschen Please, send mails regarding Cygwin to
Cygwin Project Co-Leader cygwin AT cygwin DOT com
Red Hat
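
The lookup proposed in the mail, as an added example that is not part of the original message and is not csih code: it maps a service's ObjectName value to a Cygwin user name and compares the whole account field, so one account name cannot match as a substring of another. The names resolve_service_user and sample_passwd, the host BUILDHOST, the sample entries, and the "U-MACHINE\user,SID" gecos layout are assumptions.

```shell
#!/bin/sh
# Added example, not csih code. Assumption: the passwd gecos field has the
# form "U-MACHINE\user,SID", as mkpasswd writes it.

# resolve_service_user OBJECTNAME MACHINE PASSWD_FILE
# Prints the Cygwin user name for a service's ObjectName value; returns
# non-zero if the value has an unexpected form or no passwd entry matches.
resolve_service_user() {
    obj=$1 machine=$2 passwd=$3
    case $obj in
        LocalSystem) echo SYSTEM; return 0 ;;
        .\\*) obj=${obj#.\\}; obj="$machine\\$obj" ;;  # ".\user": local account
        *\\*) ;;                                       # already "DOMAIN\user"
        *) return 1 ;;
    esac
    # Compare the whole account field, case-insensitively, so "cyg_server"
    # cannot match "cyg_server2". ENVIRON avoids awk -v escape processing
    # of the backslash.
    WANT="U-$obj" awk -F: '
        { split($5, g, ",") }
        tolower(g[1]) == tolower(ENVIRON["WANT"]) { print $1; found = 1; exit }
        END { exit !found }
    ' "$passwd"
}

# Constructed sample passwd entries (SIDs are made up).
sample_passwd() {
    cat <<'EOF'
SYSTEM:*:18:544:,S-1-5-18::
cyg_server2:unused:1005:513:U-BUILDHOST\cyg_server2,S-1-5-21-1-2-3-1005:/var/empty:/bin/false
cyg_server:unused:1004:513:U-BUILDHOST\cyg_server,S-1-5-21-1-2-3-1004:/var/empty:/bin/false
EOF
}

# On Cygwin the first argument would come from the regtool call in the mail:
#   regtool get "/HKLM/SYSTEM/CurrentControlSet/Services/$service/ObjectName"
demo_passwd=$(mktemp)
sample_passwd > "$demo_passwd"
resolve_service_user '.\cyg_server' BUILDHOST "$demo_passwd"   # cyg_server
resolve_service_user LocalSystem BUILDHOST "$demo_passwd"      # SYSTEM
rm -f "$demo_passwd"
```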