Mail Archives: cygwin/2008/12/16/08:05:54

X-Recipient: archive-cygwin AT delorie DOT com
X-Spam-Check-By: sourceware.org
Date: Tue, 16 Dec 2008 11:18:06 +0100
From: Corinna Vinschen <corinna-cygwin AT cygwin DOT com>
To: cygwin AT cygwin DOT com
Subject: Re: ssh-host-setup is adding user to Deny Terminal Services login
Message-ID: <20081216101806.GC15438@calimero.vinschen.de>
Reply-To: cygwin AT cygwin DOT com
Mail-Followup-To: cygwin AT cygwin DOT com
References: <914651 DOT 63291 DOT qm AT web25501 DOT mail DOT ukl DOT yahoo DOT com>
MIME-Version: 1.0
In-Reply-To: <914651.63291.qm@web25501.mail.ukl.yahoo.com>
User-Agent: Mutt/1.5.16 (2007-06-09)
Mailing-List: contact cygwin-help AT cygwin DOT com; run by ezmlm
List-Id: <cygwin.cygwin.com>
List-Unsubscribe: <mailto:cygwin-unsubscribe-archive-cygwin=delorie DOT com AT cygwin DOT com>
List-Subscribe: <mailto:cygwin-subscribe AT cygwin DOT com>
List-Archive: <http://sourceware.org/ml/cygwin/>
List-Post: <mailto:cygwin AT cygwin DOT com>
List-Help: <mailto:cygwin-help AT cygwin DOT com>, <http://sourceware.org/ml/#faqs>
Sender: cygwin-owner AT cygwin DOT com
Mail-Followup-To: cygwin AT cygwin DOT com
Delivered-To: mailing list cygwin AT cygwin DOT com

On Dec 16 10:00, Paul Keeble wrote:
> > The script denies access to the user running the service, not the user
> > running ssh-host-config.  Hopefully you don't use the service starter
> > account for normal logon purposes.
> 
> Alas I don't know of any other way to get what I need done. In order
> to support an automated system login we use an SSH key based login
> rather than passwords. This unfortunately means that there is no
> "real" login, the user does not have access to the network drives and
> that is kind of essential for what we are doing. The only workaround I
> have found is to have privilege separation off and have the sshd
> service be the same user as the login. That way the privileges are
> passed to the logged in shell and it works. The only time the password
> is necessary is when the install is done or the password is changed.
> The remaining problem is terminal services being disabled, which
> although undoable is a bit of a pain to do across hundreds of
> machines.

This is a non-default scenario which isn't supported by ssh-host-config.

> If there is another way to get key based logins and network access
> (real logins) working then that would be great to know about.

Not in Cygwin 1.5.x.  In Cygwin 1.7, yes.
See http://cygwin.com/1.7/cygwin-ug-net/ntsec.html#ntsec-setuid-overview

> Otherwise a way to workaround to stop ssh-host-config from disabling
> terminal services for that user would also be useful.

Just remove the offending line from the csih helper script
/usr/share/csih/cygwin-service-installation-helper.sh

  editrights -a SeDenyRemoteInteractiveLogonRight -u ${username} &&

Maybe we should remove this in the distro as well, but we're trying to
make it safe.  Using this account is quite dangerous, as you should
know.  It has been given very serious privileges by the ssh-host-config
script.  In your scenario, where you run sshd using the same account
which you're logging in to, you should install the service manually
without ssh-host-config.  Otherwise your logon account is practically
almighty.


Corinna

-- 
Corinna Vinschen                  Please, send mails regarding Cygwin to
Cygwin Project Co-Leader          cygwin AT cygwin DOT com
Red Hat

--
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple
Problem reports:       http://cygwin.com/problems.html
Documentation:         http://cygwin.com/docs.html
FAQ:                   http://cygwin.com/faq/
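Removing the `editrights -a SeDenyRemoteInteractiveLogonRight` line from csih only changes future installs; hosts already configured by ssh-host-config still carry the deny right. The script below, an added example that is not part of Corinna's mail, of csih, or of the ssh-host-config script, undoes it idempotently on an already configured host and, in the spirit of the warning at the end of the mail, prints which token-creating privileges the account holds. It assumes the Cygwin `editrights` utility is on PATH, that `editrights -l -u USER` prints one right per line, that `editrights -r RIGHT -u USER` removes a right, and that csih grants SeTcbPrivilege, SeCreateTokenPrivilege and SeAssignPrimaryTokenPrivilege to the service account (the exact set depends on the csih version). The `SAMPLE_RIGHTS` listing is constructed, not captured from a real machine.

```shell
#!/bin/sh
# Added example, not code from the mail above or from csih/ssh-host-config.
# Assumptions: the Cygwin 'editrights' tool is on PATH and accepts
#   editrights -l -u USER          (list the user's rights, one per line)
#   editrights -r RIGHT -u USER    (remove RIGHT from USER)
# Run from a Cygwin shell with administrative rights.

DENY_RIGHT=SeDenyRemoteInteractiveLogonRight

# Privileges that let their holder create or impersonate tokens for other
# users, i.e. the ones that make the account "practically almighty".
# Assumption: csih grants these to the sshd service account.
POWERFUL_RIGHTS="SeTcbPrivilege SeCreateTokenPrivilege SeAssignPrimaryTokenPrivilege"

# Constructed sample of what 'editrights -l -u cyg_server' might print on a
# host configured by ssh-host-config (not captured from a real machine).
SAMPLE_RIGHTS='SeServiceLogonRight
SeTcbPrivilege
SeCreateTokenPrivilege
SeAssignPrimaryTokenPrivilege
SeDenyRemoteInteractiveLogonRight'

# right_listed RIGHT: read a rights listing on stdin; succeed if RIGHT is
# present as a whole line (so SeDenyInteractiveLogonRight does not match
# SeDenyRemoteInteractiveLogonRight).
right_listed() {
    grep -qx -- "$1"
}

# powerful_rights_held: read a rights listing on stdin and print the subset
# of POWERFUL_RIGHTS that appears in it, space separated, on one line.
powerful_rights_held() {
    listing=$(cat)
    held=""
    for r in $POWERFUL_RIGHTS; do
        if printf '%s\n' "$listing" | right_listed "$r"; then
            held="${held:+$held }$r"
        fi
    done
    printf '%s\n' "$held"
}

# list_rights USER: live query of the local security policy.
list_rights() {
    editrights -l -u "$1"
}

# undo_deny_rdp USER: remove the Terminal Services deny right only if it is
# actually set, so the script can be pushed to every machine unconditionally.
undo_deny_rdp() {
    user=$1
    if list_rights "$user" | right_listed "$DENY_RIGHT"; then
        editrights -r "$DENY_RIGHT" -u "$user" &&
            echo "$user: removed $DENY_RIGHT"
    else
        echo "$user: $DENY_RIGHT not set, nothing to do"
    fi
}

# warn_if_powerful USER: print the privileges that make interactive use of
# this account dangerous; returns 1 if any are held.
warn_if_powerful() {
    user=$1
    held=$(list_rights "$user" | powerful_rights_held)
    if [ -n "$held" ]; then
        echo "$user: WARNING, account holds $held; do not use it for normal logons" >&2
        return 1
    fi
    echo "$user: no token-creating privileges held"
}

# Usage: sh fix-deny-rdp.sh ACCOUNT   (no arguments: define functions only)
if [ $# -eq 1 ]; then
    undo_deny_rdp "$1"
    warn_if_powerful "$1"
fi
```

Run it as `sh fix-deny-rdp.sh cyg_server` (or whatever account runs sshd) from an elevated Cygwin shell on each host; the check before `editrights -r` makes it safe to repeat. The warning from `warn_if_powerful` is the point Corinna makes: if the same account is used both for the service and for the key-based logins, the logged-in user holds those privileges too, which is why she recommends installing the service by hand rather than with ssh-host-config in that scenario.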
