Mail Archives: cygwin/2010/01/24/19:44:17
On 01/08/2010 06:59 AM, Corinna Vinschen wrote:
> I can't reproduce this one, but I can reproduce the other problem
> with pubkey authentication reported in this thread:
...

I appreciate the time you took to explain this problem. I've been
working on it for a while, and still can't get it right.

> If you're running in a domain, then the account running the sshd service
> must be a member of the domain as well. Instead of creating a local
> cyg_server account, you must create a domain account called cyg_server
> with the specific rights required to create a user token, add it to the
> /etc/passwd file of the machine on which you want to install sshd, and
> *then* run ssh-host-config on that machine.

I've created a "cyg_server" account on my domain controller and added it
to the password file using:

    mkpasswd -d -u cyg_server >> /etc/passwd

First I tried granting the required permissions manually in the domain
policy. When that didn't work, I used "editrights" as in
cygwin-service-installation-helper.sh to set the rights in the local
policy. As far as I can tell, I get identical results.
Rights during my most recent test were:

    $ editrights.exe -l -u cyg_server
    SeAssignPrimaryTokenPrivilege
    SeCreateTokenPrivilege
    SeTcbPrivilege
    SeServiceLogonRight
    SeDenyRemoteInteractiveLogonRight

> If you did that, the ssh-host-config script will note that such an
> account exists in /etc/passwd and will offer to use that account for the
> sshd service.

Hopefully I did something as simple as adding the account to the
password file incorrectly. When I run ssh-host-config, I get the
following warning:

    *** Warning: cyg_server is in /etc/passwd, but the local
    *** Warning: machine's SAM does not know about cyg_server.
    *** Warning: Perhaps cyg_server is a pre-existing domain account.
    *** Warning: Continuing, but check if this is ok.

Regardless, I can use the account and sshd will run. When I log in with
a password, I get a shell, but I see this warning:

    1 [main] sshd 2724 spawn_guts: CreateWindowStation failed, Win32 error 5

If I log in with a key, the server just drops the connection. The
(Linux) client reports:

    Connection closed by 192.168.99.6

The server's event log indicates:

    The description for Event ID ( 0 ) in Source ( sshd ) cannot be found.
    The local computer may not have the necessary registry information or
    message DLL files to display messages from a remote computer. You may be
    able to use the /AUXSOURCE= flag to retrieve this description; see Help
    and Support for details. The following information is part of the event:
    sshd: PID 6632: fatal: seteuid 11287: Permission denied.

The event viewer indicates that the user is DOMAIN\cyg_server, which is
the same username that appears in the Local Security Settings admin tool.
Does anyone have any specific advice for using a domain member account
(DOMAIN\cyg_server) to run sshd? Without that, it seems I can't run
Cygwin 1.7's sshd with key authentication.