Mail Archives: cygwin/2010/06/25/22:33:41
Hello,
I just joined the list because I am having the same or similar problems that Andrew DeFaria reported on 6/2:
http://www.mail-archive.com/cygwin AT cygwin DOT com/msg109042.html
I've read some other posts in the archive that suggest this might be a 1.7.x specific issue, but I also found the following post from 2008, with cygwin 1.5.25:
http://www.mail-archive.com/cygwin AT cygwin DOT com/msg89149.html
In my case, I've been able to work around this issue by running sshd as LocalSystem and storing the user password in the LSA private registry area ('option 3' from http://cygwin.com/cygwin-ug-net/ntsec.html#ntsec-setuid-overview). I was never able to get PKI working for all use cases using an nt service running as a privileged user (local or domain). See below.
Some background of what I've tried:
After running ssh-host-config (letting it create a privileged user to run sshd), making a /etc/passwd entry for a domain user and copying public keys into its authorized_keys file, I was able to log in using public key auth, but ONLY if I used ssh for an interactive login. If I tried to ssh <command> or scp instead, I always got some form of the following error:
4 [main] sshd 4404 C:\cygwin\usr\sbin\sshd.exe: *** fatal error - could not load user32, Win32 error 1114
This happened with any non-interactive login from Linux -> 2003, Linux -> 2003R2, Linux -> 2000, 2003 -> 2003R2 and 2000 -> 2003R2. All the windows hosts are 32bit and are joined to a single domain. I believe this is the same problem Andrew reported with his 'seacase' machine in his post on 6/2.
I tried making my user an administrator on the machine, using a local user to log in instead of a domain user, using a domain cyg_server privilege account instead of a local one, etc. based on what I've seen suggested in the archives. In all cases, I get the above error when using pki for ssh <command> or scp.
HOWEVER, when I started a cygwin shell as the cyg_server user and ran sshd in the foreground from the shell, I was able to ssh, ssh <command> and scp using pki without error, using both the domain and the local cyg_server accounts. So at least in my case with my testing I was only seeing the above error when running sshd as a service using these accounts.
As mentioned at the top of my mail, at this point I think I am going to run sshd as LocalSystem and use cygserver/stored passwords for this project.
Questions:
1. Is there any reason why sshd run as a service via cygrunsrv as a privileged user would behave any differently than sshd run in a shell as that same user?
2. Based on the setuid overview it looks like running sshd as LocalSystem with cygserver and stored passwords should be identical to running sshd as a privileged domain account for the purposes of both PKI and privilege separation. Is this correct?
3. In my case, the ssh users are all being used for automated processes and do not have high privileges on the domain. Are there any big problems with using cygserver and stored passwords vs. using a privileged domain account in this situation? Stored passwords seem like a much safer option. Am I being naive here?
Thanks,
-Will
--
Will Saxon
Sage Software Healthcare
William DOT Saxon AT sage DOT com
www.sagehealth.com