Mail Archives: cygwin/2010/07/22/17:28:54
Thank you Chris for your reply.
>From: "Hunter, Bryan"
>The SSHD service is successfully running under the local cyg_server
>userid set up by ssh-host-config. Public key authentication is working.
>It is running on a Windows 2003 Server with Domain Security Policies
>being pushed down from the Domain server. Using the windows GUI, access
>to change the local security settings is greyed out. After replication
>or some time passing, the cyg_server settings disappear from the local
>security settings. If running, the sshd service continues to work. If
>there is a need to restart the service, then the following procedure
>works:
>1 Stop the service
>2 Delete the service
>3 Delete the cyg_server userid
Both Local user and /etc/passwd
>4 Rerun ssh-host-config
>5 Restart the service
>I am trying to set up access to the entire domain, and to that end tried
>creating a domain userid with various policies to run the service. When
>this userid propagates, it does not appear to propagate the "Create a
>token object" policy. When I run ssh-host-config and specify the new
>userid, I get a message that the userid has insufficient permissions.
>Indeed, it does not work. I am not sure which way to look at this, but
>can anyone provide some direction? Here are some points as I see them.
>1 The ssh-host-config program doesn't say what permissions are
>inadequate. Is there a specific list of what is needed?
>2 Is there a way to force ssh-host-config to create the permissions?
>It seems that it will only create permissions when creating a fresh new
>setup.
>3 If the local security policies are indeed being overwritten and
>the create token object doesn't propagate, then it looks like some
>additional process is needed to recreate the privileges?
>Is there a different way of going about this? Would it make any sense
>to install SSH on the domain controller itself?
>Any guidance in this matter would be appreciated.
>Best Regards,
>Bryan Hunter
>>From: Christoph Herdeg
>>Hi Bryan,
>>The local security policy is overwritten in all aspects that are configured
>>in the Default Domain Policy or any other GPOs that are used against the
>>same Active Directory objects (Forests, Sites, Domains, OUs).
>>You need to create the cyg_server account within Active Directory Users &
>>Computers and set up Default Domain Policy to push the correct permissions
>>to that user. You may need to put the account in a security group having
>>administrative permissions on the local Domain Member machines.
I am not sure what you mean by pushing the permissions to the user. The
user has been given the following policies on the domain controller.
These were seen for a while on the file server except for Create a token
object which was never seen. The user is also an administrator on the
local machine.
Create a token object
Log on as a service
Replace a process level token
>>You need to set up /etc/passwd and /etc/groups on the local Domain Member
>>machines to include the users and groups from your Domain (mkpasswd and
>>mkgroup used with the according parameters).
>>You need to call ssh-host-config, e.g. like that: "ssh-host-config -y -c
>>"tty ntsec" -u "Domain\cyg_server" --privileged".
Here are the results.
administrator@detfs01 ~
$ ssh-host-config -y -c "tty ntsec" -u "TRADE\sshd_server_domain" --privileged
*** Query: Overwrite existing /etc/ssh_config file? (yes/no) yes
*** Info: Creating default /etc/ssh_config file
*** Query: Overwrite existing /etc/sshd_config file? (yes/no) yes
*** Info: Creating default /etc/sshd_config file
*** Info: Privilege separation is set to yes by default since OpenSSH 3.3.
*** Info: However, this requires a non-privileged account called 'sshd'.
*** Info: For more info on privilege separation read /usr/share/doc/openssh/README.privsep.
*** Query: Should privilege separation be used? (yes/no) yes
*** Info: Updating /etc/sshd_config file
*** Warning: The following functions require administrator privileges!
*** Query: Do you want to install sshd as a service?
*** Query: (Say "no" if it is already installed as a service) (yes/no) yes
*** Query: Enter the value of CYGWIN for the daemon: [tty ntsec] tty ntsec
*** Info: On Windows Server 2003, Windows Vista, and above, the
*** Info: SYSTEM account cannot setuid to other users -- a capability
*** Info: sshd requires. You need to have or to create a privileged
*** Info: account. This script will help you do so.
*** Info: You appear to be running Windows 2003 Server or later. On 2003
*** Info: and later systems, it's not possible to use the LocalSystem
*** Info: account for services that can change the user id without an
*** Info: explicit password (such as passwordless logins [e.g. public key
*** Info: authentication] via sshd).
*** Info: If you want to enable that functionality, it's required to create
*** Info: a new account with special privileges (unless a similar account
*** Info: already exists). This account is then used to run these special
*** Info: servers.
*** Info: Note that creating a new user requires that the current account
*** Info: have Administrator privileges itself.
*** Info: This script plans to use 'TRADE\sshd_server_domain'.
*** Info: 'TRADE\sshd_server_domain' will only be used by registered services.
*** Query: Create new privileged user account 'TRADE\sshd_server_domain'? (yes/no) yes
*** Info: Please enter a password for new user TRADE\sshd_server_domain. Please be sure
*** Info: that this password matches the password rules given on your system.
*** Info: Entering no password will exit the configuration.
*** Query: Please enter the password:
*** Query: Reenter:
*** Warning: Creating the user 'TRADE\sshd_server_domain' failed! Reason:
The syntax of this command is:
NET USER
[username [password | *] [options]] [/DOMAIN]
username {password | *} /ADD [options] [/DOMAIN]
username [/DELETE] [/DOMAIN]
*** Info: Please enter a password for new user TRADE\sshd_server_domain. Please be sure
*** Info: that this password matches the password rules given on your system.
*** Info: Entering no password will exit the configuration.
*** Query: Please enter the password:
*** Query: Please enter the password:
*** Query: Please enter the password:
*** Query: Please enter the password:
*** Query: Please enter the password:
There are at least 2 issues here: 1) the syntax failure, and 2) the
program fails to exit when entering no password.
>>SSHD should work that way...
>>Best Regards, Chris
I looked into the ssh-host-config program which is a Red Hat bash script
and found the unusual arrangement whereby it runs differently when used
interactively. Specifically, if specifying all yes or no answers, the
script sets a force mode option apparently used by the CSIH routines
which is not available when running interactively. Therefore I tried
the following command to see if it would rebuild the
permissions/policies for the local user cyg_server once they had been
wiped out by the domain policies.
ssh-host-config -y -c "tty ntsec" -u "cyg_server" --privileged
Unfortunately, it still did not rebuild a working environment - public
key access fails.
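The thread turns on whether the service account still holds the three user rights ssh-host-config relies on ("Create a token object", "Log on as a service", "Replace a process level token") after a domain GPO refresh has rewritten the local policy. The following PowerShell check is an added example, not part of the thread or of Cygwin's own scripts: it exports the effective local policy with secedit and reports which of those rights the account is missing. It assumes an elevated shell on the domain member and uses a placeholder account name.

```powershell
# Added example: verify that a service account still holds the user rights
# ssh-host-config --privileged expects, after Group Policy has been applied.
# Run elevated on the domain member. $Account is a placeholder.
$Account = 'TRADE\sshd_server_domain'

# Display name in the Local Security Policy GUI -> constant used by secedit
$Required = @{
    'Create a token object'         = 'SeCreateTokenPrivilege'
    'Log on as a service'           = 'SeServiceLogonRight'
    'Replace a process level token' = 'SeAssignPrimaryTokenPrivilege'
}

# secedit lists principals as *S-1-5-..., so resolve the account to its SID
$ntAccount = New-Object System.Security.Principal.NTAccount($Account)
$sid = $ntAccount.Translate([System.Security.Principal.SecurityIdentifier]).Value

# Export the effective policy (this reflects any GPO override of local settings)
$inf = Join-Path $env:TEMP 'secpol-user-rights.inf'
secedit /export /cfg $inf /areas USER_RIGHTS | Out-Null
$rights = Get-Content $inf
Remove-Item $inf -ErrorAction SilentlyContinue

$missing = foreach ($name in $Required.Keys) {
    $const = $Required[$name]
    # Example line: SeServiceLogonRight = *S-1-5-20,*S-1-5-21-...-1105
    $line = $rights | Where-Object { $_ -match "^$const\s*=" }
    $hasSid  = $line -and ($line -match [regex]::Escape("*$sid"))
    $hasName = $line -and ($line -match [regex]::Escape($Account))
    if (-not ($hasSid -or $hasName)) { $name }
}

if ($missing) {
    Write-Warning "$Account is missing: $($missing -join ', ')"
    Write-Host 'Assign these in the Default Domain Policy (Computer Configuration > Windows Settings >'
    Write-Host 'Security Settings > Local Policies > User Rights Assignment); local edits are overwritten by the GPO.'
} else {
    Write-Host "$Account holds all user rights required by ssh-host-config --privileged"
}
```

Running it once before and once after `gpupdate /force` shows directly whether the domain policy is the layer stripping "Create a token object".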