delorie.com/archives/browse.cgi   search  
Mail Archives: cygwin/2012/05/28/22:46:03

X-Recipient: archive-cygwin AT delorie DOT com
X-SWARE-Spam-Status: No, hits=-4.0 required=5.0 tests=AWL,BAYES_00,DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,FREEMAIL_FROM,KHOP_RCVD_TRUST,KHOP_THREADED,RCVD_IN_DNSWL_LOW,RCVD_IN_HOSTKARMA_YE
X-Spam-Check-By: sourceware.org
MIME-Version: 1.0
In-Reply-To: <CAKXb5pJjCBvbj1ZfU8WiEohz2QqW+edUi1Dz6anhELTk2wuZ_g@mail.gmail.com>
References: <CAKXb5pJZX7kaz12C1E-GEk7ws7oc2xAxQmr8EaND3KZ3_GzCmg AT mail DOT gmail DOT com> <CAKXb5pJjCBvbj1ZfU8WiEohz2QqW+edUi1Dz6anhELTk2wuZ_g AT mail DOT gmail DOT com>
Date: Tue, 29 May 2012 12:41:23 +1000
Message-ID: <CAKXb5p+ETsym1MtM3Ev964XN3aTLNMabSfPkSj0KEHE53GGZeg@mail.gmail.com>
Subject: Re: Seteuid "operation not permitted" error when using LSA for sshd
From: Mark Pattie <markpattie AT gmail DOT com>
To: cygwin AT cygwin DOT com
X-IsSubscribed: yes
Mailing-List: contact cygwin-help AT cygwin DOT com; run by ezmlm
List-Id: <cygwin.cygwin.com>
List-Unsubscribe: <mailto:cygwin-unsubscribe-archive-cygwin=delorie DOT com AT cygwin DOT com>
List-Subscribe: <mailto:cygwin-subscribe AT cygwin DOT com>
List-Archive: <http://sourceware.org/ml/cygwin/>
List-Post: <mailto:cygwin AT cygwin DOT com>
List-Help: <mailto:cygwin-help AT cygwin DOT com>, <http://sourceware.org/ml/#faqs>
Sender: cygwin-owner AT cygwin DOT com
Mail-Followup-To: cygwin AT cygwin DOT com
Delivered-To: mailing list cygwin AT cygwin DOT com
X-MIME-Autoconverted: from quoted-printable to 8bit by delorie.com id q4T2fn42003517 

I have now removed Cygwin completely from the server and reinstalled.
I am using the default service account that Cygwin creates for sshd
(cyg_server), removed the "create a token object" permission for this
account and configured the LSA package but have the same problem. Any
advice on troubleshooting this issue further or any insight would be
great.

Thanks,
Mark

On Mon, May 28, 2012 at 10:10 AM, Mark Pattie <markpattie AT gmail DOT com> wrote:
> Thanks for responding so quickly.
>
> In the security log I can see it has been assigned the privilege
> SeTcbPrivilege. Security log entry:
>
> Special privileges assigned to new logon.
>
> Subject:
>        Security ID:            BUILDSERVER\cygwin_sshd
>        Account Name:           cygwin_sshd
>        Account Domain:         BUILDSERVER
>        Logon ID:               0x12c1c4
>
> Privileges:             SeAssignPrimaryTokenPrivilege
>                        SeTcbPrivilege
>                        SeSecurityPrivilege
>                        SeTakeOwnershipPrivilege
>                        SeLoadDriverPrivilege
>                        SeBackupPrivilege
>                        SeRestorePrivilege
>                        SeDebugPrivilege
>                        SeSystemEnvironmentPrivilege
>                        SeImpersonatePrivilege
>
> In User Rights Assignment it has the following privileges:
>
> Act as part of the operating system
> Adjust memory quotas for a process
> Logon as a service
> Replace a process level token
>
> Thanks,
> Mark
>
>
>>Does the account have TCB rights?  That's required to run LSA auth.
>>Same for method 3, btw.
>>
>>
>>Corinna
>>
>>--
>>Corinna Vinschen                  Please, send mails regarding Cygwin to
>>Cygwin Project Co-Leader          cygwin AT cygwin DOT com
>>Red Hat
>>
>>On Fri, May 25, 2012 at 10:15 AM, Mark Pattie <markpattie AT gmail DOT com> wrote:
>> Hi all,
>>
>> I have installed Cygwin and am running sshd successfully. The
>> permission required for the sshd service account "create a token
>> object" is not permitted to be granted to any accounts in my
>> organization. As such I have decided to use LSA based on Method 2 on
>> the following page: http://cygwin.com/cygwin-ug-net/ntsec.html.
>>
>> I had succesfully tested ssh authentication with a public/private
>> certificate pair prior to running /usr/bin/cyglsa-config to install
>> LSA. I ran the script, removed the "create a token object" permission
>> and rebooted the server. Now I cannot authenticate using the
>> public/private keys. I receive the following error in the Windows
>> event log:
>>
>> sshd: PID 2780: fatal: seteuid 1003: Operation not permitted
>>
>> When I add the permission back to the service account and restart sshd
>> the public/private key authentication works again
>>
>> Any help would be great
>>
>> Thanks,
>> Mark

--
Problem reports:       http://cygwin.com/problems.html
FAQ:                   http://cygwin.com/faq/
Documentation:         http://cygwin.com/docs.html
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple

- Raw text -


  webmaster     delorie software   privacy  
  Copyright © 2019   by DJ Delorie     Updated Jul 2019