Mail Archives: cygwin/2013/08/04/21:31:23

Mailing-List: contact cygwin-help AT cygwin DOT com; run by ezmlm
List-Id: <cygwin.cygwin.com>
List-Subscribe: <mailto:cygwin-subscribe AT cygwin DOT com>
List-Archive: <http://sourceware.org/ml/cygwin/>
List-Post: <mailto:cygwin AT cygwin DOT com>
List-Help: <mailto:cygwin-help AT cygwin DOT com>, <http://sourceware.org/ml/#faqs>
Sender: cygwin-owner AT cygwin DOT com
Mail-Followup-To: cygwin AT cygwin DOT com
Delivered-To: mailing list cygwin AT cygwin DOT com
Message-id: <51FF003C.4000807@cygwin.com>
Date: Sun, 04 Aug 2013 21:30:36 -0400
From: "Larry Hall (Cygwin)" <reply-to-list-only-lh AT cygwin DOT com>
Reply-to: cygwin AT cygwin DOT com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:17.0) Gecko/20130620 Thunderbird/17.0.7
MIME-version: 1.0
To: cygwin AT cygwin DOT com
Subject: Re: ssh login no longer allowed by local accounts other than main administrator account after taking machine off domain
References: <CABSJGg182WMvAT90f8X3GVcBkTKj7nGXmY8BAPTcgsqQLwGomQ AT mail DOT gmail DOT com>
In-reply-to: <CABSJGg182WMvAT90f8X3GVcBkTKj7nGXmY8BAPTcgsqQLwGomQ@mail.gmail.com>

On 8/2/2013 3:13 PM, Yuki Ishibashi wrote:
> Hi all,
>
> Recently I've been tasked with taking a Win7 machine that was running
> Cygwin and sshd off of my company's old Active Directory domain...
>
> Before taking the machine off the domain I created local accounts that
> were able to be ssh'd into (our other servers were able to SSH into
> the Win7 machine using ssh keys and the newly created local accounts),
> but once I took the machine off the domain only the newly created
> 'OpsAdmin' local administrator account is allowed to SSH in
> successfully.
>
> For the rest of the local accounts connection is accepted, and
> password security is accepted, Authentication succeeded, ssh sends
> 'Last login', then says:
> /bin/bash: Operation not permitted
> and closes the connection.

'bash' will report this when it runs into a permission problem while
running a script.  What this suggests to me is that your .bash_profile
and/or other login scripts aren't owned by the "new" owners that you
created as local accounts.

<snip>

> I've tried to re-run ssh-host-config and said 'yes' to all of the
> options (yes to privilege separation), it mentions the sshd service
> is already installed, and completes successfully. "net start sshd"
> then works correctly, with the behavior I described above.
>
> In the Windows Services side, CYGWIN sshd service seems to only start
> correctly if I login as the main local administrator account.

This is certainly troubling.  Presumably you were always starting 'sshd'
previously with a 'cyg-server' account that was created on the domain.
Starting it as a local administrator would not give you all the permissions
you need to switch user contexts for pubkey authentication, even if you
were only working with local users (which you have clearly stated you
were not).  I'd highly recommend that you review the permissions and
ownership settings that 'ssh-host-config' performs and make sure that
all the files and directories it sets up have only those permissions
and owners.  Anything else puts you in the "you better know what you're
doing" category.

> many of the files in the C:\cygwin\ folder on the Windows Explorer
> side of things have Everyone Read & execute permissions (plus main
> administrator account)  full permissions, and the 'None' group able to
> read and execute, Administrators group able to Read write & execute.
> On the / Cygwin console-side, I see a lot of ownership by the previous
> admin username and Domain Users group, some files with
> 'Administrators' owner, 'Domain Users' Group, and a few others with
> the local administrator owner, 'Administrators' group.

OK, so it sounds like you haven't changed the permissions and ownership
of at least the home directories that you're trying to access now with
the local accounts.  You need to do that otherwise 'bash' won't be able
to run the login scripts and, um,... permission will be denied. ;-)

<snip>

A couple of other notes:

   1. You're running Cygwin package version 1.7.16.  The current version
      is 1.7.22, so you're 6 versions out of date.

   2. Your cygcheck output suggests that the standalone OpenSSH package,
      which uses Cygwin, is installed.  It's best to remove it.

-- 
Larry

_____________________________________________________________________

A: Yes.
 > Q: Are you sure?
 >> A: Because it reverses the logical flow of conversation.
 >>> Q: Why is top posting annoying in email?

--
Problem reports:       http://cygwin.com/problems.html
FAQ:                   http://cygwin.com/faq/
Documentation:         http://cygwin.com/docs.html
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple
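The two checks Larry points at above (whether the login scripts in the home directory are owned by the new local account, and whether the pubkey files for that account are laid out the way sshd expects) can be scripted. The following is an added example written for this archive page; it is not code from the thread, from Larry, or from the Cygwin project. It assumes bash and GNU stat(1) as shipped in Cygwin's coreutils, that the local account name and home directory are passed in as arguments, and that "fix" is only used from a shell running with enough rights to chown other users' files.

```bash
#!/bin/bash
# Added example (not from the original thread or the Cygwin project).
# Audits one Cygwin home directory after a domain -> local account move:
#   1. every file under the home dir should be owned by the local account;
#      a login script owned by the old domain user is one way bash ends up
#      failing before the shell ever starts;
#   2. ~/.ssh and ~/.ssh/authorized_keys use the conventional 700/600 modes,
#      which satisfy sshd's StrictModes rule (owned by the user, not
#      group/world writable) for pubkey logins.
# Assumes bash and GNU stat(1) (Cygwin's coreutils provides it).
# Usage: audit_home_owner <local-user> <home-dir> [fix]
#        check_ssh_modes  <home-dir>
set -u

# Prints "path<TAB>owner=X<TAB>expected=Y" for every path whose owner is not
# <local-user>; with "fix" as the third argument it also chowns each one.
# Returns 0 when every path is owned by <local-user>, 1 otherwise, 2 if the
# directory does not exist.
audit_home_owner() {
    local want="$1" home="$2" fix="${3:-}"
    local bad=0 path owner
    [ -d "$home" ] || { echo "no such directory: $home" >&2; return 2; }
    # NUL-delimited walk so names with spaces or newlines are handled.
    while IFS= read -r -d '' path; do
        owner=$(stat -c %U -- "$path")
        if [ "$owner" != "$want" ]; then
            printf '%s\towner=%s\texpected=%s\n' "$path" "$owner" "$want"
            bad=$((bad + 1))
            if [ "$fix" = fix ]; then
                chown -- "$want" "$path"
            fi
        fi
    done < <(find "$home" -print0)
    [ "$bad" -eq 0 ]
}

# Flags ~/.ssh that is not 700 or authorized_keys that is not 600.  This is
# stricter than sshd's own StrictModes test (which only rejects paths that
# are group/world writable or owned by someone else), but it is the usual
# layout and the one that never trips StrictModes.  Returns 0 when both
# look right; missing files are simply skipped.
check_ssh_modes() {
    local home="$1" bad=0 mode
    if [ -d "$home/.ssh" ]; then
        mode=$(stat -c %a -- "$home/.ssh")
        [ "$mode" = 700 ] || { echo "$home/.ssh: mode $mode, expected 700"; bad=1; }
    fi
    if [ -f "$home/.ssh/authorized_keys" ]; then
        mode=$(stat -c %a -- "$home/.ssh/authorized_keys")
        [ "$mode" = 600 ] || { echo "$home/.ssh/authorized_keys: mode $mode, expected 600"; bad=1; }
    fi
    return "$bad"
}
```

Run it once per migrated account, e.g. `audit_home_owner OpsUser /home/OpsUser` from a Cygwin shell, read the list, then rerun with `fix` to chown the mismatches; `check_ssh_modes /home/OpsUser` afterwards tells you whether a pubkey login would still be refused by StrictModes. The script deliberately only touches the home directory: the files ssh-host-config creates (host keys, /var/empty, the service account's own files) are better reset by rerunning ssh-host-config than by hand-chowning, as Larry suggests.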
