Mail Archives: cygwin/2016/01/29/11:43:22

To: cygwin AT cygwin DOT com
From: "Robert Jacobson" <q7zfcru02 AT sneakemail DOT com>
Subject: sshd: testing whether login was via public key or password?
Message-ID: <31708-1454085768-838778@sneakemail.com>
Date: Fri, 29 Jan 2016 11:42:47 -0500

Hi,

Short version:  "schtasks /change" fails because I used SSH public key
auth.  I'd like to add error checking to a script I run, so that it exits
if the user doesn't have the right session token (password), and "fix"
SSH public key login so I get the right privileges.  How best to do that?

I've read the following but I'm not sure I understand it enough to pick
the "best" method:
https://cygwin.com/cygwin-ug-net/ntsec.html

The full issue:

I'm attempting to remotely change passwords for some Windows scheduled
tasks.  After logging in (via SSH public key) I could change the
passwords for tasks for different (non-admin) accounts, but not my own
admin account.

# After logging in with SSH pub key:
$ id -G | grep -qE '\<(544|0)\>' && echo admin || echo user
admin
$ whoami
Administrator
$ schtasks /query /TN "\backup_web_users" /v /fo list | grep 'Run As'
Run As User:                          Administrator
$ schtasks /change /RP newpassword /TN "\backup_web_users"
ERROR: Logon failure: unknown user name or bad password.
### Note:   if one tries to do above cmd repeatedly, you might lock
###      your account after too many login attempts

# But for a regular user account, it worked OK:
$ schtasks /query /TN "\Cleanup Old" /v /fo list | grep 'Run As'
Run As User:                          HOSTNAME\nonadminuser
$ schtasks /change /RP newpassword /TN "\Cleanup Old"
SUCCESS: The parameters of scheduled task "\Cleanup Old" have been changed.


I figured out the above "Logon failure" was due to logging in via SSH
public key, reference:
https://cygwin.com/ml/cygwin/2004-09/msg00087.html

As noted in the reference above, if I login via SSH using my password, I
can successfully change the scheduled task password for Administrator
tasks.  Similarly, it works if I save my password using "passwd -R".

We would like to continue to require public key auth because it is more
secure (our public keys are from smartcards, so it's effectively
two-factor authentication).

I've already confirmed that storing the password with "passwd -R" works.
I have not tried using cyglsa-config -- would that help?  My
understanding is that local access would work but access to network
resources would not.  I would think scheduled tasks are local so it
should work but did not want to modify my system yet without some
feedback from cygwin experts :)

Also, is there another way I might obtain the proper privs/session
token, WITHOUT storing the password permanently?  I noticed that running
"passwd -R" doesn't help with the CURRENT ssh session; i.e. I would have
to logout and login again.

Finally, the obvious way of checking if the proper privileges are
present is simply trying the "schtasks" command and seeing if it fails
by checking the exit status.  I'm just wondering (for academic reasons)
if there's a better way.  Perhaps there is some "view my current session
token" command?

If it matters:
$ uname -a
CYGWIN_NT-6.1-WOW nissan 2.2.1(0.289/5/3) 2015-08-20 11:40 i686 Cygwin

The OS is Server 2008 R2 64-bit.


--
Problem reports:       http://cygwin.com/problems.html
FAQ:                   http://cygwin.com/faq/
Documentation:         http://cygwin.com/docs.html
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple
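One way to build the error checking the post asks for, written as an added example that is not code from the original message or from the Cygwin project. It keeps the post's own "id -G" Administrators-group pre-check and matches the SUCCESS/ERROR lines quoted in the post; the function names, the TASK_NEWPW variable and the sample outputs in the comments are assumptions for illustration.

```shell
# Added example (not from the original post): a guarded wrapper around
# "schtasks /change /RP" for a Cygwin SSH session. The goal is to exit on
# the first "Logon failure" instead of retrying, because repeated failed
# logons can lock the account, as the post warns.

# Decide what one schtasks attempt told us from its exit status ($1) and
# captured output ($2).
# Returns 0 = task changed, 2 = logon failure (this session's token carries
# no password credentials, e.g. public-key login without "passwd -R"),
# 1 = any other error.
classify_schtasks_result() {
    status="$1"
    output="$2"
    if [ "$status" -eq 0 ] && printf '%s\n' "$output" | grep -q '^SUCCESS:'; then
        return 0
    fi
    if printf '%s\n' "$output" | grep -qi 'logon failure'; then
        return 2
    fi
    return 1
}

# Group-membership pre-check from the post: Administrators is RID 544.
# Takes the output of "id -G" as its argument so it can be tested offline.
# The post shows this passing while schtasks still failed: group membership
# says nothing about whether the token was built from a password, so this
# only rules out non-admin callers early.
is_admin_groups() {
    for g in $1; do
        if [ "$g" = 544 ] || [ "$g" = 0 ]; then
            return 0
        fi
    done
    return 1
}

# Exactly one schtasks attempt, never a retry loop. The new password comes
# from the TASK_NEWPW environment variable (assumed convention) rather than
# being hard-coded in the script.
change_task_password() {
    task="$1"
    status=0
    out=$(schtasks /change /RP "$TASK_NEWPW" /TN "$task" 2>&1) || status=$?
    rc=0
    classify_schtasks_result "$status" "$out" || rc=$?
    case "$rc" in
        0) echo "changed: $task" ;;
        2) echo "logon failure on $task: this session's token has no password credentials (public-key login?). Log in with a password or run 'passwd -R' and start a new SSH session. Not retrying." >&2 ;;
        *) echo "schtasks failed on $task: $out" >&2 ;;
    esac
    return "$rc"
}

# Usage (assumed):
#   is_admin_groups "$(id -G)" || { echo "not in Administrators" >&2; exit 1; }
#   TASK_NEWPW='...' change_task_password '\backup_web_users'
```

The pre-check only catches callers who are not administrators at all; the single guarded attempt is the real test of whether the session token was built from a password. Because a logon failure returns 2 and the wrapper never loops, a script driving many tasks can stop at the first one without risking the lockout the post mentions.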
