Mail Archives: cygwin/2019/03/14/05:48:04

Date: Thu, 14 Mar 2019 10:47:45 +0100
From: Corinna Vinschen <corinna-cygwin AT cygwin DOT com>
To: Bruce Halco <bruce AT halcomp DOT com>
Cc: cygwin AT cygwin DOT com
Subject: Re: seteuid problem with sshd
Message-ID: <20190314094745.GD3785@calimero.vinschen.de>

On Mar 13 22:20, Bruce Halco wrote:
> I had found nothing referencing "No such file or directory", which sounds
> rather different from a permissions problem.
>
> Running sshd under the Local System account made no difference.
>
> passwd -R was no help.
>
> What I did discover was that cygwin/sshd apparently now requires the Windows
> account to be Enabled. That was not the case previously.
>
> The target systems in my application are in restaurant offices, and only use
> a single Windows login.
>
> As the people who use ssh do not need local Windows accounts, I've always
> used the practice of Disabling those user accounts in Windows. The
> credentials were available to ssh, without the security issues of all those
> extra active accounts.
>
> Unless someone can suggest an alternative, I'll have to leave all those
> accounts Enabled. I can put some long, nasty passwords on them to keep the
> risk acceptable.

I'm sorry to say that, but there is no alternative.  This has been
discussed at great length on this mailing list, starting at

https://cygwin.com/ml/cygwin/2019-01/msg00197.html

For starters, I added a special check to disable logging in with a
disabled account.  However, the S4U logon method used by Cygwin now in
place of the old "Create user token from scratch" method(*) even checks
that automatically and does not allow disabled accounts to logon.

Same goes for the `passwd -R' method as well as for normal password logon
since they have been introduced, btw, given they use the same underlying
Windows function which actively checks for disabled accounts.

Last but not least, the fact that some logon methods allowed disabled
accounts to logon and some didn't wasn't really a good idea to begin
with.


Corinna

(*) https://cygwin.com/cygwin-ug-net/ntsec.html#ntsec-nopasswd1

-- 
Corinna Vinschen
Cygwin Maintainer

  Copyright © 2019   by DJ Delorie     Updated Jul 2019