List-Id: <cygwin.cygwin.com>
List-Archive: <http://sourceware.org/ml/cygwin/>
Subject: Re: seteuid problem with sshd
To: cygwin AT cygwin DOT com
References: <68371e6b-aee9-4e70-d079-098160f7bf61 AT halcomp DOT com> <1231848485 DOT 20190314025011 AT yandex DOT ru> <032d1268-15e7-f10d-bdd7-45effb6b6a2b AT halcomp DOT com> <20190314094745 DOT GD3785 AT calimero DOT vinschen DOT de>
From: Bruce Halco <bruce AT halcomp DOT com>
Message-ID: <8162640b-6613-af68-af7d-4ec23009edc8@halcomp.com>
Date: Thu, 14 Mar 2019 06:45:34 -0400

On 3/14/19 5:47 AM, Corinna Vinschen wrote:
> On Mar 13 22:20, Bruce Halco wrote:
>> I had found nothing referencing "No such file or directory", which sounds
>> rather different from a permissions problem.
>>
>> Running sshd under the Local System account made no difference.
>>
>> passwd -R was no help.
>>
>> What I did discover was that cygwin/sshd apparently now requires the Windows
>> account to be Enabled. That was not the case previously.
>>
>> The target systems in my application are in restaurant offices, and only use
>> a single Windows login.
>>
>> As the people who use ssh do not need local Windows accounts, I've always
>> used the practice of Disabling those user accounts in Windows. The
>> credentials were available to ssh, without the security issues of all those
>> extra active accounts.
>>
>> Unless someone can suggest an alternative, I'll have to leave all those
>> accounts Enabled. I can put some long, nasty passwords on them to keep the
>> risk acceptable.
> I'm sorry to say that, but there is no alternative. This has been
> discussed at great length on this mailing list, starting at
>
> https://cygwin.com/ml/cygwin/2019-01/msg00197.html
>
> For starters, I added a special check to disable logging in with a
> disabled account. However, the S4U logon method used by Cygwin now in
> place of the old "Create user token from scratch" method(*) even checks
> that automatically and does not allow disabled accounts to logon.
>
> Same goes for the `passwd -R' method as well as for normal password logon
> since they have been introduced, btw, given they use the same underlying
> Windows function which actively checks for disabled accounts.
>
> Last but not least, the fact that some logon methods allowed disabled
> accounts to logon and some didn't wasn't really a good idea to begin
> with.
>
>
> Corinna
>
> (*) https://cygwin.com/cygwin-ug-net/ntsec.html#ntsec-nopasswd1
>

Thank you for the information. I will adjust my practices to the new situation.

Bruce