Mailing-List: contact cygwin-help AT cygwin DOT com; run by ezmlm
Sender: cygwin-owner AT cygwin DOT com
Mail-Followup-To: cygwin AT cygwin DOT com
Delivered-To: mailing list cygwin AT cygwin DOT com
Date: Fri, 26 Jul 2002 09:30:09 EDT
To: cygwin
Subject: Re: W2K and sshd, ssh - asks for password
From: Brian Keener
Reply-To: bkeener AT thesoftwaresource DOT com
In-Reply-To: <20020725112023.B14134@cygbert.vinschen.de>
References: <20020724163138 DOT F3921 AT cygbert DOT vinschen DOT de> <20020724201757 DOT GC21112 AT redhat DOT com> <00da01c2336a$b940b210$0100a8c0 AT wdg DOT uk DOT ibm DOT com> <20020725112023 DOT B14134 AT cygbert DOT vinschen DOT de>

Corinna Vinschen wrote:
> > I think that only the POSIX file mode using ACLs requires NTFS. The rest of what
> > ntsec does just requires an NT OS, and FAT will do.
>
> You're right. You just don't get real POSIX permissions on files,
> but on process level ntsec still works.
>

Well, you guys just clarified and confirmed what I discovered last night, and the problem is now solved (partly): sshd/ssh appears to be functioning as it should, at least from the SYSTEM bash shell. I prepared and did the following test as Max described:

> The server needs to run under the SYSTEM account, so you will need to get a
> shell running under this account: As an administrator, run 'at hh:mm
> /interactive C:\cygwin\cygwin.bat', where hh:mm is current time +1m. Once the
> minute rolls over, you will have a bash shell running as SYSTEM. Now run
> '/usr/sbin/sshd -ddde >sshd-log 2>&1'. Now, in a separate shell (not as SYSTEM),
> try to log in - 'ssh myuser@localhost'. As soon as you get the password prompt,
> Ctrl-C. The sshd will exit as it is running in debug mode. Send sshd-log to
> cygwin AT cygwin DOT com in the body of an email.
and I had the file all prepared to email and then decided, based on his other comments about ntsec, that I would just give it a try (which I should have done in the first place and saved everyone a lot of grief - but I was afraid of the NTFS requirement and screwing something up big time). Lo and behold, with sshd started as Max described and with NTSEC as part of my CYGWIN variable - I could type in:

    ssh localhost

and there I was - the message of the day and logged in via SSH without it asking for a password.

I then decided to try sshd as a service again (installed and started from within the SYSTEM bash shell I had running), but this time, however, it was back to asking for my password. I tried testing various combinations of using the bash shell with user SYSTEM (as Max described above) and ntsec in my CYGWIN variable and essentially discovered the following:

If I start sshd as a service, it doesn't matter if I have ntsec in the CYGWIN environmental variable or not - it still will ask me for the password. Whereas if I start sshd as Max described above without ntsec, then ssh will ask for a password, but with ntsec, ssh will simply log on to the server and not ask for the password.

One thing I have noticed though is that when I use cygrunsrv to install sshd as a service (with the cygwin variable specified with ntsec specified) and then go look at the service that was created - I see where it references cygrunsrv.exe but see no reference to those parameters about the cygwin variable. This is on a Windows 2000 system - where is this information kept that would cause sshd to start as a service with the cygwin variable set as required? This is probably the big question that will fix my service problem.

So I now have learned (and you folks confirmed) that ntsec does affect part of the system even when you don't have NTFS. Good to know, and thanks for the clarification from both of you.
Now, any ideas why running from the SYSTEM bash shell (with ntsec in use) sshd/ssh doesn't require the password but running as a service it does? Is this, as I surmise, a problem with the way the service is created and thus being run?

bk