Message-ID: <20030512151104.42554.qmail@web40409.mail.yahoo.com>
Date: Mon, 12 May 2003 17:11:04 +0200 (CEST)
From: richard dje
Subject: Re: HELP: sshd/multi-user how-to
To: cygwin AT cygwin DOT com

Hi Elfyn and Igor,

Thank you for your quick feedback and sorry for the delay in giving my feedback :-)

--- Elfyn McBratney wrote:
> On Sat, 10 May 2003, richard dje wrote:
>
> > I'm trying to setup a cvs server on cygwin over ssh.
>
> See below...
>
> > I have cygwin v1.3.22.1 installed on a win2k box.
> > I also installed the latest version of openSSH, and all related packages.
> >
> > I also learned that one needs to create a windows account for each user
> > willing to connect to the server.
> >
> > In order to do some testing I just created 2 accounts on the windows
> > machine, say USER1 and USER2.
> >
> > To enable connections through ssh one needs to correctly setup 'sshd'. For that
> > USER1 ran 'ssh-host-config', since /etc/ssh_host_* files must be
> > read/write-able by only one account. Normally that user should have been
> > 'root'. Browsing the web, I saw that it was not that simple
> > on cygwin (Please correct me if I am wrong).
> >
> > Files
> > /etc/ssh_host_key,
> > /etc/ssh_host_rsa_key,
> > /etc/ssh_host_dsa_key
> >
> > should not be group and world-accessible.
> >
> > I then launched the following two commands
> > $ mkpasswd -l > /etc/passwd
> > $ mkgroup -l > /etc/group
> >
> > Their content looks OK.
> >
> > I then gathered USER1 and USER2 ssh2-rsa publickeys and put them in
> > their respective $HOME/.ssh/authorized_keys2 (on the server machine).
> >
> > The windows machine was then booted on USER1 account in order to be able
> > to start 'sshd' by means of '/etc/rc.d/init.d/sshd start'
> >
> > Connecting remotely to USER1 account by the following command worked just fine
> > $ ssh -v USER1 AT server_ip_address
> >
> > But trying to do the same for USER2 by using
> > $ ssh -v USER2 AT ser_ip_address
> > just failed, since I am asked to provide a password.
> > The above command output showed me that the ssh2-rsa publickey auth just
> > failed.
> >
> > QUESTION:
> > - Is the above configuration feasible ?
> >   assuming USER1 is a poweruser,
> >   USER2, USER3, ..., USERN are simple users.
>
> If what you are doing is running sshd as user1 while wanting to allow
> user{2,3,4} to also login you will need to give user1 extended privileges
> (info at ) so
> that it can switch user context (setuid).

I added the following three additional user rights to USER1:
- "Act as part of the operating system"
- "Replace process level token"
- "Increase quotas"

But it still does not work.

What I tried next was to launch 'sshd' via 'init'. For that, I installed 'init' as a windows service through 'init-config'.
Restarting the machine, and doing a 'ps -a' showed me that 'init', 'sshd' and 'xinetd' were running with UID=18.
/etc/ssh_* and /var/empty files are now owned by SYSTEM.

I said to myself, GREAT things are going to work now. :-)

Doing a simple 'ssh USER1 AT server_ip_address' locally or remotely gave me the same result: I am asked for a password.
Worse, now 'sshd' keeps asking a passwd for all connections it receives.

I checked 'sshd' was effectively running by means of '/etc/rc.d/init.d/sshd status' (one never knows).

I also tried launching 'sshd' alone as a windows service through 'ssh-host-config'. I did a 'chown USER1 /etc/ssh* /var/empty'. I then rebooted the machine, everything went well till I tried the above ssh commands (i.e., same results), that is, no way to ssh to the server.
:-(((
I should have missed something, but I can't find out what !!

> > - Does cygwin/cvs work fine in server mode using 'ext' protocol (ssh) ?
>
> A few people, including myself, have had a running cvs server but not for
> a record length of time. I was able to keep a server going for two days,
> and then it started giving me assert'ions.

What do you mean by assert'ions ?
Are you saying that cygwin/cvs server may not be stable enough ???
I really want to setup a cygwin/cvs server over ssh, but if it is not stable enough then I'll give up.
I also read on the web, that setting up a cvs server using CVSNT/Pserver/ssh was not that easy.

> > - Security-wise is (cygwin/cvs server / ssh) a good choice ?
>
> IMO, Yes. But there are concerns about shared memory and such. A search of
> the archives might(tm) give you more information.

Maybe I am blind but I did not find any relevant information (I should be blind).
But the way a cvs server is normally used do you think these kinds of problems are critical?
The cvs server will actively be used by almost 15 designers.

> --
> Elfyn McBratney
> Systems Administrator
> ABCtales.com

Please, 'Au secours' (= 'help' in French) I'm lost.

-Richard
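
Added example (not part of the original message, and not Cygwin or OpenSSH code): a shell check for the requirement quoted in the message that the /etc/ssh_host_* key files must not be group or world accessible, usable on the per-user authorized_keys2 files as well. It assumes GNU stat; the function names and the script name in the usage comment are made up for this example.

```shell
#!/bin/sh
# Added example: flag key files that are group- or world-accessible.
# Assumes GNU stat ('stat -c'); function names are hypothetical.
# Usage (script name is a placeholder):
#   sh audit_keys.sh /etc/ssh_host_key /etc/ssh_host_rsa_key \
#       /etc/ssh_host_dsa_key "$HOME/.ssh/authorized_keys2"

# Print the octal permission mode of a file, e.g. 600.
file_mode() {
    stat -c '%a' "$1"
}

# Return 0 only if no group/other permission bit is set on the file.
is_private() {
    mode=$(file_mode "$1") || return 2
    # Leading 0 makes the shell read the mode as octal; 077 masks
    # the group and other bits.
    [ $(( 0$mode & 077 )) -eq 0 ]
}

# Report every path given; the return status is the number of
# files that exist but are accessible to group or world.
audit_keys() {
    bad=0
    for f in "$@"; do
        if [ ! -e "$f" ]; then
            echo "MISSING  $f"
            continue
        fi
        if is_private "$f"; then
            echo "OK       $(file_mode "$f")  $f"
        else
            echo "EXPOSED  $(file_mode "$f")  $f  (fix: chmod go-rwx)"
            bad=$((bad + 1))
        fi
    done
    return "$bad"
}

# Run the audit only when paths are given on the command line.
if [ "$#" -gt 0 ]; then
    audit_keys "$@"
fi
```

A non-zero exit status means at least one existing file carries group or world permission bits.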