From: Corinna Vinschen
To: cygwin@cygwin.com
Date: Fri, 11 Jul 2003 14:15:16 +0200
Subject: Re: cygwin on Windows 2003...
Message-ID: <20030711121516.GT12368@cygbert.vinschen.de>
In-Reply-To: <20030711113243.30760.qmail@web13906.mail.yahoo.com>
References: <20030711105835.GQ12368@cygbert.vinschen.de> <20030711113243.30760.qmail@web13906.mail.yahoo.com>

On Fri, Jul 11, 2003 at 04:32:43AM -0700, Prasad Dabak wrote:
> 1. I am using openssh 2.5.2p2 and cygwin 1.3.1 using
> passwordless authentication with sshd running in
> SYSTEM context. I have been using this combination for
> years on Windows 2000 and it works fine.

Just as a side note: 2.5.2 has a bunch of known security issues.
It's recommended to upgrade to 3.6.1.

> 2. I tried the same combination on Windows 2003. Here
> the SSH connection gets established. I don't get any
> permission denied errors. However, when I ssh to the
> box it fails with the error.
>
> c:\bin\bash.exe: *** Couldn't reserve space for
> cygwin's heap (0x24B0000) in child, cygheap, Win32
> error 0

It fails for me in a different way with Cygwin 1.5.0. I checked that
the "Create a token object" privilege is not in the access token given
to a SYSTEM service. Therefore I'm actually confused by this
description.

> 3. I fixed the cygwin heap problem by putting the
> cygwin1.dll from 1.3.22. After this, when I ssh to the
> box, I get the "Permission denied
> (publickey,password,keyboard-interactive)." error.

Yes, that's what should happen. The weird thing is that I *tested*
that it fails with 1.5.0 (which is not different from 1.3.22 in terms
of setuid/setgid handling) due to the missing privilege. I don't see
why the Windows privilege should in any way depend on the Cygwin
version. The call to NtCreateToken() fails with error 1314, "A
required privilege is not held by the client."

> 4. Next, if I run the "sshd.exe" by interactively
> logging onto the system as Administrator, then, I am
> able to SSH to the box without any problems.

As administrator I assume? In that case it's not relevant since then
the logon account is equal to the account running sshd. Therefore no
user context switch happens. If you didn't explicitly change the user
permissions of the Administrator account to contain the "Create a
token object" privilege, you will not be able to change the user
context in this scenario.

> So, now, I have two questions
>
> 1. If I upgrade to latest version of openssh, will
> this solve my problem? Will I be able to run sshd as a
> service running in SYSTEM context with password less
> authentication and be able to establish ssh connection

Yes and no. As far as my testing goes, I could establish a situation
in which sshd (3.6.2p1) is running as service, allows passwordless
user context switch and runs the shell nicely. But it only works if
you create a special account for this, which is a member of the admins
group and has the additional user privileges "Create a token object",
"Replace a process level token" and "Logon as a service". Probably it
makes sense to remove other privileges from that account, e.g. the
right to logon locally or so.

Caution: Don't use the account name "sshd" for that. The "sshd"
account should be a non-privileged account which is used by sshd when
privilege separation (available since OpenSSH 3.4) is used. That
account will be created on demand when you start `ssh-host-config' of
current Cygwin OpenSSH versions.

> 2. If I don't upgrade to latest version of openssh, is
> there any workaround to be able to run sshd as a
> service in SYSTEM context with password less
> authentication and be able to establish ssh connection

I don't recommend that due to security concerns.

Corinna

--
Corinna Vinschen                  Please, send mails regarding Cygwin to
Cygwin Developer                                mailto:cygwin@cygwin.com
Red Hat, Inc.
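The reply above says the user-context switch only works when the service account holding sshd has the rights "Create a token object", "Replace a process level token" and "Logon as a service". The PowerShell below is an added example (not code from the mailing list, from Corinna, or from Cygwin's ssh-host-config) that checks a dedicated service account against those three rights by parsing a `secedit /export` of the local security policy. The underlying policy constants (SeCreateTokenPrivilege, SeAssignPrimaryTokenPrivilege, SeServiceLogonRight) are the standard Windows names for those display strings; the account name `sshd_server` and every SID in the sample export are made up for the demonstration.

```powershell
# Added example, not part of the original post. Maps the three rights the
# reply names to the policy constants secedit uses:
#   "Create a token object"          -> SeCreateTokenPrivilege
#   "Replace a process level token"  -> SeAssignPrimaryTokenPrivilege
#   "Log on as a service"            -> SeServiceLogonRight
# The account name 'sshd_server' is an assumption; use the one you created.

$RequiredRights = @(
    'SeCreateTokenPrivilege',
    'SeAssignPrimaryTokenPrivilege',
    'SeServiceLogonRight'
)

# Parse the [Privilege Rights] section of a secedit export. Lines look like
#   SeCreateTokenPrivilege = *S-1-5-32-544,*S-1-5-21-...-1005
# Entries prefixed with '*' are SIDs; anything else is an account name.
function Get-PrivilegeRights {
    param([string[]]$InfLines)

    $rights = @{}
    $inSection = $false
    foreach ($line in $InfLines) {
        $trimmed = $line.Trim()
        if ($trimmed -match '^\[(.+)\]$') {
            $inSection = ($Matches[1] -eq 'Privilege Rights')
            continue
        }
        if (-not $inSection -or $trimmed -eq '') { continue }
        $name, $value = $trimmed -split '\s*=\s*', 2
        $holders = @()
        if ($value) {
            $holders = @($value -split ',' | ForEach-Object { $_.Trim().TrimStart('*') })
        }
        $rights[$name] = $holders
    }
    return $rights
}

# Return the required rights that the account (given by SID) does NOT hold.
# An empty result means the account is set up as the reply describes.
function Test-ServiceAccountRights {
    param([hashtable]$Rights, [string]$AccountSid, [string[]]$Required = $RequiredRights)

    $missing = @()
    foreach ($r in $Required) {
        $holders = @()
        if ($Rights.ContainsKey($r)) { $holders = $Rights[$r] }
        if ($holders -notcontains $AccountSid) { $missing += $r }
    }
    return $missing
}

# --- Constructed sample export so the parser can be exercised offline. ---
# All SIDs here are invented for the example; the account SID ends in 1005.
$SampleInf = @'
[Unicode]
Unicode=yes
[Privilege Rights]
SeCreateTokenPrivilege = *S-1-5-21-1111-2222-3333-1005
SeAssignPrimaryTokenPrivilege = *S-1-5-19,*S-1-5-20
SeServiceLogonRight = *S-1-5-21-1111-2222-3333-1005,*S-1-5-80-0
SeInteractiveLogonRight = *S-1-5-32-544,*S-1-5-21-1111-2222-3333-1005
[Version]
signature="$CHICAGO$"
Revision=1
'@

$rights  = Get-PrivilegeRights ($SampleInf -split "`r?`n")
$missing = Test-ServiceAccountRights -Rights $rights -AccountSid 'S-1-5-21-1111-2222-3333-1005'
# In the sample the account lacks SeAssignPrimaryTokenPrivilege, so the
# context switch would still fail; it also still holds
# SeInteractiveLogonRight, which the reply suggests removing.
$missing

# --- Live use on a real host (run from an elevated prompt). ---
# $inf = Join-Path $env:TEMP 'rights.inf'
# secedit /export /cfg $inf /areas USER_RIGHTS | Out-Null
# $sid = ([System.Security.Principal.NTAccount]'sshd_server').Translate(
#            [System.Security.Principal.SecurityIdentifier]).Value
# Test-ServiceAccountRights -Rights (Get-PrivilegeRights (Get-Content $inf)) -AccountSid $sid
```

Two caveats when using this for real: user rights are placed in a token at logon, so after granting them the sshd service has to be restarted before the new privileges show up in its process token, and the check only tells you the policy grants the right, not that the running service actually received it; `whoami /priv` from a shell spawned by the service is the direct way to confirm the latter.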