Date: Fri, 11 Jul 2003 05:26:12 -0700 (PDT)
From: Prasad Dabak
Subject: Re: cygwin on Windows 2003...
To: cygwin AT cygwin DOT com
Message-ID: <20030711122612.20117.qmail@web13907.mail.yahoo.com>
In-Reply-To: <20030711121516.GT12368@cygbert.vinschen.de>

Hello,

Thank you very much for all your help. I really appreciate that.

I found a workaround, by setting the StrictModes setting in
\etc\sshd_config to "No". As you said earlier, new cygwin is more
strict in terms of permissions and ownership.

So now, I have openssh 2.5.2p2 and cygwin 1.3.22 on Windows 2003 box
with sshd running as a service in SYSTEM context with passwordless
authentication and I am able to connect to it over SSH.

Thanks.
-Prasad

--- Corinna Vinschen wrote:
> On Fri, Jul 11, 2003 at 04:32:43AM -0700, Prasad Dabak wrote:
> > 1. I am using openssh 2.5.2p2 and cygwin 1.3.1 using
> > passwordless authentication with sshd running in
> > SYSTEM context. I have been using this combination for
> > years on Windows 2000 and it works fine.
>
> Just as a side note: 2.5.2 has a bunch of known security issues.
> It's recommended to upgrade to 3.6.1.
>
> > 2. I tried the same combination on Windows 2003. Here
> > the SSH connection gets established. I don't get any
> > permission denied errors. However, when I ssh to the
> > box it fails with the error.
> >
> > c:\bin\bash.exe: *** Couldn't reserve space for
> > cygwin's heap (0x24B0000) in child, cygheap, Win32
> > error 0
>
> It fails for me in a different way with Cygwin 1.5.0. I checked
> that the "Create a token object" privilege is not in the access
> token given to a SYSTEM service. Therefore I'm actually confused
> by this description.
>
> > 3. I fixed the cygwin heap problem by putting the
> > cygwin1.dll from 1.3.22. After this, when I ssh to the
> > box, I get the "Permission denied
> > (publickey,password,keyboard-interactive)." error.
>
> Yes, that's what should happen. The weird thing is that I *tested*
> that it fails with 1.5.0 (which is not different from 1.3.22 in
> terms of setuid/setgid handling) due to the missing privilege.
> I don't see that the Windows privilege should be in any way depending
> on the Cygwin version. The call to NtCreateToken() fails with error
> 1314, "A required privilege is not held by the client."
>
> > 4. Next, if I run the "sshd.exe" by interactively
> > logging onto the system as Administrator, then, I am
> > able to SSH to the box without any problems.
>
> As administrator I assume? In that case it's not relevant since
> then the logon account is equal to the account running sshd. Therefore
> no user context switch happens.
>
> If you didn't explicitly change the user permissions of the
> Administrator account to contain the "Create a token object"
> privilege, you will not be able to change the user context in
> this scenario.
>
> > So, now, I have two questions
> >
> > 1. If I upgrade to latest version of openssh, will
> > this solve my problem? Will I be able to run sshd as a
> > service running in SYSTEM context with passwordless
> > authentication and be able to establish ssh connection
>
> Yes and no. As far as my testing goes, I could establish a situation
> in which sshd (3.6.2p1) is running as service, allows passwordless
> user context switch and runs the shell nicely. But it only works if
> you create a special account for this, which is member of the admins
> group and has the additional user privileges "Create a token object",
> "Replace a process level token" and "Logon as a service". Probably
> it makes sense to remove other privileges from that account, e.g.
> the right to logon locally or so.
>
> Caution: Don't use the account name "sshd" for that. The "sshd"
> account should be a non-privileged account which is used by sshd
> when privilege separation (available since OpenSSH 3.4) is used.
> That account will be created on demand when you start `ssh-host-config'
> of current Cygwin OpenSSH versions.
>
> > 2. If I don't upgrade to latest version of openssh, is
> > there any workaround to be able to run sshd as a
> > service in SYSTEM context with passwordless
> > authentication and be able to establish ssh connection
>
> I don't recommend that due to security concerns.
>
> Corinna
>
> --
> Corinna Vinschen                  Please, send mails regarding Cygwin to
> Cygwin Developer                                mailto:cygwin AT cygwin DOT com
> Red Hat, Inc.
>
> --
> Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple
> Problem reports:       http://cygwin.com/problems.html
> Documentation:         http://cygwin.com/docs.html
> FAQ:                   http://cygwin.com/faq/
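The workaround in this message turns off the ownership and write-permission checks that sshd's StrictModes performs on the user's home directory, ~/.ssh and ~/.ssh/authorized_keys. The shell function below is an added example, not code from the thread, from Cygwin or from OpenSSH: it reproduces those checks so that the offending path can be repaired instead, and it assumes a POSIX sh with GNU stat(1) (as shipped with Cygwin); the name strictmodes_check is ours.

```shell
# Added example, not from the thread: reproduce the checks that sshd's
# StrictModes performs on a user's home directory, ~/.ssh and
# ~/.ssh/authorized_keys, so the failing path can be repaired instead of
# setting "StrictModes no". Assumes POSIX sh plus GNU stat(1) (as on Cygwin).
# strictmodes_check is our own name, not an OpenSSH function.
#
# Usage: strictmodes_check <home-dir> <uid-of-user>
# Returns 0 when all three paths would pass, 1 otherwise, reporting each
# failing path and the reason on stderr.
strictmodes_check() {
    home=$1; uid=$2; rc=0
    for p in "$home" "$home/.ssh" "$home/.ssh/authorized_keys"; do
        if [ ! -e "$p" ]; then
            echo "missing: $p" >&2; rc=1; continue
        fi
        owner=$(stat -c %u "$p")   # numeric owner uid
        perm=$(stat -c %A "$p")    # symbolic mode, e.g. drwxr-xr-x
        # sshd accepts the path only if it is owned by the user or by root (uid 0)
        if [ "$owner" != "$uid" ] && [ "$owner" != 0 ]; then
            echo "bad owner uid $owner on $p" >&2; rc=1
        fi
        # and only if neither the group (position 6) nor other (position 9)
        # has the write bit set
        case "$perm" in
            ?????w*|????????w*)
                echo "group/other writable ($perm): $p" >&2; rc=1 ;;
        esac
    done
    return $rc
}

# Repair rather than disable the check. A tree that fails is usually fixed
# (as the user or an administrator) with:
#   chown -R <user> ~<user>/.ssh; chmod 755 ~<user>; chmod 700 ~<user>/.ssh
#   chmod 600 ~<user>/.ssh/authorized_keys

# Stand-alone use: sh strictmodes_check.sh /home/<user> [uid]
if [ -n "$1" ]; then
    strictmodes_check "$1" "${2:-$(id -u)}"
fi
```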