From: "Mark Priest"
Cc: "Myk Melez"
Subject: Re: Administrator lacking super-user privileges on cygwin installation
Date: Fri, 1 Aug 2003 12:16:51 -0400

Larry,

I realized after my post that what I said about SYSTEM was wrong. I was
thinking of the files under /etc as you guessed. It's difficult to figure
out what might be wrong here without some more info from Myk. It is
possible that he ran ssh-user-config with nontsec and then changed to ntsec
later. We would really need to see the output of getfacl on the .ssh
directory and the key files in it to understand what is going on. It might
also help to know the contents of sshd_config.

I just noticed that I have StrictModes set to no on my system. Oops, I'm
glad you mentioned that so I can close that security hole. :)

-Mark

----- Original Message -----
From: "Larry Hall"
To: "Mark Priest"
Cc: "Myk Melez"
Sent: Friday, August 01, 2003 11:26 AM
Subject: Re: Administrator lacking super-user privileges on cygwin installation

> Mark,
>
> Why do you think that SYSTEM should be the owner of files under
> /home//.ssh? This would be true if you set up ssh for
> the SYSTEM user but there's really little point in that. Files under
> ~/.ssh should be owned by the user. These files are created by
> ssh-user-config.
>
> Are you referring to the /etc/ssh* files? These are created by
> ssh-host-config and are owned by SYSTEM. However, these aren't the
> files that are causing Myk problems (AFAICS from the information
> provided).
>
> Playing with the $CYGWIN flags sshd uses is an interesting idea. It's
> possible 'nontsec' might help, although it eliminates the security of the
> private keys so it's not recommended. I've actually found that the only
> combination of 'ntsec' or 'nontsec' and 'ntea' that makes any difference
> is 'nontsec' and 'ntea'. With these two options, sshd won't even start
> (Win32 error 1062: The service has not been started.) But I have
> 'StrictModes' set in my /etc/sshd_config. Interestingly, just using
> 'nontsec' doesn't cause the service to fail to start. I must have some
> permission wrong somewhere. ;-)
>
> FWIW, unless Myk has set some very different values for the $CYGWIN
> that 'sshd' uses, I don't think this is an issue. But it would be
> helpful if Myk posted this information as well, if the goal is to get
> some useful feedback from this list.
>
> Larry
>
> Mark Priest wrote:
>
> > Myk,
> >
> > I assume you are using Openssh? If you installed Openssh as a Windows
> > service then SYSTEM is the owner of the files, otherwise the owner is
> > whatever user did the installation. This is, of course, assuming that you
> > used the ssh-host-config script in /bin. However, I have installed it both
> > ways and I have not received the error you are describing. You might want
> > to check the value of the CYGWIN environment variable. By default ntsec is
> > turned on but if that variable includes "nontsec" or "ntea" then that might
> > be what is causing your problem.
> >
> > -Mark
> >
> > ----- Original Message -----
> > From: "Larry Hall"
> > To: "Myk Melez"
> > Cc:
> > Sent: Thursday, July 31, 2003 9:40 PM
> > Subject: Re: Administrator lacking super-user privileges on cygwin
> > installation
> >
> >
> >
> >>Myk Melez wrote:
> >>
> >>
> >>>I have two machines with what look like identical cygwin installations
> >>>on them, but the Administrator account on one of them doesn't have
> >>>super-user privileges. This causes sshd not to have access to
> >>>/home/some-user/.ssh (which is restricted to only "some-user") and thus
> >>>prevents key-based authentication. Regular password-based
> >>>authentication works, so the problem isn't sshd itself. Logging in as
> >>>the Administrator and doing "ls /home/some-user/.ssh/*" gives me a
> >>>"permission denied" error, which also confirms that the problem is with
> >>>the permissions of the Administrator account and not sshd.
> >>>
> >>>The Administrator NT accounts (and Administrators NT groups) seem
> >>>identical on the two machines, as are permissions for the C:\cygwin
> >>>directory. Both systems had old cygwin installations on them that we
> >>>blew away before installing the latest. What am I missing?
> >>
> >>
> >>1. SYSTEM is the account that sshd runs as, not administrator. It's
> >>   the only default account that has permissions to switch user contexts
> >>   without authenticating the new user through Windows password mechanism
> >>   (for NT/W2K/XP).
> >>
> >>2. Only the owner of the private key files in .ssh should have permissions
> >>   to access these files. Public key files should be readable by anyone.
> >>   You'll want to check the permissions on these files relative to the
> >>   above.
> >>
> >>3. Generally, you should read .
> >>
> >>
> >>
> >>--
> >>Larry Hall                              http://www.rfk.com
> >>RFK Partners, Inc.                      (508) 893-9779 - RFK Office
> >>838 Washington Street                   (508) 893-9889 - FAX
> >>Holliston, MA 01746
> >
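
Added example, not part of the original messages: a small POSIX shell audit of the two things the thread keeps returning to, the permissions on ~/.ssh and its key files and the effective StrictModes value in sshd_config. The function names, the fixture, and the rule that a private key is any file whose first line contains "PRIVATE KEY" are assumptions of this example; it reads the mode bits that `ls -ld` reports, so it complements rather than replaces the getfacl output asked for above.

```shell
#!/bin/sh
# Added example, not from the thread: check ~/.ssh mode bits and StrictModes.

# perms FILE -> the nine rwx characters from `ls -ld`, e.g. "rw-------"
perms() { ls -ld "$1" | cut -c2-10; }

# strict_modes CONFIG -> effective value; sshd takes the first occurrence of a
# keyword and treats StrictModes as "yes" when it is not set.
strict_modes() {
    v=$(awk 'tolower($1) == "strictmodes" { print tolower($2); exit }' "$1")
    echo "${v:-yes}"
}

# audit_ssh_dir DIR -> one line per finding on stdout
audit_ssh_dir() {
    # The directory and authorized_keys must not be group- or world-writable.
    for f in "$1" "$1/authorized_keys"; do
        [ -e "$f" ] || continue
        case $(perms "$f") in
            ????w????|???????w?) echo "WRITABLE_BY_OTHERS $f" ;;
        esac
    done
    # Private keys (assumed to start with a PEM "PRIVATE KEY" header) must
    # grant nothing to group or other.
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        head -n 1 "$f" 2>/dev/null | grep -q 'PRIVATE KEY' || continue
        case $(perms "$f") in
            ???------) ;;
            *) echo "PRIVATE_KEY_EXPOSED $f" ;;
        esac
    done
}

# make_fixture DIR: constructed sample data with one deliberate mistake each.
make_fixture() {
    mkdir -p "$1/.ssh" && chmod 700 "$1/.ssh"
    echo '-----BEGIN RSA PRIVATE KEY-----' > "$1/.ssh/id_rsa"
    echo 'ssh-rsa AAAA constructed' > "$1/.ssh/id_rsa.pub"
    cp "$1/.ssh/id_rsa.pub" "$1/.ssh/authorized_keys"
    chmod 644 "$1/.ssh/id_rsa" "$1/.ssh/id_rsa.pub"   # key readable by all: wrong
    chmod 664 "$1/.ssh/authorized_keys"               # group-writable: wrong
    printf '# constructed\nPort 22\nStrictModes no\n' > "$1/sshd_config"
}

# Usage: sh audit.sh /home/some-user/.ssh /etc/sshd_config
if [ "$#" -eq 2 ]; then
    audit_ssh_dir "$1"
    echo "StrictModes $(strict_modes "$2")"
fi
```

Ownership is not checked here; on Cygwin that is what the getfacl output shows.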