Mailing-List: contact cygwin-help AT cygwin DOT com; run by ezmlm
Message-ID: <3F688E83.600@speeq.com>
Date: Wed, 17 Sep 2003 18:40:35 +0200
From: Olivier ALLART
To: cygwin AT cygwin DOT com
Subject: SSHD, Cygwin and Windows 2003 : continued with user rights

Following Mark J de Jong's step by step howto (see end of mail for some add-ons), I can now effectively log in with pkey method (that is, no password) using the 'administrator' user name.

'whoami' returns 'administrator', however asking for a command such as IISRESET returns the error 'you are not a local administrator of this machine...', which means the rights management has failed somewhere.

What shall I do to be able to run IISreset from ssh pkey under administrator?

Note: su-ing to 'administrator' returns 'wrong password' after correct pass input, and logging in via sshd with the 'local system sshd' method acknowledges the administrator to execute IISRESET.. that's why I wonder if adding the 'create token' and co stuff to the user SYSTEM wouldn't help, but I feel this is not a right thing to do ...

> Hello,
> I've looked and couldn't find decent docs on this so for those of you
> who are lookin', this is a quick howto on how to set up the
> Cygwin/OpenSSH daemon on M$ Windows 2003. This will fix the passwordless
> (ssh key) login issue.
>
> 1. Install Cygwin with the openssh binaries....

add the c:\cygwin\bin to the path
add cygwin=ntsec tty environment variable

>
> 2. After completing the Cygwin setup, go to the cygwin command prompt and
> type 'ssh-host-config'
> 3. Answer 'y' when asked if you want to sshd with privilege separation.
> 4. Answer 'y' when asked if user sshd should be created by the script.
> 5. Answer 'y' when asked if you want sshd to be created as a service.
> 6. Create a new windows user named "sshdproc" or whatever you wish the
> sshd process account username to be. If you happen to notice the sshd
> user being disabled, don't enable it!
> 7. Place the sshdproc user in the "Administrators" group.
> 8. Give the sshdproc user the following system rights:
> * Create a token object
> * Log on as a service
> * Replace a process level token
>
> And for security.....
> * Deny log on locally
> * Deny access to this computer from the network
>
> 9. Reconfigure the "CYGWIN sshd service" to run as the new "sshdproc"
> user.
> 10. At the cygwin command prompt type 'mkpasswd -l |grep sshdproc >> /etc/passwd'
> 11. Type 'touch /var/log/sshd.log'
> 12. Type 'chmod 644 /var/log/sshd.log'
> 11. Type 'chown sshdproc /var/empty /var/log/sshd.log /etc/ssh_*'
> 12. Type 'cygrunsrv --start sshd'

also ssh-user-config

>
> That should be it.. Hope this helps!

it helps, but not enough :)

>
>
> Best,
> Mark J. de Jong
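
A check for the account rights in step 8 of the quoted howto, added here as an example (it is not part of the original mail or of Cygwin's own scripts): it compares the rights an account holds with the five the howto lists and reports anything missing or extra. It assumes Cygwin's `editrights -l -u <account>` prints one Windows right constant per line; the display-name mapping is given in the comments and the sample list is constructed.

```shell
#!/bin/sh
# Added example: audit the user rights from step 8 of the howto.
# Display name -> Windows constant:
#   Create a token object                          SeCreateTokenPrivilege
#   Log on as a service                            SeServiceLogonRight
#   Replace a process level token                  SeAssignPrimaryTokenPrivilege
#   Deny log on locally                            SeDenyInteractiveLogonRight
#   Deny access to this computer from the network  SeDenyNetworkLogonRight
REQUIRED_RIGHTS="SeCreateTokenPrivilege
SeServiceLogonRight
SeAssignPrimaryTokenPrivilege
SeDenyInteractiveLogonRight
SeDenyNetworkLogonRight"

# Constructed sample (assumed format of `editrights -l -u sshdproc`):
# one deny right is missing and one right outside the howto's list is present.
SAMPLE_RIGHTS="SeServiceLogonRight
SeCreateTokenPrivilege
SeAssignPrimaryTokenPrivilege
SeDenyInteractiveLogonRight
SeTcbPrivilege"

# audit_rights: read one right per line on stdin, print MISSING/EXTRA lines,
# return 0 only when the held set equals the howto's set.
audit_rights() {
    # Strip CRs and surrounding blanks, then de-duplicate.
    held=$(tr -d '\r' | sed 's/^[[:space:]]*//; s/[[:space:]]*$//' | sort -u)
    status=0
    for right in $REQUIRED_RIGHTS; do
        if ! printf '%s\n' "$held" | grep -qxF "$right"; then
            echo "MISSING $right"; status=1
        fi
    done
    for right in $held; do
        if ! printf '%s\n' "$REQUIRED_RIGHTS" | grep -qxF "$right"; then
            echo "EXTRA $right"; status=1
        fi
    done
    return $status
}

# On Cygwin, audit the real account (default: sshdproc); elsewhere use the sample.
if command -v editrights >/dev/null 2>&1; then
    editrights -l -u "${1:-sshdproc}" | audit_rights || true
else
    printf '%s\n' "$SAMPLE_RIGHTS" | audit_rights || true
fi
```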