Mailing-List: contact cygwin-help AT cygwin DOT com; run by ezmlm
Message-ID: <3FA64601.9080900@rhetorical.com>
Date: Mon, 03 Nov 2003 12:11:45 +0000
From: Paul Chorley
To: cygwin AT cygwin DOT com
Subject: setreuid: permission denied for sshd under non-system account

Hi,

I have installed the cygwin port of openssh on a Win2k box and set up passwordless authentication using .ssh/id_rsa and .ssh/authorized_hosts in the normal way. Everything works fine and I can ssh to the Windows box without a password.

My problem arises when I change the user that runs the sshd service. Following Corinna's instructions, I set up a local user (sshsvc) as a member of the Administrators group and have given that user the following user rights:

    Act as part of operating system.
    Create a token object.
    Replace a process level token.
    Log on as a service.

After setting the ownership of the /etc/ssh*, /var/empty (when using privilege separation) and /var/log/sshd.log I can start the service.

With the client and server in debug mode I try to connect and the client appears to log in, but immediately logs back out again. The server log shows that a call to permanently_set_uid is followed by a call to setreuid, which fails with 'permission denied'. I guess that this is Windows refusing to allow the sshsvc user to switch to the real user that I'm trying to log in as.

I was led to believe from the docs and from Corinna's posts that the user rights settings would have dealt with this problem, but they don't. What am I doing wrong here?

Any help is appreciated.

Paul.