Date: Thu, 11 Dec 2003 10:47:48 -0600 (CST)
From: Brian Ford
To: Matthew McGillis
cc: cygwin AT cygwin DOT com
Subject: Re: shell under sshd fail to fork child process

Disclaimer: I am not an ssh expert by any means. But, I have read enough
ssh related list traffic to know that the following is not supported.

On Thu, 11 Dec 2003, Matthew McGillis wrote:

> Brian Ford wrote:
> >Matthew McGillis wrote:
> >> I have installed the latest and greatest cygwin and sshd on a Small
> >> Business Windows Server 2003. Everything works great on the console
> >> and ssh'ing in and out works fine. However once I access the web
> >> server running on the box anyone sshd in will no longer be able to
> >> run anything that creates a child process. All cygwin functionality
> >> from the console still works fine. I can look at the processes and
> >> see srvc sshd and shells all running under SYSTEM.
> >>
> >Oops!                                          ^^^^^^
> >
> Not sure what you're suggesting with this but for clarification I
> should point out that the bash child shells of sshd are not running
> as SYSTEM but as whoever logged in. My main point with that is that
> from the console it is still easy to see that things look fairly
> normal even though those shells tied to sshd can not fork processes.
>

What I was suggesting was to take that clue and read:

/usr/share/doc/Cygwin/openssh.README

If you had done that, you would have seen the following without me having
to point it out to you and clutter the list with documentation excerpts.

This is the end of my knowledge in this area, so if you have further
problems, please take a close look at http://www.cygwin.com/problems.html
before posting again. Then, maybe someone else will be able to help more.

Important note for Windows 2003 Server users:
---------------------------------------------

2003 Server has a funny new feature. When starting services under SYSTEM
account, these services have nearly all user rights which SYSTEM holds...
except for the "Create a token object" right, which is needed to allow
public key authentication :-(

There's no way around this, except for creating a substitute account which
has the appropriate privileges. Basically, this account should be member
of the administrators group, plus it should have the following user rights:

        Create a token object
        Logon as a service
        Replace a process level token
        Increase Quota

The ssh-host-config script asks you, if it should create such an account,
called "sshd_server". If you say "no" here, you're on your own. Please
follow the instruction in ssh-host-config exactly if possible. Note that
ssh-user-config sets the permissions on 2003 Server machines dependent of
whether a sshd_server account exists or not.

--
Brian Ford
Senior Realtime Software Engineer
VITAL - Visual Simulation Systems
FlightSafety International
Phone: 314-551-8460
Fax: 314-551-8444
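
The following is an added example, not part of the original message or of the Cygwin README: a shell check that reports which of the four user rights listed in the README excerpt a service account is missing. The `Se*` names are the Windows constants for the display names the README uses; the function name `missing_rights` is hypothetical, and the `editrights` invocation in the comment assumes that tool prints one right name per line.

```shell
#!/bin/sh
# Added example: audit the user rights the README lists for the sshd account.
# Each entry is "<Windows constant>:<display name as written in the README>".
REQUIRED_RIGHTS="SeCreateTokenPrivilege:Create a token object
SeServiceLogonRight:Logon as a service
SeAssignPrimaryTokenPrivilege:Replace a process level token
SeIncreaseQuotaPrivilege:Increase Quota"

# missing_rights (hypothetical helper): reads the rights an account holds,
# one constant per line, on stdin. Prints "<constant> (<display name>)" for
# every required right that is absent. Returns 0 when all four are present,
# 1 when at least one is missing.
missing_rights() {
    # Strip CRs (Windows line endings) and surrounding whitespace.
    held=$(tr -d '\r' | sed 's/^[[:space:]]*//; s/[[:space:]]*$//')
    status=0
    while IFS=: read -r const display; do
        # Whole-line, case-insensitive match so a prefix cannot satisfy it.
        if ! printf '%s\n' "$held" | grep -qix -- "$const"; then
            printf '%s (%s)\n' "$const" "$display"
            status=1
        fi
    done <<EOF
$REQUIRED_RIGHTS
EOF
    return $status
}

# On a live host (assumption about the output format of editrights):
#   editrights -l -u sshd_server | missing_rights
#
# Constructed sample: an account that holds only two of the four rights.
printf 'SeServiceLogonRight\nSeIncreaseQuotaPrivilege\n' | missing_rights \
    || echo "account is missing rights required by the README"
```

A non-empty report for "Create a token object" corresponds to the case the README describes, where public key authentication cannot work.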