Mailing-List: contact cygwin-help AT cygwin DOT com; run by ezmlm
Sender: cygwin-owner AT cygwin DOT com
Mail-Followup-To: cygwin AT cygwin DOT com
Delivered-To: mailing list cygwin AT cygwin DOT com
Reply-To: Cygwin List
Message-Id: <6.1.0.6.0.20040512222556.031ef9c8@127.0.0.1>
Date: Wed, 12 May 2004 22:53:37 -0400
To: "Brindl Ronald"
From: Larry Hall
Subject: Re: AW: Inaccessible remote volumes when logged in via ssh
In-Reply-To: <00fc01c43758$24e95e20$0500a8c0@ron>
References: <00fc01c43758$24e95e20$0500a8c0 AT ron>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"

At 09:01 AM 5/11/2004, you wrote:
>I am logging in using password (I already heard of troubles using
>publickey, although I can log in as normal user using public key).
>The volume is mounted using the explorer menu (extra -> connect drive, I
>don't know if that's correct because I have a German version), and it is
>configured to mount automatically at startup.

Well, something is wrong with your password authentication then because
the behavior you're getting is exactly the same as with public key
authentication.

>I just tried to use "net use" in my ssh-session and noticed it doesn't
>work (system error 1312).
>It is the same case as in
>http://archive.erdelynet.com/ssh-l/2004-04/msg00033.php
>And in
>http://archive.erdelynet.com/ssh-l/2002-11/msg00006.php
>
>And
>http://archive.erdelynet.com/ssh-l/2004-03/msg00057.php
>
>It has something to do with user-privileges and that the sshd runs as
>user SYSTEM. It seems that the ssh-sessions also run as SYSTEM, and
>not as the user which logged in.

No, that's not quite right. *If* you use password authentication when
you 'ssh' into your Cygwin ssh server, you will be authenticated by
Windows and have full access to whatever resource (including shares)
Windows allows you. *If* you use public key authentication, you can
access any resource that does not require Windows authentication
(including public shares). Either way, you are running the 'ssh' session
as the user you specify (or default to) for that session. Only 'sshd'
runs as SYSTEM (by default). Running 'sshd' as SYSTEM allows switching the user
context from SYSTEM to the requested user for the 'ssh' session.

>What I don't understand is why it works when I log in locally via ssh
>(ssh localhost -l bpc).

It "works" because you're already authenticated with Windows on that
machine as the user you're shelling in as. So Windows knows this user
and therefore will provide access to the restricted resources.

>It should also run as user system without
>network-privileges.

No, that's incorrect.

>I tried the following:
>At /INTERACTIVE cmd
>
>Which should open a cmd-shell in one minute which runs as SYSTEM.
>The shell opens and I also have no access to the network.

That's expected.

>So I tried to start the sshd service as user "sshd" (changed owner of
>all files, adjusted the security policies etc). The service starts but
>the strange result is that I can't login with password anymore, only
>with public key !!! And I still don't have access to network.
>When I do a ps -W -f I get:
>
>     sshd 1608    1  ? 14:10:21 /usr/bin/cygrunsrv
>     sshd 1348 1720  ? 14:11:09 /usr/sbin/sshd
>        0  756    0  ? 14:11:11 C:\cygwin\bin\bash.exe
>      bpc 1716 1680  1 14:11:46 /usr/bin/ps
>        0 1760    0  ? 14:11:47 C:\cygwin\bin\ps.exe

Don't know why you tried this but as you can see, it doesn't buy you
anything.

>So I assume the shell still runs under the SYSTEM account.

No. Now it would be run as user 'sshd', with whatever privileges the
'sshd' user has. By default, this user has no ability to switch user
contexts so no matter who you log in as, you will always be 'sshd'.

>Trying around with UsePrivilegeSeparation I had trouble starting the
>service at all. (complained about wrong privileges of /var/empty)

If you start changing the user that 'sshd' runs as, you're going to need
to be careful about resetting file ownership on many files and
directories that 'sshd' and 'ssh' use. It isn't recommended that you
run 'sshd' as any user other than SYSTEM (unless you're running on W2K3 -
see the openssh README for details on running on that platform).

At this point, you're probably best off removing 'openssh' from your
system, cleaning up any leftover files, and reinstalling, using the
install scripts and directions provided with the package. If you still
have problems, we need to know the steps you took, any messages you got,
log files generated, configuration file settings, etc. But keep in mind
you can find out a lot about what 'sshd' and 'ssh' are doing by running
them with verbosity/debugging turned on. See the man pages for details.

--
Larry Hall                              http://www.rfk.com
RFK Partners, Inc.                      (508) 893-9779 - RFK Office
838 Washington Street                   (508) 893-9889 - FAX
Holliston, MA 01746

--
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple
Problem reports:       http://cygwin.com/problems.html
Documentation:         http://cygwin.com/docs.html
FAQ:                   http://cygwin.com/faq/
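The distinction drawn in the reply above (a password-authenticated ssh session holds Windows credentials usable for shares, a public-key session does not, and the account sshd itself runs as says nothing about who the session runs as) can be checked from inside the Cygwin ssh session with the tools the thread already uses. The script below is an added example, not code from the thread or from Cygwin or OpenSSH; it assumes a Cygwin bash in which `net` and `whoami` resolve to the Windows programs, and the share name is a placeholder you pass in. Mapping "System error 1312" to a missing logon session, and the hint about re-authenticating to the share with `net use /user:`, are general Windows behaviour rather than statements made in the post.

```shell
#!/bin/bash
# Added example: probe whether this Cygwin ssh session's Windows token can
# reach an SMB share, and explain the usual failure. Not part of the thread.
# Assumes Cygwin bash with Windows net.exe and whoami.exe on PATH.

# Classify the captured output and exit status of `net use \\server\share`.
# Windows prints "System error N has occurred." on failure; the code tells us why.
classify_net_use() {
    local output="$1" status="$2" code
    [ "$status" -eq 0 ] && { echo connected; return; }
    code=$(printf '%s\n' "$output" \
        | sed -n 's/.*System error \([0-9][0-9]*\) has occurred.*/\1/p' \
        | head -n 1)
    case "$code" in
        1312) echo no-logon-session ;;  # ERROR_NO_SUCH_LOGON_SESSION: token has no network credentials
        5)    echo access-denied ;;     # ERROR_ACCESS_DENIED: authenticated, but the ACL says no
        53)   echo unreachable ;;       # ERROR_BAD_NETPATH: server or share name not found
        *)    echo other-failure ;;
    esac
}

# Run the probe against a real share from inside the ssh session.
# Returns 0 only when the connection succeeded.
probe_share() {
    local share="$1" output status verdict
    output=$(net use "$share" 2>&1); status=$?
    verdict=$(classify_net_use "$output" "$status")
    echo "session runs as: $(whoami)"      # should be the ssh user, never SYSTEM or 'sshd'
    echo "$share: $verdict"
    case "$verdict" in
        no-logon-session)
            echo "hint: this session authenticated without a password (public key),"
            echo "      so Windows has no credentials to offer the server."
            echo "      Either ssh in with password authentication, or authenticate"
            echo "      to the share explicitly:  net use $share /user:DOMAIN\\user"
            ;;
        access-denied)
            echo "hint: Windows accepted the session's credentials; check the share ACL."
            ;;
    esac
    [ "$verdict" = connected ]
}

# Usage from the ssh session:  bash probe.sh '\\server\share'
if [ $# -gt 0 ]; then
    probe_share "$1"
fi
```

The probe runs only when a share name is given, so the script can be sourced for its functions. `classify_net_use` takes text rather than calling `net` itself, which keeps the interpretation testable without a Windows host and lets you paste in output captured elsewhere.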