Mailing-List: contact cygwin-help AT cygwin DOT com; run by ezmlm
Sender: cygwin-owner AT cygwin DOT com
Mail-Followup-To: cygwin AT cygwin DOT com
Delivered-To: mailing list cygwin AT cygwin DOT com
Message-Id: <200505060118.j461IpC23352@webmail.pulsemining.com.au>
From: "Stuart Westbury"
Subject: RE: SSHD key based authentication hangs cscript
Date: Fri, 6 May 2005 11:17:38 +1000

Hi All,

Thanks for the suggestions. They look like exactly what we need as we will only require this for one user to run 3 commands. Two of them already work as intended, it's just the 3rd that seems to rely on this token.

I have run into problems though, and it's most likely my ignorance. Is there a document that explains the process of logging in as the user running the service?

I have attempted to login using the sshd_server user, but this fails even after all the policies that deny it access in "Default Domain Controller Security Policy" are removed.

These are:
> "Deny Access to this Computer from the network"
> "Deny logon locally"

These ones I left alone and then removed them when the above two didn't give me results:
> "Replace a process level token"
> "Create a token object"

This I figured was essential and never modified it.
> "Log on as a service"

I do understand some of this may compromise security, but at this stage I am not concerned as this will run in a trusted and firewalled environment.

I also can't run the service as administrator. Any attempts to change this hang the service until the cygrunsrv process is killed. Any ideas on what I am doing wrong? The administrator service is allowed to log on as a service by default.

What exactly is the prerequisite for logging into a cygwin sshd server on the user side?
I have found that any new accounts I add to our active directory don't seem to appear in /etc/passwd? Should they? Also, it seems that only administrator accounts created prior to the cygwin install are allowed a login to the server. Is this normal?

Thanks again for all your suggestions so far folks,

Stuart

-----Original Message-----
From: Igor Pechtchanski [mailto:pechtcha AT cs DOT nyu DOT edu]
Sent: Thursday, 5 May 2005 1:32 PM
To: Stuart Westbury
Cc: cygwin AT cygwin DOT com
Subject: RE: SSHD key based authentication hangs cscript

On Thu, 5 May 2005, Stuart Westbury wrote:

> Thanks for the prompt response Corinna.
>
> At least I now know.
>
> Can anybody suggest a way of doing this? Can the runas service be used
> to gain a new token or will it suffer the same problem? I have attempted
> to use it, but the results were unusual. It prompted me for a password
> and just drops me back to the shell without the opportunity to even
> enter one.
>
> On a similar note, can anyone who may have had this issue suggest any
> alternative way to run remote commands on a windows box from linux with
> some form of transparent authentication, or am I dreaming? :)

Well, if you only ever log in as one user, you can run sshd as that particular user (maybe on a special port if you need a regular sshd daemon as well). That way, even if public key auth is used, the token will be valid. See the --user option to cygrunsrv.

If you need multiple users to log in, you can try to get runas to prompt you for a password properly, but that may be tricky. Try playing with the "tty" value in the CYGWIN variable (see ).

HTH,
Igor

> [snip]
>
> -----Original Message-----
> From: cygwin-owner AT XXXXXX DOT XXX [mailto:cygwin-owner AT XXXXXX DOT XXX] On Behalf Of Corinna Vinschen
> Sent: Wednesday, 4 May 2005 7:03 PM
> To: cygwin AT XXXXXX DOT XXX
> Subject: Re: SSHD key based authentication hangs cscript

Oh, and . Thanks.
> On May 4 11:15, Stuart Westbury wrote:
> > "There are actually two problems here: 1) a problem with CygWin/OpenSSH
> > (after public key authentication GetUserName() returns incorrect
> > value)..........."
> >
> > Is this my problem?
>
> No, that's our problem. There's nothing we can do about it, I'm sorry.
> [snip]

--
http://cs.nyu.edu/~pechtcha/
pechtcha AT cs DOT nyu DOT edu
igor AT watson DOT ibm DOT com
Igor Pechtchanski, Ph.D.

"The Sun will pass between the Earth and the Moon tonight for a total
Lunar eclipse..." -- WCBS Radio Newsbrief, Oct 27 2004, 12:01 pm EDT