From: Theo Kanter
To: cygwin AT cygwin DOT com
Subject: Cygwin setup of sshd for non-administrators documentation?
Date: Mon, 31 Oct 2005 09:41:51 +0100
Message-ID: <4365D8CF.9080400@verkstad.net>

The following message contains my findings regarding a working setup of Cygwin sshd for non-administrators -- a topic I would like to see addressed in the official documentation, since no other source was found (at least via Google) with conclusive information on the subject:

INTRODUCTION

Two often cited pages with guides for setting up sshd on Win32:

http://pigtail.net/LRP/printsrv/cygwin-sshd.html
http://ncyoung.com/entry/389

mention that it is necessary to make every user who wishes to gain access via ssh/sftp a member of the Administrators group (!). I did not find this subject covered in the Cygwin documentation, but it seems urgent that this *is* covered by the documentation. Making all users who access a W2K or WXP system members of the Administrators group poses a security risk.

ANALYSIS

Users gain access to the Cygwin system via ssh/sftp as themselves, with the rights that were assigned to them in Win32 and in NTFS. Therefore any problems that may occur are a result of either insufficient permissions to access a file or folder, or of not being the owner of a folder that belongs to them. After reinstalling Cygwin several times and trial and error with changing file and folder permissions and ownership, I indeed found that users who are not members of the Administrators group can gain access via ssh/sftp.
However, this requires tweaking of the permissions and ownership from a Cygwin shell:

SOLUTION

1) User X must have a /home/X folder which they own, with rwx permissions for themselves.

    $ ls -l /home
    total 0
    drwx------+ 3 Administrator None 0 Oct 30 18:35 Administrator
    drwx------+ 2 X             None 0 Oct 30 18:40 X

2) Users must have access to the passwd, group, profile and profile.d files and folders in /etc. In fact I ended up giving full access rights to users to all files and folders in /etc except the ssh* key and config files.

    $ ls -l etc
    total 204
    ...
    -rwxrwxr-x+ 1 Administrator Users   14 Oct 28 18:41 ftpusers
    -rwxrwxr-x+ 1 Administrator Users   49 Oct 28 18:41 ftpwelcome
    ...
    -rwxrwx---+ 1 Administrator Users 1692 Oct 29 18:39 group
    -rwxrwx---+ 1 Administrator Users 1385 Oct 29 18:38 passwd
    ...
    -rwxrwx---+ 1 Administrator Users 6530 Oct 28 18:41 profile
    drwxrwx---+ 2 Administrator Users    0 Oct 28 18:39 profile.d
    ...

3) Users need full access rights to execute the .exe files in /bin, /usr/bin and /usr/sbin (it seems to me now that chmod 770 would have been sufficient):

    $ ls -l /usr/sbin/
    total 897
    ...
    -rwxrwxrwx+ 1 Administrator Users  46592 Apr 19  2005 in.ftpd.exe
    ...
    -rwxrwxrwx+ 1 Administrator Users  29184 Jul  5 23:30 sftp-server.exe
    -rwxrwxrwx+ 1 Administrator Users 130048 Jul  5 23:30 ssh-keysign.exe
    -rwxrwxrwx+ 1 Administrator Users 267776 Jul  5 23:30 sshd.exe

POST SCRIPTUM

Please review the information under 1-3, and if this is useful I would welcome the maintainers of Cygwin to include something along these lines in the documentation. Hopefully this saves some time for others who apparently were looking for the same.

With best regards,
Theo

--
Ericsson Research, Service Layer Technologies
KI/EAB/TGB, SE-164 80 Kista, Sweden
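The three conditions under 1-3, as an added audit script that is not part of Theo's post: it checks one user's home folder, the named /etc entries and the sshd binaries, using GNU stat as shipped with Cygwin. The function names, the optional prefix argument (so the checks can run against a constructed tree) and the choice of which binaries to check are my own assumptions.

```shell
#!/bin/sh
# Audit the three conditions from the post for user $1. $2 is an optional
# prefix so the checks can run against a constructed tree instead of the
# live /home, /etc and /usr/sbin. Prints one line per failed check and
# returns 1 if anything failed, 0 otherwise. Uses GNU stat (Cygwin ships it).
audit_cygwin_sshd_perms() {
    user=$1; prefix=${2:-}; rc=0
    home="$prefix/home/$user"
    # 1) a home folder the user owns, with rwx for the owner
    if [ -d "$home" ]; then
        owner=$(stat -c %U "$home"); perm=$(stat -c %A "$home")
        [ "$owner" = "$user" ] || { echo "FAIL: $home owned by $owner, not $user"; rc=1; }
        case $perm in ?rwx*) ;; *) echo "FAIL: $home is $perm, owner needs rwx"; rc=1 ;; esac
    else
        echo "FAIL: $home does not exist"; rc=1
    fi
    # 2) passwd, group, profile and profile.d readable by the group
    #    (the post grants the Users group access to these)
    for f in passwd group profile profile.d; do
        p="$prefix/etc/$f"
        if [ -e "$p" ]; then
            perm=$(stat -c %A "$p")
            case $perm in ????r*) ;; *) echo "FAIL: $p is $perm, group needs read"; rc=1 ;; esac
        else
            echo "FAIL: $p does not exist"; rc=1
        fi
    done
    # 3) the sshd binaries executable by the group (post: chmod 770 suffices)
    for b in sshd.exe sftp-server.exe ssh-keysign.exe; do
        p="$prefix/usr/sbin/$b"
        if [ -e "$p" ]; then
            perm=$(stat -c %A "$p")
            case $perm in ??????x*) ;; *) echo "FAIL: $p is $perm, group needs execute"; rc=1 ;; esac
        else
            echo "FAIL: $p does not exist"; rc=1
        fi
    done
    return $rc
}

# Build a constructed (not real) tree under $1 for user $2 that satisfies
# all three checks; used to exercise the audit without touching a live system.
make_demo_tree() {
    root=$1; user=$2
    mkdir -p "$root/home/$user" "$root/etc/profile.d" "$root/usr/sbin"
    chmod 700 "$root/home/$user"; chmod 770 "$root/etc/profile.d"
    for f in passwd group profile; do : > "$root/etc/$f"; chmod 660 "$root/etc/$f"; done
    for b in sshd.exe sftp-server.exe ssh-keysign.exe; do
        : > "$root/usr/sbin/$b"; chmod 770 "$root/usr/sbin/$b"
    done
}
```

On a live Cygwin install, run `audit_cygwin_sshd_perms X` with no prefix to check user X against the real /home, /etc and /usr/sbin.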