Message-ID: <43BB3E4A.AEBE650B@dessent.net>
Date: Tue, 03 Jan 2006 19:17:30 -0800
From: Brian Dessent
To: cygwin AT cygwin DOT com
Subject: Re: Using sshd on Windows 2000 with public keys

"McCann, Brian" wrote:

> Hi all. I've been fighting this for some time now, and I can't find a
> solid fix to make this work. I'm running Cygwin under Windows 2000, and
> I'm trying to set up ssh using key authentication. The auth part works
> fine, but when I try to run commands that require rights inside Windows,
> it fails (like iisreset).

This is covered in the FAQ somewhere I think. Windows requires the
user's password in order to do true user context switching. So when you
log on using public key auth, Cygwin can only partially impersonate the
user account. Things such as protected network shares will not work.
There's no way around this short of using password authentication,
because it's a fundamental Windows requirement that the token contain
the password.

> I've discovered that I need to have sshd run
> as another user, like Administrator or something, so I did that by
> changing who the service runs as and setting file permissions and
> ownerships accordingly, and that fixed the problem for the Administrator
> account. But, when another user tries to log in, it disconnects right
> away. In the event log, I see "setreuid 1014: Permission denied.".
> I've found the fix for Windows 2003, which involves granting the user
> the service runs as the "Change a process-level token" permission, but
> that does not exist under Windows 2000. I can't find a fix for this for
> 2000. Is there such a thing? Does anyone have any ideas that could
> help me out?

You should be able to use editrights to assign the necessary
privileges. Read /usr/share/doc/Cygwin/*openssh* and the contents of
/usr/bin/ssh-host-config.

Brian