From: "Manel Rodero"
Subject: Which privileges are required by the ssh-host-config running user?
Date: Wed, 18 Jan 2006 15:34:08 +0100
Mailing-List: contact cygwin-help AT cygwin DOT com; run by ezmlm

Hello,

I've been deploying SSH to a lot of Windows Servers (2000 & 2003) successfully. I've created an unattended installation of cygwin and some scripts to run ssh-host-config and create the correct authorized_keys file in the local user we need to use public key authentication.

But, I have 4 servers where the script ssh-host-config fails because it can't chown /etc/ssh* files to SYSTEM. See this output:

---- snip ----
$ ssh-host-config -y -c "binmode tty ntsec" -w "SKkO5i37TUQXoBBtt24EZwMN6s"
Generating /etc/ssh_host_key
Generating /etc/ssh_host_rsa_key
Generating /etc/ssh_host_dsa_key
Generating /etc/ssh_config file
Privilege separation is set to yes by default since OpenSSH 3.3.
However, this requires a non-privileged account called 'sshd'.
For more info on privilege separation read /usr/share/doc/openssh/README.privsep .
Should privilege separation be used? (yes/no) yes
Warning: The following function requires administrator privileges!
Should this script create a local user 'sshd' on this machine? (yes/no) yes
Generating /etc/sshd_config file
Warning: The following functions require administrator privileges!
Do you want to install sshd as service?
(Say "no" if it's already installed as service) (yes/no) yes
The service has been installed under LocalSystem account.
To start the service, call `net start sshd' or `cygrunsrv -S sshd'.
chown: changing ownership of `/etc/ssh_config': Permission denied
chown: changing ownership of `/etc/ssh_host_dsa_key': Permission denied
chown: changing ownership of `/etc/ssh_host_dsa_key.pub': Permission denied
chown: changing ownership of `/etc/ssh_host_key': Permission denied
chown: changing ownership of `/etc/ssh_host_key.pub': Permission denied
chown: changing ownership of `/etc/ssh_host_rsa_key': Permission denied
chown: changing ownership of `/etc/ssh_host_rsa_key.pub': Permission denied
chown: changing ownership of `/etc/sshd_config': Permission denied
chown: changing ownership of `/var/empty': Permission denied
Host configuration finished. Have fun!
---- snip ----

The files have these permissions:

Administrator AT server ~
$ ls -l /etc/ssh*
-rwxr-xr-x 1 Administrator None 1292 Jan 18 13:44 /etc/ssh_config
-rw------- 1 Administrator None 1192 Jan 18 13:44 /etc/ssh_host_dsa_key
-rw-r--r-- 1 Administrator None 1121 Jan 18 13:44 /etc/ssh_host_dsa_key.pub
-rw------- 1 Administrator None  982 Jan 18 13:43 /etc/ssh_host_key
-rw-r--r-- 1 Administrator None  646 Jan 18 13:43 /etc/ssh_host_key.pub
-rw------- 1 Administrator None 1675 Jan 18 13:43 /etc/ssh_host_rsa_key
-rw-r--r-- 1 Administrator None  401 Jan 18 13:43 /etc/ssh_host_rsa_key.pub
-rw-r--r-- 1 Administrator None 2830 Jan 18 13:44 /etc/sshd_config

Administrator AT server ~
$ ls -l /var
total 0
drwxrwxrwx+ 3 Administrator Users 0 Jan 18 13:39 cache
drwxr-xr-x+ 2 Administrator None  0 Jan 18 13:43 empty
drwxrwxrwx+ 3 Administrator Users 0 Jan 18 13:39 lib
drwxrwxrwx+ 2 Administrator Users 0 Jan 18 13:43 log
drwxrwxrwx+ 2 Administrator Users 0 Jan 18 13:39 run
drwxrwxrwx+ 2 Administrator Users 0 Jan 18 13:39 tmp

In all servers I'm using the "Administrator" account.
The only difference between these 4 servers is that 2 of them are Domain Controllers and the other 2 are members of this domain. All of the servers where the ssh-host-config script works perfectly are standalone servers.

So the question is: Why can't the Administrator change/chown the owner of the /etc/ssh* files to SYSTEM?

Thank you very much!

--
 o o o  Manel Rodero                    | LCFIB - UPC
 o o o  Helpdesk Manager                | Campus Nord - Modul B6
 o o o  Laboratori de Calcul            | Jordi Girona, 1-3
 U P C  Facultat Informatica Barcelona  | 08034 Barcelona (Spain)
        manel AT fib DOT upc DOT edu    | Tel: +00 34 93 401 6940
        http://www.fib.upc.edu/~manel   | Fax: +00 34 93 401 7040
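As an added check that is not part of the original post: a small POSIX shell audit that reads an `ls -l` listing like the one above and flags sshd files that the failed chown step left owned by the wrong account or with loose modes. It assumes the intended owner (SYSTEM in the post) is passed as the first argument and that private host keys are the entries whose names end in `_key`.

```shell
#!/bin/sh
# Added check (not from the post): audit an `ls -l` listing of the sshd files
# and report anything the failed chown step left in the wrong state.
# Assumes $1 is the account that should own the files (SYSTEM in the post)
# and that private keys are the entries ending in "_key" (".pub" excluded).
check_ssh_owner() {
    want="$1"
    problems=$(awk -v want="$want" '
        NF < 9 { next }                      # skip "total 0" and blank lines
        {
            mode = $1; owner = $3; path = $NF
            perms = substr(mode, 2, 9)       # drop the type char and any "+"
            if (owner != want)
                printf "%s: owned by %s, expected %s\n", path, owner, want
            if (path ~ /_key$/ && perms != "rw-------")
                printf "%s: private key mode %s is too open\n", path, perms
            if (substr(perms, 5, 1) == "w" || substr(perms, 8, 1) == "w")
                printf "%s: group or world writable (%s)\n", path, mode
        }')
    [ -z "$problems" ] && return 0
    printf '%s\n' "$problems"
    return 1
}

# Constructed sample: the /etc/ssh* listing from the post, i.e. the state
# left behind when chown to SYSTEM fails.
SAMPLE_LISTING='-rwxr-xr-x 1 Administrator None 1292 Jan 18 13:44 /etc/ssh_config
-rw------- 1 Administrator None 1192 Jan 18 13:44 /etc/ssh_host_dsa_key
-rw-r--r-- 1 Administrator None 1121 Jan 18 13:44 /etc/ssh_host_dsa_key.pub
-rw------- 1 Administrator None 982 Jan 18 13:43 /etc/ssh_host_key
-rw-r--r-- 1 Administrator None 646 Jan 18 13:43 /etc/ssh_host_key.pub
-rw------- 1 Administrator None 1675 Jan 18 13:43 /etc/ssh_host_rsa_key
-rw-r--r-- 1 Administrator None 401 Jan 18 13:43 /etc/ssh_host_rsa_key.pub
-rw-r--r-- 1 Administrator None 2830 Jan 18 13:44 /etc/sshd_config'

# On a real host: ls -ld /etc/ssh* /var/empty | check_ssh_owner SYSTEM
printf '%s\n' "$SAMPLE_LISTING" | check_ssh_owner SYSTEM \
    || echo "ssh-host-config's chown step did not take effect"
```

Run it after ssh-host-config on each server; a clean exit status means every listed file is owned by the service account, no private key is readable by anyone else, and nothing is group- or world-writable.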