Message-ID: <44622D6F.2090303@cygwin.com>
Date: Wed, 10 May 2006 14:14:07 -0400
From: "Larry Hall (Cygwin)"
To: cygwin AT cygwin DOT com
Subject: Re: ssh to 2003 server exist immediately

Andrew DeFaria wrote:
> Larry Hall (Cygwin) wrote:
>> Andrew DeFaria wrote:
>>> I'm trying to set up ssh access to a Windows 2003 server. I am having
>>> a problem in that when I ssh to this server it immediately exits and
>>> I find the following in /var/log/sshd.log:
>>>
>>>       5 [main] sshd 12912 C:\Cygwin\usr\sbin\sshd.exe: *** fatal error
>>> - could not load ws2_32, Win32 error 0
>>>
>>> Forgive me I did do some research about setting up ssh on a 2003
>>> server and I believe I'm very close to having it set up correctly
>>> but I'm still missing something. I created a local sshd_server user
>>> and added things like "Act as part of the operating system", "Replace
>>> process level token", etc. I did not see a setting for "Increase
>>> quota". Note that I am using a local sshd_server user (i.e.
>>> \sshd_server) as the logon for the sshd service. I don't
>>> believe I'm using privilege separation.
>>>
>>> I had to use mmc and a Group Policy editor for the domain to add this
>>> local user into the rights at the domain level before this would
>>> work. Still when I try to ssh in I get a password prompt but after
>>> that the above gets written into the sshd.log and the prompt returns.
>>>
>>> Note that I also use this local sshd_server user for inetd so that
>>> rsh can and does work. Insecure I know and I'd like to switch this
>>> client over to using all ssh but I gotta get it working for them.
>>>
>>> Thanks in advance.
>> Why not use ssh-host-config to set up sshd? It will create
>> sshd_server for you in the proper way.
> I did! sshd_server would not have been my choice of a username had I
> done this by hand (the user daemon comes to mind). However that was not
> working. This is a domain environment so the sshd_server user could be
> \sshd_server or \sshd_server. I don't think I
> have enough privilege to add a domain user so I made it a local user.
>
> Plus I believe that domain policies did not allow me to modify the user
> rights of this local user. (From memory) I believe I went into mmc and
> added the Group Policy Editor snapin then attempted to add the local
> sshd_server to the users that have say "Act as part of the operating
> system" rights but the add button was grayed out. Last night while
> trying again I noticed I could add Domain Group Policy snapin and much
> to my surprise I was able to add the \sshd_server user to
> the "Act as part of operating system" and "replace process level token"
> lists. Again I didn't see an "Increase quota". This got inetd and rsh
> working but ssh still produces an error.
>
> Actually, assuming I can create say a domain "daemon" user for use with
> sshd and inetd, etc., would it be better to do this at the domain level?
> I would like to allow others in the domain to set up ssh or inetd with
> the rights to SU...

No tweaking of the permissions for sshd_server is necessary and it's not
required to add sshd_server to any other users to get things to work.
sshd_server is a local user created to run the service and nothing else.
To login via 'ssh' with a domain user, just make sure the domain user is
in your '/etc/passwd' file and your '/etc/group' file contains the proper
domain groups. See 'man mkpasswd' and 'man mkgroup' if these users and
groups are not already in these files.

--
Larry Hall                              http://www.rfk.com
RFK Partners, Inc.                      (508) 893-9779 - RFK Office
838 Washington Street                   (508) 893-9889 - FAX
Holliston, MA 01746
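
The check described in the reply above (the login user must appear in '/etc/passwd' and its group in '/etc/group') can be scripted. This is an added example, not part of the original message or of Cygwin; the function names, the sample accounts and the EXAMPLE domain are constructed, and it assumes a Cygwin installation that reads accounts from these two files, as the message describes. It checks the primary group only.

```shell
#!/bin/sh
# Added example (not from the original message). Checks that an account has
# an entry in the passwd file and that its primary gid resolves in the group
# file. Returns 0 = ok, 1 = no passwd entry, 2 = primary gid not in group file.
check_ssh_account() {
    user=$1
    passwd_file=${2:-/etc/passwd}
    group_file=${3:-/etc/group}

    # passwd format: name:password:uid:gid:gecos:home:shell
    gid=$(awk -F: -v u="$user" '$1 == u { print $4; exit }' "$passwd_file")
    if [ -z "$gid" ]; then
        echo "$user: no entry in $passwd_file (see 'man mkpasswd')" >&2
        return 1
    fi

    # group format: name:password:gid:members
    group=$(awk -F: -v g="$gid" '$3 == g { print $1; exit }' "$group_file")
    if [ -z "$group" ]; then
        echo "$user: gid $gid not in $group_file (see 'man mkgroup')" >&2
        return 2
    fi

    echo "$user: ok, primary group $group (gid $gid)"
}

# Constructed sample files; the accounts, ids and EXAMPLE domain are made up.
write_sample_files() {
    cat > "$1/passwd" <<'EOF'
sshd_server:unused:1005:513:U-HOST\sshd_server:/var/empty:/bin/false
adoe:unused:11001:10513:U-EXAMPLE\adoe:/home/adoe:/bin/bash
bsmith:unused:11002:10999:U-EXAMPLE\bsmith:/home/bsmith:/bin/bash
EOF
    cat > "$1/group" <<'EOF'
None:unused:513:
Domain Users:unused:10513:
EOF
}

# Demo: adoe passes, bsmith lacks a group entry, cjones lacks a passwd entry.
demo_dir=$(mktemp -d)
write_sample_files "$demo_dir"
for u in adoe bsmith cjones; do
    check_ssh_account "$u" "$demo_dir/passwd" "$demo_dir/group" || true
done
rm -rf "$demo_dir"
```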