To: cygwin AT cygwin DOT com
From: Andrew DeFaria
Subject: Re: ssh to 2003 server exist immediately
Date: Wed, 10 May 2006 19:36:57 -0700

Larry Hall (Cygwin) wrote:
> Andrew DeFaria wrote:
>> Larry Hall (Cygwin) wrote:
>>> Andrew DeFaria wrote:
>>>> I'm trying to set up ssh access to a Windows 2003 server. I am
>>>> having a problem in that when I ssh to this server it immediately
>>>> exits and I find the following in /var/log/sshd.log:
>>>>
>>>> 5 [main] sshd 12912 C:\Cygwin\usr\sbin\sshd.exe: *** fatal
>>>> error - could not load ws2_32, Win32 error 0
>>>>
>>>> Forgive me I did do some research about setting up ssh on a 2003
>>>> server and I believe I'm very close to having it set up correctly
>>>> but I'm still missing something. I created a local sshd_server user
>>>> and added things like "Act as part of the operating system",
>>>> "Replace process level token", etc. I did not see a setting for
>>>> "Increase quota". Note that I am using a local sshd_server user
>>>> (i.e. \sshd_server) as the logon for the sshd service. I
>>>> don't believe I'm using privilege separation.
>>>>
>>>> I had to use mmc and a Group Policy editor for the domain to add
>>>> this local user into the rights at the domain level before this
>>>> would work. Still when I try to ssh in I get a password prompt but
>>>> after that the above gets written into the sshd.log and the prompt
>>>> returns.
>>>>
>>>> Note that I also use this local sshd_server user for inetd so that
>>>> rsh can and does work. Insecure I know and I'd like to switch this
>>>> client over to using all ssh but I gotta get it working for them.
>>>>
>>>> Thanks in advance.
>>> Why not use ssh-host-config to set up sshd? It will create
>>> sshd_server for you in the proper way.
>> I did! sshd_server would not have been my choice of a username had I
>> done this by hand (the user daemon comes to mind). However that was
>> not working. This is a domain environment so the sshd_server user
>> could be \sshd_server or \sshd_server. I don't
>> think I have enough privilege to add a domain user so I made it a
>> local user.
>>
>> Plus I believe that domain policies did not allow me to modify the
>> user rights of this local user. (From memory) I believe I went into
>> mmc and added the Group Policy Editor snapin then attempted to add
>> the local sshd_server to the users that have say "Act as part of the
>> operating system" rights but the add button was grayed out. Last
>> night while trying again I noticed I could add Domain Group Policy
>> snapin and much to my surprise I was able to add the
>> server>\sshd_server user to the "Act as part of operating system" and
>> "replace process level token" lists. Again I didn't see an "Increase
>> quota". This got inetd and rsh working but ssh still produces an error.
>>
>> Actually, assuming I can create say a domain "daemon" user for use
>> with sshd and inetd, etc., would it be better to do this at the
>> domain level? I would like to allow others in the domain to set up
>> ssh or inetd with the rights to SU...
> No tweaking of the permissions for sshd_server is necessary and it's
> not required to add sshd_server to any other users to get things to
> work. sshd_server is a local user created to run the service and
> nothing else. To login via 'ssh' with a domain user, just make sure
> the domain user is in your '/etc/passwd' file and your '/etc/group'
> file contains the proper
> domain groups. See 'man mkpasswd' and 'man mkgroup' if these users
> and groups are not already in these files.

/etc/passwd and /etc/group are symlinks to a shared and up to date copy of the output of mkpasswd/mkgroup. That's not the issue.

As I understand it, for sshd (or in.rlogind) to "switch user" it needs special privileges. Indeed the documentation alludes to that. And until I added those permissions to the sshd_server user ssh/rsh would not work at all. (rsh, started from inetd that is as inetd was also logging on as the sshd_server user). Still, while rsh works, ssh refuses to work citing the error message above in /var/log/sshd.log.

IOW I can rsh and get in. I can also rsh and have run on (provided /etc/passwd on has a blank password for the user). However I cannot ssh . When I do so it prompts for the password then abruptly logs out with the only clue left in :/var/log/sshd.log.

--
A shark is the only fish that can blink with both eyes.