From: "Larry Hall (Cygwin)"
Date: Fri, 12 May 2006 22:21:17 -0400
To: cygwin AT cygwin DOT com
Subject: Re: ssh to 2003 server exist immediately
Message-ID: <4465429D.8080708@cygwin.com>
References: <4461FD21 DOT 3050606 AT cygwin DOT com> <44622D6F DOT 2090303 AT cygwin DOT com>

Andrew DeFaria wrote:
> Larry Hall (Cygwin) wrote:
>> Andrew DeFaria wrote:
>>> Larry Hall (Cygwin) wrote:
>>>> Andrew DeFaria wrote:
>>>>> I'm trying to set up ssh access to a Windows 2003 server. I am
>>>>> having a problem in that when I ssh to this server it immediately
>>>>> exits and I find the following in /var/log/sshd.log:
>>>>>
>>>>> 5 [main] sshd 12912 C:\Cygwin\usr\sbin\sshd.exe: *** fatal
>>>>> error - could not load ws2_32, Win32 error 0
>>>>>
>>>>> Forgive me, I did do some research about setting up ssh on a 2003
>>>>> server and I believe I'm very close to having it set up correctly,
>>>>> but I'm still missing something. I created a local sshd_server user
>>>>> and added things like "Act as part of the operating system",
>>>>> "Replace process level token", etc. I did not see a setting for
>>>>> "Increase quota". Note that I am using a local sshd_server user
>>>>> (i.e. \sshd_server) as the logon for the sshd service. I
>>>>> don't believe I'm using privilege separation.
>>>>>
>>>>> I had to use mmc and a Group Policy editor for the domain to add
>>>>> this local user into the rights at the domain level before this
>>>>> would work. Still, when I try to ssh in I get a password prompt, but
>>>>> after that the above gets written into the sshd.log and the prompt
>>>>> returns.
>>>>>
>>>>> Note that I also use this local sshd_server user for inetd so that
>>>>> rsh can and does work. Insecure, I know, and I'd like to switch this
>>>>> client over to using all ssh, but I gotta get it working for them.
>>>>>
>>>>> Thanks in advance.
>>>> Why not use ssh-host-config to set up sshd? It will create
>>>> sshd_server for you in the proper way.
>>> I did! sshd_server would not have been my choice of a username had I
>>> done this by hand (the user daemon comes to mind). However, that was
>>> not working. This is a domain environment, so the sshd_server user
>>> could be \sshd_server or \sshd_server. I don't
>>> think I have enough privilege to add a domain user, so I made it a
>>> local user.
>>>
>>> Plus I believe that domain policies did not allow me to modify the
>>> user rights of this local user. (From memory) I believe I went into
>>> mmc and added the Group Policy Editor snap-in, then attempted to add
>>> the local sshd_server to the users that have, say, "Act as part of the
>>> operating system" rights, but the add button was grayed out. Last
>>> night while trying again I noticed I could add the Domain Group Policy
>>> snap-in and, much to my surprise, I was able to add the
>>> <server>\sshd_server user to the "Act as part of operating system" and
>>> "replace process level token" lists. Again I didn't see an "Increase
>>> quota". This got inetd and rsh working, but ssh still produces an error.
>>>
>>> Actually, assuming I can create, say, a domain "daemon" user for use
>>> with sshd and inetd, etc., would it be better to do this at the
>>> domain level? I would like to allow others in the domain to set up
>>> ssh or inetd with the rights to SU...
>> No tweaking of the permissions for sshd_server is necessary and it's
>> not required to add sshd_server to any other users to get things to
>> work. sshd_server is a local user created to run the service and
>> nothing else. To login via 'ssh' with a domain user, just make sure
>> the domain user is in your '/etc/passwd' file and your '/etc/group'
>> file contains the proper domain groups. See 'man mkpasswd' and
>> 'man mkgroup' if these users and groups are not already in these files.
> /etc/passwd and /etc/group are symlinks to a shared and up to date copy
> of the output of mkpasswd/mkgroup. That's not the issue. As I understand
> it, for sshd (or in.rlogind) to "switch user" it needs special
> privileges. Indeed the documentation alludes to that. And until I added
> those permissions to the sshd_server user, ssh/rsh would not work at all.

But if you ran /bin/ssh-host-config and told it to create sshd_server
when it asked you to, it will add these rights automatically. There's no
need to do it yourself. Just take a look at /bin/ssh-host-config. The
calls to "editrights" in the section that handles the creation of the
sshd_server user/group specifically add the privileges that are
necessary to switch the user context on W2K3. If it failed to set these
permissions, you should have been warned.

> (rsh, started from inetd, that is, as inetd was also logging on as the
> sshd_server user). Still, while rsh works, ssh refuses to work, citing
> the error message above in /var/log/sshd.log. IOW I can rsh and
> get in. I can also rsh and have run on
> (provided /etc/passwd on has a blank password for the
> user). However I cannot ssh . When I do so it prompts for the
> password then abruptly logs out with the only clue left in
> :/var/log/sshd.log.

Well, you can always run the client and the server in debug mode and
track each one's progress. The server is always a little more helpful.

But if you can't figure out anything else, I'd go back and retry running
/bin/ssh-host-config after deleting the sshd_server user/group. Pay
close attention to what it says concerning sshd_server.

-- 
Larry Hall                              http://www.rfk.com
RFK Partners, Inc.                      (508) 893-9779 - RFK Office
838 Washington Street                   (508) 893-9889 - FAX
Holliston, MA 01746
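Larry's point that ssh-host-config grants the user-context-switching rights through "editrights" suggests a quick check before re-running the config script. The following POSIX sh script is an added example, not code from this thread or from Cygwin's ssh-host-config: it compares an account's rights listing against the three rights the thread names and reports which are missing. It assumes Cygwin's editrights tool with its `-u USER -l` listing form, the standard mapping of the display names to the SeTcbPrivilege, SeAssignPrimaryTokenPrivilege and SeIncreaseQuotaPrivilege constants, and a constructed sample listing for offline use.

```shell
#!/bin/sh
# Added example (not from the thread or from ssh-host-config): report
# which rights needed for switching user context are missing from a
# Cygwin sshd service account. Assumes the Cygwin 'editrights' tool.

# Rights the thread names, under their Windows constant names:
#   "Act as part of the operating system" -> SeTcbPrivilege
#   "Replace a process level token"       -> SeAssignPrimaryTokenPrivilege
#   "Increase quotas"                     -> SeIncreaseQuotaPrivilege
REQUIRED_RIGHTS="SeTcbPrivilege SeAssignPrimaryTokenPrivilege SeIncreaseQuotaPrivilege"

# missing_rights LISTING: print each required right absent from LISTING,
# where LISTING holds one right per line as 'editrights -u USER -l' prints.
missing_rights() {
    listing=$1
    for r in $REQUIRED_RIGHTS; do
        printf '%s\n' "$listing" | tr -d '\r' | grep -qx "$r" \
            || printf '%s\n' "$r"
    done
}

# check_user USER: query a real account with editrights and report.
# Returns 0 when all rights are present, 1 when some are missing,
# 2 when editrights itself failed (e.g. unknown account).
check_user() {
    user=$1
    listing=$(editrights -u "$user" -l) || return 2
    missing=$(missing_rights "$listing")
    if [ -n "$missing" ]; then
        printf 'Missing for %s:\n%s\n' "$user" "$missing"
        return 1
    fi
    printf 'All required rights present for %s\n' "$user"
}

# Constructed sample listing (not captured from a host): an account that
# was granted two of the three rights by hand, as in the thread.
SAMPLE_LISTING='SeAssignPrimaryTokenPrivilege
SeServiceLogonRight
SeTcbPrivilege'

if [ "$#" -gt 0 ]; then
    check_user "$1"          # e.g. ./check_rights.sh sshd_server
else
    missing_rights "$SAMPLE_LISTING"
fi
```

Run it with the account name as the argument on the Cygwin host; without an argument it evaluates the constructed sample and prints SeIncreaseQuotaPrivilege as missing.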