To: cygwin AT cygwin DOT com
From: Brian Kasper
Subject: "/bin/bash: permission denied" on WinXP 2003 x64 solved (privilege problem)
Date: Mon, 13 Aug 2007 02:51:19 -0700

I've been having a hard time getting sshd to accept logins on a Windows XP 2003 x64 box. The problems ranged from the error mentioned in the subject line ("/bin/bash: permission denied" appearing during logins) to silent failures during password authentication, during which the ssh connection would simply be closed by the instance of Cygwin sshd running on my machine.

I was seeing errors in the system event log, but unfortunately I'm not very experienced with Windows security, so I wasn't understanding what I was seeing. Corinna Vinschen gave me a pointer about the SeTcbPrivilege error I was seeing (thanks, Corinna!) which led me to investigate the privileges that were being given to the sshd_server user.

As it turns out, all my problems were caused by the fact that the sshd_server user being created by the ssh-host-config script was not being given all the required privileges. I'm not sure why, but I found an online description of the rights required by sshd_server and used the "editrights" utility to grant them. I then deleted my ~/.ssh directory (definitively to erase the known_hosts file), restarted sshd, and everything began to work perfectly.

Unfortunately, I neglected to record which privileges had been granted to the sshd_server user on my system before I started granting additional ones, but as far as I remember sshd_server only had 2 or so of the 8 privileges granted.

In case the information helps anyone else, here is a list of the privileges that the sshd_server user appears to need:

SeIncreaseQuotaPrivilege
SeTcbPrivilege
SeAssignPrimaryTokenPrivilege
SeCreateTokenPrivilege
SeServiceLogonRight
SeDenyInteractiveLogonRight
SeDenyNetworkLogonRight
SeDenyRemoteInteractiveLogonRight

To determine which privileges sshd_server has on your system, use this command:

editrights -u sshd_server -l

And here are the commands necessary to grant the above privileges to sshd_server:

editrights -a SeTcbPrivilege -u sshd_server
editrights -a SeAssignPrimaryTokenPrivilege -u sshd_server
editrights -a SeCreateTokenPrivilege -u sshd_server
editrights -a SeDenyInteractiveLogonRight -u sshd_server
editrights -a SeDenyNetworkLogonRight -u sshd_server
editrights -a SeDenyRemoteInteractiveLogonRight -u sshd_server
editrights -a SeIncreaseQuotaPrivilege -u sshd_server
editrights -a SeServiceLogonRight -u sshd_server

-B
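
Added example, not part of the original post: a shell audit that compares the output of "editrights -l -u sshd_server" against the eight rights listed above, reporting which are missing and which held rights are not on the list. It assumes editrights prints one right name per line; the function names and the sample input are constructed for illustration.

```shell
#!/bin/sh
# Rights the post lists as needed by sshd_server.
REQUIRED_RIGHTS="SeIncreaseQuotaPrivilege
SeTcbPrivilege
SeAssignPrimaryTokenPrivilege
SeCreateTokenPrivilege
SeServiceLogonRight
SeDenyInteractiveLogonRight
SeDenyNetworkLogonRight
SeDenyRemoteInteractiveLogonRight"

# Strip CRs and surrounding whitespace so Windows line endings do not
# break exact matching. Assumption: one right name per input line.
normalize() {
    tr -d '\r' | sed 's/^[[:space:]]*//; s/[[:space:]]*$//'
}

# Reads the account's current rights on stdin and prints each required
# right that is absent (these are the ones to grant with editrights -a).
missing_rights() {
    current=$(normalize)
    for right in $REQUIRED_RIGHTS; do
        printf '%s\n' "$current" | grep -qxF "$right" || printf '%s\n' "$right"
    done
}

# Reads the account's current rights on stdin and prints each held right
# that is not on the list, so unexpected grants to this highly
# privileged service account can be reviewed.
extra_rights() {
    normalize | while IFS= read -r right; do
        if [ -n "$right" ]; then
            printf '%s\n' "$REQUIRED_RIGHTS" | grep -qxF "$right" || printf '%s\n' "$right"
        fi
    done
}

# Constructed sample: an account holding only two of the eight rights.
sample_rights() {
    printf 'SeServiceLogonRight\r\nSeDenyInteractiveLogonRight\r\n'
}

echo "Missing from constructed sample:"
sample_rights | missing_rights

# On a real system:
#   editrights -l -u sshd_server | missing_rights
#   editrights -l -u sshd_server | extra_rights
```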