X-Spam-Check-By: sourceware.org
Date: Mon, 13 Aug 2007 13:29:30 +0200
From: Corinna Vinschen <corinna-cygwin AT cygwin DOT com>
To: cygwin AT cygwin DOT com
Subject: Re: "/bin/bash: permission denied" on WinXP 2003 x64 solved (privilege  problem)
Message-ID: <20070813112930.GB17084@calimero.vinschen.de>
Reply-To: cygwin AT cygwin DOT com
Mail-Followup-To: cygwin AT cygwin DOT com
References: <f9p9if$rqb$1 AT sea DOT gmane DOT org>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <f9p9if$rqb$1@sea.gmane.org>
User-Agent: Mutt/1.4.2.2i
Mailing-List: contact cygwin-help AT cygwin DOT com; run by ezmlm
Precedence: bulk
List-Id: <cygwin.cygwin.com>
List-Unsubscribe: <mailto:cygwin-unsubscribe-archive-cygwin=delorie DOT com AT cygwin DOT com>
List-Subscribe: <mailto:cygwin-subscribe AT cygwin DOT com>
List-Archive: <http://sourceware.org/ml/cygwin/>
List-Post: <mailto:cygwin AT cygwin DOT com>
List-Help: <mailto:cygwin-help AT cygwin DOT com>, <http://sourceware.org/ml/#faqs>
Sender: cygwin-owner AT cygwin DOT com
Mail-Followup-To: cygwin AT cygwin DOT com
Delivered-To: mailing list cygwin AT cygwin DOT com

On Aug 13 02:51, Brian Kasper wrote:
> I've been having a hard time getting sshd to accept logins on a Windows
> XP 2003 x64 box.  The problems ranged from the error mentioned in the
> subject line ("/bin/bash: permission denied" appearing during logins) to
> silent failures during password authentication, during which the ssh
> connection would simply be closed by the instance of Cygwin sshd running
> on my machine.
> 
> I was seeing errors in the system event log, but unfortunately I'm not
> very experienced with Windows security, so I wasn't understanding what I
> was seeing.

When you set up a server it makes a lot of sense trying to understand
Windows security.  Besides of books, I would suggest to have a look
into the MSDN library.  For instance, a description of the privileges
is given here: http://msdn2.microsoft.com/en-us/library/bb530716.aspx

> As it turns out, all my problems were caused by the fact that the
> sshd_server user being created by the ssh-host-config script was not
> being given all the required privileges.

This is weird.  The ssh-host-config script usually makes sure that
the sshd_server user got all required privileges.  See the script
at line 517ff.

> I'm not sure why, but I found
> an online description of the rights required by sshd_server and used the
> "editrights" utility to grant them.

You really wouldn't have needed an online description.  The script
contains all of them ;)

> In case the information helps anyone else, here is a list of the
> privileges that the sshd_server user appears to need:
> 
> SeIncreaseQuotaPrivilege
> SeTcbPrivilege
> SeAssignPrimaryTokenPrivilege
> SeCreateTokenPrivilege
> SeServiceLogonRight
> SeDenyInteractiveLogonRight
> SeDenyNetworkLogonRight
> SeDenyRemoteInteractiveLogonRight
> 
> To determine which privileges sshd_server has on your system, use this
> command:
> 
> editrights -u sshd_server -l
> 
> And here are the commands necessary to grant the above privileges to
> sshd_server:
> [...]

As I said, see /bin/ssh-host-config, lines 517ff.  The Deny-"rights" are
obviously not necessary.  They are just used to secure the account
against malusage.


Corinna

-- 
Corinna Vinschen                  Please, send mails regarding Cygwin to
Cygwin Project Co-Leader          cygwin AT cygwin DOT com
Red Hat

--
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple
Problem reports:       http://cygwin.com/problems.html
Documentation:         http://cygwin.com/docs.html
FAQ:                   http://cygwin.com/faq/