X-Recipient: archive-cygwin AT delorie DOT com
X-Spam-Check-By: sourceware.org
Message-ID: <4926046C.2020203@cygwin.com>
Date: Thu, 20 Nov 2008 19:44:28 -0500
From: "Larry Hall (Cygwin)" <reply-to-list-only-lh AT cygwin DOT com>
Reply-To: cygwin AT cygwin DOT com
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.1.17) Gecko/20080925 Remi/2.0.0.17-1.fc8.remi Lightning/0.9 Thunderbird/2.0.0.17 Mnenhy/0.7.5.0
MIME-Version: 1.0
To: cygwin AT cygwin DOT com
Subject: Re: Run OpenSSH service with Local System Account
References: <b85eaed70811201537w76b76afbmab523c28c07182ab AT mail DOT gmail DOT com> 	 <4925F75A DOT 2090805 AT cygwin DOT com> <b85eaed70811201617w4277b4cbhf13cecda5e1d947f AT mail DOT gmail DOT com>
In-Reply-To: <b85eaed70811201617w4277b4cbhf13cecda5e1d947f@mail.gmail.com>
Content-Type: text/plain; charset=UTF-8; format=flowed
Content-Transfer-Encoding: 7bit
Mailing-List: contact cygwin-help AT cygwin DOT com; run by ezmlm
List-Id: <cygwin.cygwin.com>
List-Subscribe: <mailto:cygwin-subscribe AT cygwin DOT com>
List-Archive: <http://sourceware.org/ml/cygwin/>
List-Post: <mailto:cygwin AT cygwin DOT com>
List-Help: <mailto:cygwin-help AT cygwin DOT com>, <http://sourceware.org/ml/#faqs>
Sender: cygwin-owner AT cygwin DOT com
Mail-Followup-To: cygwin AT cygwin DOT com
Delivered-To: mailing list cygwin AT cygwin DOT com

William Zhang wrote:
> Thank you Larry! Please see my comment below.
> 
> On Thu, Nov 20, 2008 at 3:48 PM, Larry Hall (Cygwin)
> <blah-blah-blah> wrote:
    ^^^^^^^^^^^^^^
<http://cygwin.com/acronyms/#PCYMTNQREAIYR>.  Thanks.
>> Why do you believe that you can set this Local System Account to interact
>> with the desktop but not cyg_server?
> 
> In the Windows Services property Log On page, we have two option for
> the service to run as:
> One is to use Local System Account.  When this option is selected, you
> have the "allow service to interact with desktop" enabled.
> The second option is to use an account you specified but "allow
> service to interact with desktop" option is disabled when it is
> selected.

Ah yes.  I've gotten so used to the '-i' or 'cygrunsrv', which
'ssh-host-config' uses to configure the 'sshd' service that I forgot that
the check box isn't there in the GUI for any other user.  Regardless,
you can add it to 'ssh-host-config' if you want. Of course, this ability
is disabled in Vista and Longhorn according to 'cygrunsrv' so I don't
think this will help for 2008 (and maybe 2003?)

>> By this you mean specifically what?  Perhaps you should provide the
>> output you get and/or you should run 'ssh -v -v -v' to get some insight
>> as to where it chokes.
> 
> When the ssh-host-config script ask if i want to create a cyg_server
> user, I answer no so it defaults to use the system local account.
> Below are the debug output and it failed at
> ssh_exchange_identification. I guess the cyg_server account is used to
> handle ssh_exchange_identification on windows 2003. 

cyg_server is the account used to start services, 'sshd' in this case.
It has no direct association to ssh_exchange_identificatton.

> Can I work around
> this with the local system account?

Authentication hasn't started yet so I doubt the account makes much
difference.  But I see nothing wrong with trying it.  My guess is
you're going to need to start a debug server session to get better
insight.  At least that's what I would do.

> $ ssh -v -v -v localhost
> OpenSSH_5.1p1, OpenSSL 0.9.8h 28 May 2008
> debug1: Reading configuration data /etc/ssh_config
> debug2: ssh_connect: needpriv 0
> debug1: Connecting to localhost [127.0.0.1] port 22.
> debug1: Connection established.
> debug1: identity file /home/root/.ssh/identity type -1
> debug1: identity file /home/root/.ssh/id_rsa type -1
> debug1: identity file /home/root/.ssh/id_dsa type -1
> ssh_exchange_identification: Connection closed by remote host
> 
>> If you don't care about using pubkey authetication and are fine with
>> typing in your Windows password each time you invoke 'ssh', you should
>> be able to use the Local System Account.
> 
> I don't want any user interaction during the automation test. Can the
> password be provided automatically?

No.  That's why there's public key.

-- 
Larry Hall                              http://www.rfk.com
RFK Partners, Inc.                      (508) 893-9779 - RFK Office
216 Dalton Rd.                          (508) 893-9889 - FAX
Holliston, MA 01746

_____________________________________________________________________

A: Yes.
 > Q: Are you sure?
 >> A: Because it reverses the logical flow of conversation.
 >>> Q: Why is top posting annoying in email?

--
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple
Problem reports:       http://cygwin.com/problems.html
Documentation:         http://cygwin.com/docs.html
FAQ:                   http://cygwin.com/faq/