From: Doug Lim
Date: Sun, 19 Jul 2009 22:44:27 -0500
To: cygwin AT cygwin DOT com
Subject: Re: OpenSSH - sftp not working for non-Administrator users
Message-ID: <4A63E81B.7090403@tigroup-usa.com>
In-Reply-To: <4A63E12B.4020205@tigroup-usa.com>

Doug Lim wrote:
> Christopher Faylor wrote:
>> On Sun, Jul 19, 2009 at 08:50:47PM -0500, Doug Lim wrote:
>>
>>> After a bit more research on the problem, I found a discussion
>>> thread on the web discussing a similar problem from 2006. The
>>> difference is that the thread discusses scp connections dropping
>>> immediately after non-administrator authentication.
>>>
>>> http://winscp.net/forum/viewtopic.php?t=3782
>>>
>>> A response to a thread from March of this year indicates that
>>> copying all of the DLL files from cygwin\usr\bin to cygwin\usr\sbin
>>> as a workaround. I've copied the DLL files on my server per the
>>> workaround and now non-administrator users are able to use sftp.
>>>
>>> I've attached a copy of cygcheck.out from the server where this is
>>> happening.
>>>
>>
>> That sounds like a pretty workaround.
>>
>> Just setting the PATH to include cygwin's bin directory is likely to
>> work better. I know that someone in that thread said that they did that
>> already but I'm not convinced that they really knew what they were
>> doing.
>>
>> cgf
>>
>> --
>> Problem reports:       http://cygwin.com/problems.html
>> FAQ:                   http://cygwin.com/faq/
>> Documentation:         http://cygwin.com/docs.html
>> Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple
>>
>
> Except, cygwin\bin was already in the path as indicated in the
> cygcheck.out I attached. It doesn't explain why users belonging to the
> Local Administrators group would be able to maintain an SFTP
> connection while non-Administrators would get dropped immediately
> following authentication.
>
> I just reconfirmed. I left cygwin\bin in the path and took the DLLs
> back out of cygwin\usr\sbin. Non-Administrator users are again dropped
> immediately after authentication.
>
> Here's the sftp debug output with the DLLs removed from
> cygwin\usr\sbin on the server
>
> dlim@vorlon ~
> $ sftp -v @
> Connecting to ...
> OpenSSH_5.2p1, OpenSSL 0.9.8k 25 Mar 2009
> debug1: Reading configuration data /etc/ssh/ssh_config
> debug1: Connecting to [xx.xx.xx.xx] port 22.
> debug1: Connection established.
> debug1: identity file /home/dlim/.ssh/id_rsa type -1
> debug1: identity file /home/dlim/.ssh/id_dsa type -1
> debug1: Remote protocol version 2.0, remote software version OpenSSH_5.1
> debug1: match: OpenSSH_5.1 pat OpenSSH*
> debug1: Enabling compatibility mode for protocol 2.0
> debug1: Local version string SSH-2.0-OpenSSH_5.2
> debug1: SSH2_MSG_KEXINIT sent
> debug1: SSH2_MSG_KEXINIT received
> debug1: kex: server->client aes128-ctr hmac-md5 none
> debug1: kex: client->server aes128-ctr hmac-md5 none
> debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
> debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
> debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
> debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
> debug1: Host '' is known and matches the RSA host key.
> debug1: Found key in /home/dlim/.ssh/known_hosts:21
> debug1: ssh_rsa_verify: signature correct
> debug1: SSH2_MSG_NEWKEYS sent
> debug1: expecting SSH2_MSG_NEWKEYS
> debug1: SSH2_MSG_NEWKEYS received
> debug1: SSH2_MSG_SERVICE_REQUEST sent
> debug1: SSH2_MSG_SERVICE_ACCEPT received
> debug1: Authentications that can continue: publickey,password,keyboard-interactive
> debug1: Next authentication method: publickey
> debug1: Trying private key: /home/dlim/.ssh/id_rsa
> debug1: Trying private key: /home/dlim/.ssh/id_dsa
> debug1: Next authentication method: keyboard-interactive
> debug1: Authentications that can continue: publickey,password,keyboard-interactive
> debug1: Next authentication method: password
> @'s password:
> debug1: Authentication succeeded (password).
> debug1: channel 0: new [client-session]
> debug1: Requesting no-more-sessions@openssh.com
> debug1: Entering interactive session.
> debug1: Sending subsystem: sftp
> debug1: client_input_channel_req: channel 0 rtype exit-status reply 0
> debug1: client_input_channel_req: channel 0 rtype eow@openssh.com reply 0
> debug1: channel 0: free: client-session, nchannels 1
> debug1: fd 0 clearing O_NONBLOCK
> Transferred: sent 1584, received 2104 bytes, in 1.6 seconds
> Bytes per second: sent 991.7, received 1317.2
> debug1: Exit status 128
> Connection closed
>

More information about the problem. Having to copy all of the DLLs from
cygwin\bin to cygwin\usr\sbin is overkill. I started removing DLL copies
from cygwin\usr\sbin until non-admin users started getting dropped from
sftp after authentication. I was able to remove all of the DLLs except
cygwin1.dll. As soon as I removed cygwin1.dll from cygwin\usr\sbin
non-admin users started getting dropped from sftp sessions immediately
after authentication again.
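
Added example (not part of the original message or of OpenSSH): a small triage helper that reads `sftp -v` client output like the trace quoted above and reports the stage at which the session ended, separating an authentication failure from a server-side subsystem process that exited after login. The function name, stage labels and the embedded sample (a constructed excerpt of the trace above) are assumptions of this example.

```python
import re

# Constructed sample: an excerpt of the client trace quoted in the message above.
SAMPLE_TRACE = """\
debug1: Authentication succeeded (password).
debug1: channel 0: new [client-session]
debug1: Entering interactive session.
debug1: Sending subsystem: sftp
debug1: client_input_channel_req: channel 0 rtype exit-status reply 0
debug1: channel 0: free: client-session, nchannels 1
debug1: Exit status 128
Connection closed
"""

def classify_sftp_trace(trace):
    """Return (stage, exit_status) for the point where an `sftp -v` run ended."""
    authed = False
    subsystem = None
    remote_exit_seen = False
    exit_status = None
    for raw in trace.splitlines():
        # Accept mail-quoted traces by dropping leading '>' quote markers.
        line = re.sub(r"^(?:>\s*)+", "", raw).strip()
        if line.startswith("debug1: Authentication succeeded"):
            authed = True
        elif m := re.match(r"debug1: Sending subsystem: (\S+)", line):
            subsystem = m.group(1)
        elif "rtype exit-status" in line:
            # The server reported that the process behind the channel exited.
            remote_exit_seen = True
        elif m := re.match(r"debug1: Exit status (-?\d+)", line):
            exit_status = int(m.group(1))
    if not authed:
        stage = "failed-before-or-during-authentication"
    elif subsystem is None:
        stage = "authenticated-no-subsystem-request"
    elif remote_exit_seen and exit_status not in (None, 0):
        # Login worked; the subsystem process on the server exited non-zero.
        stage = "subsystem-process-exited-on-server"
    elif exit_status == 0:
        stage = "clean-exit"
    else:
        stage = "dropped-without-remote-exit-status"
    return stage, exit_status

if __name__ == "__main__":
    print(classify_sftp_trace(SAMPLE_TRACE))
```

A result of `subsystem-process-exited-on-server` points the investigation at the server account's environment for the subsystem binary rather than at credentials or key exchange.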