From: Carsten DOT Porzler AT spb DOT de
To: cygwin AT cygwin DOT com
Date: Thu, 21 Jan 2010 17:10:32 +0100
Subject: Cygwin/OpenSSH V.5.3: Key authentication does not work under Windows 2008: Problem is solved now!!!
Message-ID: <4426_1264090236_4B587C7C_4426_313_1_OF6D70C15D.A621C2E3-ONC12576B2.00585C7B-C12576B2.0058DAC7@nbg.sdv.spb.de>
In-Reply-To: <16301_1264086092_4B586C4C_16301_305990_2_OF11708682.5FB599E5-ONC12576B2.0050FA30-C12576B2.00528821@nbg.sdv.spb.de>

Dear Cygwin Community,

my problem described is solved now. The change to Windows Server 2003 is the fact that the OpenSSHd Server service must run under a user account; the SYSTEM account is not enough! The chosen user account must have the following privileges:

  Create a token object
  Logon as a service
  Replace a process level token
  Increase Quota

It does not work if you give the SYSTEM account all the rights! This behaviour was described in the year 2007 in a "CopSSH" forum. No further investigation is needed.

Thanks and best regards

Carsten Porzler

cygwin-owner AT cygwin DOT com wrote on 21.01.2010 16:01:28:

> [Image removed]
>
> Cygwin/OpenSSH V.5.3: Key authentication does not work under Windows 2008...
>
> Carsten.Porzler  to: cygwin  21.01.2010 16:01
> Sent by: cygwin-owner AT cygwin DOT com
>
> Dear Cygwin experts,
>
> we installed Cygwin/OpenSSH V.5.3
>
> CYGWIN_NT-6.1-WOW64 d00atq49 1.7.1(0.218/5/3) 2009-12-07 11:48 i686 Cygwin
> OpenSSH_5.3p1, OpenSSL 0.9.8l 5 Nov 2009
>
> on a Windows 2008 64-bit system.
>
> Unfortunately the key authentication does not work. The connection
> initiation interrupts on server side with the following errors: seteuid
> : Permission denied
>
> debug1: userauth-request for user testuser01 service ssh-connection method none
> debug1: attempt 0 failures 0
> debug3: Trying to reverse map address 10.2.240.11.
> debug2: parse_server_config: config reprocess config len 229
> debug2: input_userauth_request: setting up authctxt for testuser01
> debug2: input_userauth_request: try method none
> Failed none for testuser01 from 10.2.240.11 port 2467 ssh2
> debug3: Wrote 80 bytes for a total of 1549
> debug1: userauth-request for user testuser01 service ssh-connection method publickey
> debug1: attempt 1 failures 0
> debug2: input_userauth_request: try method publickey
> debug1: test whether pkalg/pkblob are acceptable
> debug1: temporarily_use_uid: 1011/513 (e=18/544)
> seteuid 1011: Permission denied
> debug1: do_cleanup
>
> The password authentication with the same user on the same server works
> fine.
>
> The OpenSSHd service is running under system account. The file
> cyglsa64.dll is loaded from the registry key
> "HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Authentication Packages".
>
> The public key file is owned by the user "testuser01", to which I want to
> switch, and is readable for group and all others.
>
> The OpenSSHd service is running without Privilege Separation (we also
> tried this in the meantime, but it fails, too). It's the same configuration as we
> have used for years on our Windows Server 2003 systems (32-bit).
>
> What can be the reason(s) for this behaviour?
>
> Thanks for help in advance and
>
> best regards
>
> Carsten Porzler
>
> --
> Problem reports: http://cygwin.com/problems.html
> FAQ: http://cygwin.com/faq/
> Documentation: http://cygwin.com/docs.html
> Unsubscribe info: http://cygwin.com/ml/#unsubscribe-simple
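
An added example, not part of the original message: a POSIX shell check that reports which of the four rights named in the reply an account is missing, plus a matcher for the `seteuid ...: Permission denied` failure in the quoted sshd debug output. It assumes Cygwin's `editrights -l -u ACCOUNT` prints the account's rights as whitespace-separated constants; the function names, the script name and the mapping from the message's display names to `Se*` constants belong to this example.

```shell
#!/bin/sh
# Added example (not from the original message).
# The four rights named in the message, as Windows user-right constants:
#   Create a token object           -> SeCreateTokenPrivilege
#   Logon as a service              -> SeServiceLogonRight
#   Replace a process level token   -> SeAssignPrimaryTokenPrivilege
#   Increase Quota                  -> SeIncreaseQuotaPrivilege
REQUIRED_RIGHTS="SeCreateTokenPrivilege SeServiceLogonRight SeAssignPrimaryTokenPrivilege SeIncreaseQuotaPrivilege"

# stdin:  rights held by an account, separated by spaces, tabs or (CR)LF.
#         Assumption: this is the form `editrights -l -u ACCOUNT` prints.
# stdout: the required rights that are absent, space-separated (empty if none).
missing_rights() (
    held=$(tr -s ' \t\r' '\n\n\n')
    missing=""
    for r in $REQUIRED_RIGHTS; do
        # -x -F: whole-line literal match, so SeFoo never matches SeFooBar.
        printf '%s\n' "$held" | grep -qxF -- "$r" || missing="$missing $r"
    done
    printf '%s\n' "${missing# }"
)

# stdin: sshd debug output. Succeeds if it contains the failure shown in the
# quoted log, where sshd cannot switch to the target user's uid.
has_seteuid_denied() {
    grep -Eq '^seteuid [0-9]+: Permission denied'
}

# Live use on a Cygwin host: sh check_rights.sh ACCOUNT  (script name is hypothetical)
if [ "$#" -ge 1 ] && command -v editrights >/dev/null 2>&1; then
    m=$(editrights -l -u "$1" | missing_rights)
    if [ -z "$m" ]; then
        echo "$1 holds all four rights"
    else
        echo "$1 is missing: $m"
    fi
fi
```

Run it against the account the sshd service is configured to log on as, not against the user being logged in to.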