From: "Saxon, Will"
To: cygwin AT cygwin DOT com
Date: Fri, 25 Jun 2010 22:33:28 -0400
Subject: Followup re: ssh error
Message-ID: <4CA9EFBC87EEBF4189426E215F5DB7A8EEA555EA@NAMAIL02.gs.adinternal.com>

Hello,

I just joined the list because I am having the same or similar problems that Andrew DeFaria reported on 6/2:

http://www.mail-archive.com/cygwin AT cygwin DOT com/msg109042.html

I've read some other posts in the archive that suggest this might be a 1.7.x specific issue, but I also found the following post from 2008, with cygwin 1.5.25:

http://www.mail-archive.com/cygwin AT cygwin DOT com/msg89149.html

In my case, I've been able to work around this issue by running sshd as LocalSystem and storing the user password in the LSA private registry area ('option 3' from http://cygwin.com/cygwin-ug-net/ntsec.html#ntsec-setuid-overview). I was never able to get PKI working for all use cases using an NT service running as a privileged user (local or domain). See below.

Some background of what I've tried:

After running ssh-host-config (letting it create a privileged user to run sshd), making a /etc/passwd entry for a domain user and copying public keys into its authorized_keys file, I was able to log in using public key auth, but ONLY if I used ssh for an interactive login.

If I tried to ssh or scp instead, I always got some form of the following error:

    4 [main] sshd 4404 C:\cygwin\usr\sbin\sshd.exe: *** fatal error - could not load user32, Win32 error 1114

This happened with any non-interactive login from Linux -> 2003, Linux -> 2003R2, Linux -> 2000, 2003 -> 2003R2 and 2000 -> 2003R2. All the Windows hosts are 32-bit and are joined to a single domain. I believe this is the same problem Andrew reported with his 'seacase' machine in his post on 6/2.

I tried making my user an administrator on the machine, using a local user to log in instead of a domain user, using a domain cyg_server privilege account instead of a local one, etc., based on what I've seen suggested in the archives. In all cases, I get the above error when using PKI for ssh or scp.

HOWEVER, when I started a cygwin shell as the cyg_server user and ran sshd in the foreground from the shell, I was able to ssh, ssh and scp using PKI without error, using both the domain and the local cyg_server accounts. So at least in my case, with my testing, I was only seeing the above error when running sshd as a service using these accounts.

As mentioned at the top of my mail, at this point I think I am going to run sshd as LocalSystem and use cygserver/stored passwords for this project.

Questions:

1. Is there any reason why sshd run as a service via cygrunsrv as a privileged user would behave any differently than sshd run in a shell as that same user?

2. Based on the setuid overview, it looks like running sshd as LocalSystem with cygserver and stored passwords should be identical to running sshd as a privileged domain account for the purposes of both PKI and privilege separation. Is this correct?

3. In my case, the ssh users are all being used for automated processes and do not have high privileges on the domain. Are there any big problems with using cygserver and stored passwords vs. using a privileged domain account in this situation? Stored passwords seem like a much safer option. Am I being naive here?

Thanks,
-Will

--
Will Saxon
Sage Software Healthcare
William DOT Saxon AT sage DOT com
www.sagehealth.com