Subject: RE: Difficulty setting up domain SSH daemon under Domain Security Policies
Date: Thu, 22 Jul 2010 17:28:38 -0400
Message-ID: <7C5E3B536F261B47A73B1F1F70F2683F0B1B734E@DETEX01.trade.archway.com>
References: <7C5E3B536F261B47A73B1F1F70F2683F0B1B733F AT DETEX01 DOT trade DOT archway DOT com>
From: "Hunter, Bryan"
Mailing-List: contact cygwin-help AT cygwin DOT com; run by ezmlm
Delivered-To: mailing list cygwin AT cygwin DOT com

Thank you Chris for your reply.

> From: "Hunter, Bryan"
> The SSHD service is successfully running under the local cyg_server
> userid set up by ssh-host-config. Public key authentication is working.
> It is running on a Windows 2003 Server with Domain Security Policies
> being pushed down from the Domain server. Using the Windows GUI, access
> to change the local security settings is greyed out. After replication
> or some time passing, the cyg_server settings disappear from the local
> security settings. If running, the sshd service continues to work. If
> there is a need to restart the service, then the following procedure
> works:
> 1 Stop the service
> 2 Delete the service
> 3 Delete the cyg_server userid, both local user and /etc/passwd
> 4 Rerun ssh-host-config
> 5 Restart the service
> I am trying to set up access to the entire domain, and to that end tried
> creating a domain userid with various policies to run the service. When
> this userid propagates, it does not appear to propagate the "Create a
> token object" policy. When I run ssh-host-config and specify the new
> userid, I get a message that the userid has insufficient permissions.
> Indeed, it does not work. I am not sure which way to look at this, but
> can anyone provide some direction? Here are some points as I see them.
> 1 The ssh-host-config program doesn't say what permissions are
> inadequate. Is there a specific list of what is needed?
> 2 Is there a way to force ssh-host-config to create the permissions?
> It seems that it will only create permissions when creating a fresh new
> setup.
> 3 If the local security policies are indeed being overwritten and
> the Create a token object doesn't propagate, then it looks like some
> additional process is needed to recreate the privileges?
> Is there a different way of going about this? Would it make any sense
> to install SSH on the domain controller itself?
> Any guidance in this matter would be appreciated.
> Best Regards,
> Bryan Hunter

>> From: Christoph Herdeg
>> Hi Bryan,
>> The local security policy is overwritten in all aspects that are configured
>> in the Default Domain Policy or any other GPOs that are used against the
>> same Active Directory objects (Forests, Sites, Domains, OUs).
>> You need to create the cyg_server account within Active Directory Users &
>> Computers and set up Default Domain Policy to push the correct permissions
>> to that user. You may need to put the account in a security group having
>> administrative permissions on the local Domain Member machines.

I am not sure what you mean by pushing the permissions to the user. The user
has been given the following policies on the domain controller. These were
seen for a while on the file server, except for Create a token object, which
was never seen. The user is also an administrator on the local machine.

    Create a token object
    Log on as a service
    Replace a process level token

>> You need to setup /etc/passwd and /etc/groups on the local Domain Member
>> machines to include the users and groups from your Domain (mkpasswd and
>> mkgroup used with the according parameters).
>> You need to call ssh-host-config, e.g. like that: "ssh-host-config -y -c
>> "tty ntsec" -u "Domain\cyg_server" --privileged".

Here are the results.

    administrator AT detfs01 ~
    $ ssh-host-config -y -c "tty ntsec" -u "TRADE\sshd_server_domain" --privileged
    *** Query: Overwrite existing /etc/ssh_config file? (yes/no) yes
    *** Info: Creating default /etc/ssh_config file
    *** Query: Overwrite existing /etc/sshd_config file? (yes/no) yes
    *** Info: Creating default /etc/sshd_config file
    *** Info: Privilege separation is set to yes by default since OpenSSH 3.3.
    *** Info: However, this requires a non-privileged account called 'sshd'.
    *** Info: For more info on privilege separation read /usr/share/doc/openssh/README.privsep.
    *** Query: Should privilege separation be used? (yes/no) yes
    *** Info: Updating /etc/sshd_config file
    *** Warning: The following functions require administrator privileges!
    *** Query: Do you want to install sshd as a service?
    *** Query: (Say "no" if it is already installed as a service) (yes/no) yes
    *** Query: Enter the value of CYGWIN for the daemon: [tty ntsec] tty ntsec
    *** Info: On Windows Server 2003, Windows Vista, and above, the
    *** Info: SYSTEM account cannot setuid to other users -- a capability
    *** Info: sshd requires. You need to have or to create a privileged
    *** Info: account. This script will help you do so.
    *** Info: You appear to be running Windows 2003 Server or later. On 2003
    *** Info: and later systems, it's not possible to use the LocalSystem
    *** Info: account for services that can change the user id without an
    *** Info: explicit password (such as passwordless logins [e.g. public key
    *** Info: authentication] via sshd).
    *** Info: If you want to enable that functionality, it's required to create
    *** Info: a new account with special privileges (unless a similar account
    *** Info: already exists). This account is then used to run these special
    *** Info: servers.
    *** Info: Note that creating a new user requires that the current account
    *** Info: have Administrator privileges itself.
    *** Info: This script plans to use 'TRADE\sshd_server_domain'.
    *** Info: 'TRADE\sshd_server_domain' will only be used by registered services.
    *** Query: Create new privileged user account 'TRADE\sshd_server_domain'? (yes/no) yes
    *** Info: Please enter a password for new user TRADE\sshd_server_domain. Please be sure
    *** Info: that this password matches the password rules given on your system.
    *** Info: Entering no password will exit the configuration.
    *** Query: Please enter the password:
    *** Query: Reenter:
    *** Warning: Creating the user 'TRADE\sshd_server_domain' failed! Reason:
    The syntax of this command is:

    NET USER
    [username [password | *] [options]] [/DOMAIN]
             username {password | *} /ADD [options] [/DOMAIN]
             username [/DELETE] [/DOMAIN]

    *** Info: Please enter a password for new user TRADE\sshd_server_domain. Please be sure
    *** Info: that this password matches the password rules given on your system.
    *** Info: Entering no password will exit the configuration.
    *** Query: Please enter the password:
    *** Query: Please enter the password:
    *** Query: Please enter the password:
    *** Query: Please enter the password:
    *** Query: Please enter the password:

There are at least 2 issues here: 1) the syntax failure, and 2) the program
fails to exit when entering no password.

>> SSHD should work that way...
>> Best Regards, Chris

I looked into the ssh-host-config program, which is a Red Hat bash script,
and found the unusual arrangement whereby it runs differently when used
interactively. Specifically, if specifying all yes or no answers, the script
sets a force mode option apparently used by the CSIH routines which is not
available when running interactively. Therefore I tried the following command
to see if it would rebuild the permissions/policies for the local user
cyg_server once they had been wiped out by the domain policies.

    ssh-host-config -y -c "tty ntsec" -u "cyg_server" --privileged

Unfortunately, it still did not rebuild a working environment - public key
access fails.

--
Problem reports: http://cygwin.com/problems.html
FAQ: http://cygwin.com/faq/
Documentation: http://cygwin.com/docs.html
Unsubscribe info: http://cygwin.com/ml/#unsubscribe-simple
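An added diagnostic, not part of Bryan's or Chris's mail and not Cygwin project code: a PowerShell script that exports the machine's effective user-rights assignments with secedit and reports whether a given account still holds the three rights the thread names (Create a token object, Log on as a service, Replace a process level token, which correspond to the Windows privilege constants SeCreateTokenPrivilege, SeServiceLogonRight and SeAssignPrimaryTokenPrivilege). The account name TRADE\sshd_server_domain is borrowed from the thread as the default and is an assumption; the script must run from an elevated prompt on the domain member. Because it reads the local policy that a Group Policy refresh overwrites, running it on a schedule (or before restarting sshd) shows when replication has stripped the service account's rights, which is the failure the thread describes.

```powershell
# Added example, not from the mail thread or the Cygwin project.
# Checks whether a service account holds the user rights a privileged
# Cygwin sshd account needs, by parsing a secedit export of local policy.
# Requires an elevated PowerShell session.

param(
    # Hypothetical default taken from the thread; pass your own account.
    [string]$Account = 'TRADE\sshd_server_domain'
)

# Windows privilege constants for the three rights listed in the thread.
$RequiredRights = @{
    'SeCreateTokenPrivilege'        = 'Create a token object'
    'SeServiceLogonRight'           = 'Log on as a service'
    'SeAssignPrimaryTokenPrivilege' = 'Replace a process level token'
}

# secedit records principals as SIDs prefixed with '*', so resolve the account.
try {
    $sid = (New-Object System.Security.Principal.NTAccount($Account)).
        Translate([System.Security.Principal.SecurityIdentifier]).Value
} catch {
    throw "Cannot resolve '$Account' to a SID: $($_.Exception.Message)"
}

# Export only the user-rights area of the effective local security policy.
$cfg = Join-Path $env:TEMP 'local-user-rights.inf'
secedit /export /cfg $cfg /areas USER_RIGHTS /quiet | Out-Null
if (-not (Test-Path $cfg)) { throw 'secedit export failed (run elevated?)' }

# Parse the [Privilege Rights] section. Lines look like:
#   SeServiceLogonRight = *S-1-5-80-0,*S-1-5-21-...-1105
$rights    = @{}
$inSection = $false
foreach ($line in Get-Content $cfg) {
    if ($line -match '^\[(.+)\]\s*$') {
        $inSection = ($Matches[1] -eq 'Privilege Rights')
        continue
    }
    if ($inSection -and $line -match '^(\S+)\s*=\s*(.*)$') {
        $name    = $Matches[1]
        $holders = @($Matches[2] -split ',' | ForEach-Object { $_.Trim().TrimStart('*') })
        $rights[$name] = $holders
    }
}
Remove-Item $cfg -ErrorAction SilentlyContinue

# Report each required right; a holder may be listed by SID or by name.
$missing = @()
foreach ($r in $RequiredRights.Keys | Sort-Object) {
    $holders = $rights[$r]
    $held = ($holders -contains $sid) -or ($holders -contains $Account)
    $state = if ($held) { 'OK     ' } else { 'MISSING' }
    Write-Output ('{0}  {1,-30} ({2})' -f $state, $r, $RequiredRights[$r])
    if (-not $held) { $missing += $r }
}

# Non-zero exit lets a scheduled task or monitoring job flag the wipe.
if ($missing.Count -gt 0) { exit 1 }
```

If a right reports MISSING while the account is listed under that policy on the domain controller, the domain GPO is overriding the local setting, as Chris describes; the fix then belongs in the GPO rather than in a rerun of ssh-host-config.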