X-Recipient: archive-cygwin AT delorie DOT com
X-SWARE-Spam-Status: No, hits=4.4 required=5.0	tests=AWL,BAYES_40,BOTNET,RCVD_IN_DNSWL_NONE
X-Spam-Check-By: sourceware.org
Message-id: <4E9DE4B7.9050303@cygwin.com>
Date: Tue, 18 Oct 2011 16:42:31 -0400
From: "Larry Hall (Cygwin)" <reply-to-list-only-lh AT cygwin DOT com>
Reply-to: cygwin AT cygwin DOT com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:7.0.1) Gecko/20110929 Thunderbird/7.0.1
MIME-version: 1.0
To: cygwin AT cygwin DOT com
Subject: Re: Invoking GUI programs over SSH
References: <4E98C90C DOT 4050308 AT ai DOT sri DOT com>
In-reply-to: <4E98C90C.4050308@ai.sri.com>
Content-type: text/plain; charset=ISO-8859-1; format=flowed
Content-transfer-encoding: 7bit
Mailing-List: contact cygwin-help AT cygwin DOT com; run by ezmlm
List-Id: <cygwin.cygwin.com>
List-Subscribe: <mailto:cygwin-subscribe AT cygwin DOT com>
List-Archive: <http://sourceware.org/ml/cygwin/>
List-Post: <mailto:cygwin AT cygwin DOT com>
List-Help: <mailto:cygwin-help AT cygwin DOT com>, <http://sourceware.org/ml/#faqs>
Sender: cygwin-owner AT cygwin DOT com
Mail-Followup-To: cygwin AT cygwin DOT com
Delivered-To: mailing list cygwin AT cygwin DOT com

On 10/14/2011 7:43 PM, Quang Ong wrote:
> I found this previous discussion about this issue, but it doesn't appear to
> work or maybe someone can elaborate on this issue.
> http://cygwin.com/ml/cygwin/2011-01/msg00211.html
>
> I'm trying to do the same thing, launch a GUI app over SSH on the "server",
> not sending the display back to the ssh client.
>
> I originally had openssh 5.8 and recently updated to 5.9. SSH to the windows
> machine works fine for the most part, except for the fact when I try to
> launch our build tool, which pops up a GUI, it doesn't work anymore. We have
> a much older XP machine running Cygwin 1.5 which works, but this new machine
> is running Win7 64-bit w/ Cygwin 1.7 openssh 5.9.
>
> The quick test is to ssh into the cygwin machine and run notepad. Like the
> previous poster, I can see the process running, but nothing on the
> "console". I tried the recommended step of adding Interactive Logon rights
> using the editrights tool, but I didn't see how the poster was able to use
> the Services GUI to add "Allow service to interact with desktop" for a
> "regular user". Only the LOCAL SERVICE user has that option in the GUI.
> 1) Is the "editrights -a SeInteractiveLogonRight -u ssh-admin " command the
> same as checking the "Allow service to interact with desktop"?
> 2) The poster also didn't seem to indicate which version of openssh. I found
> another discussion that mentioned that this capability worked with openssh 5.1:
> http://lists.mindrot.org/pipermail/openssh-unix-dev/2011-April/029490.html
>
> Is this capability no longer possible/suported?

MS has changed it support for this functionality.  They feel this is a
security hole (and it is not completely improper to view it this way)
so they've changed how this works.  In its current incarnation, it's
much harder to get this to work the way it used to.  There's an entire
KB article that someday I'm going to look up and bookmark so that I
have it available when these kinds of inquiries come up on the list. ;-)
So if you really want to dive into the guts of the new implementation
with all its new restrictions, I'd recommend looking for that KB article.
Given the current support for this feature from MS, I think it's fair to
say that making this work the way it used to for the limited cases where
it may still be useful, even if it's possible, isn't a priority for Cygwin
right now.  I'd summarize the state of affairs this way - if you're looking
for a simple recipe that will make this magically work the way that it
used to, you're not going to find it here.  If that's not entirely
discouraging for you, then I'd say take a look around at what's in the
mail archives and the details of how MS says this can work now.  If you're
willing to accept the new restrictions and if you're a bit savvy, you
may find a way to make your situation work for you.  If so, we'd be
interested in hearing what you found. :-)

As for your first question, editrights != "Allow service to interact with
the desktop".  cygrunsrv's -i flag would be the closest matching control
in the Cygwin world, with the same caveats as I mentioned above.


-- 
Larry

_____________________________________________________________________

A: Yes.
 > Q: Are you sure?
 >> A: Because it reverses the logical flow of conversation.
 >>> Q: Why is top posting annoying in email?

--
Problem reports:       http://cygwin.com/problems.html
FAQ:                   http://cygwin.com/faq/
Documentation:         http://cygwin.com/docs.html
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple