To: cygwin AT cygwin DOT com
From: "Jarek C."
Subject: Problems with ssh connection
Date: Mon, 17 Aug 2015 21:39:11 +0200

I have Cygwin installed on a couple of servers in a domain environment. Of all machines, regular user accounts can ssh to only one box.

Once installed, I configured Cygwin using the following in a .bat file.

    c:\cygwin\bin\bash --login -c "chmod +r /etc/passwd"
    c:\cygwin\bin\bash --login -c "chmod u+w /etc/passwd"
    c:\cygwin\bin\bash --login -c "chmod +r /etc/group"
    c:\cygwin\bin\bash --login -c "chmod u+w /etc/group"
    c:\cygwin\bin\bash --login -c "chown -R domain_account /var/empty"
    c:\cygwin\bin\bash --login -c "chmod 755 /var/empty"
    c:\cygwin\bin\bash --login -c "chown domain_account /etc/ssh*"
    c:\cygwin\bin\bash --login -c "chmod 755 /var/"
    c:\cygwin\bin\bash --login -c "touch /var/log/sshd.log"
    c:\cygwin\bin\bash --login -c "chown domain_account /var/log/sshd.log"
    c:\cygwin\bin\bash --login -c "chmod 664 /var/log/sshd.log"
    c:\cygwin\bin\bash --login -c "editrights -l -u domain_account"
    c:\cygwin\bin\bash --login -c "editrights -a SeAssignPrimaryTokenPrivilege -u domain_account"
    c:\cygwin\bin\bash --login -c "editrights -a SeCreateTokenPrivilege -u domain_account"
    c:\cygwin\bin\bash --login -c "editrights -a SeTcbPrivilege -u domain_account"
    c:\cygwin\bin\bash --login -c "editrights -a SeServiceLogonRight -u domain_account"
    c:\cygwin\bin\bash --login -c "editrights -l -u domain_account"
    c:\cygwin\bin\bash --login -c "/bin/ssh-host-config -y -c ntsec -u domain_account -w "password"

Somehow the permissions on the sshd_config file are different on the box where the sftp connection works

    -rw-r--r-- 1 my_domain_account root 3679 Jul 24 12:44 /etc/sshd_config

where on all others I see

    -rw-r--r-- 1 domain_account Administrators 3584 Jul 26 20:51 /etc/sshd_config

where the domain_account is the account under which the Cygwin service is running. When checking NTFS permissions I see in both cases the domain_account as the owner.

I read somewhere that I need to run chown root:system /etc/password to fix the permissions but the account reports as invalid. Same if I try just root or just system.

Am I even close, focusing on the permissions of sshd_config? No idea why they're different. I think I used the same method on all servers but they were not installed at the same time so it's possible I messed something up. I don't want to break the working box, keeping it as a reference.

On others I noticed that a regular domain user can connect when their accounts get added to local admins, which is what I would like to avoid.
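An added example, not part of the original post: a read-only shell helper for comparing owner, group and mode of the paths the .bat file touches, between the working box and one of the others. The function names and the snapshot format are assumptions of this example; it relies on GNU `stat` from coreutils and reports only the POSIX view, not the NTFS ACLs.

```shell
#!/bin/sh
# Paths touched by the setup .bat in the post above.
SSHD_PATHS="/etc/passwd /etc/group /etc/sshd_config /var /var/empty /var/log/sshd.log"

# Print "path owner group mode" for each path, or "path MISSING" when absent.
# $1 (optional) is a root prefix, used only to point the check at a test tree.
perm_snapshot() {
    root="${1:-}"
    for p in $SSHD_PATHS; do
        if [ -e "$root$p" ]; then
            # GNU stat: %U owner name, %G group name, %a octal mode
            printf '%s %s\n' "$p" "$(stat -c '%U %G %a' "$root$p")"
        else
            printf '%s MISSING\n' "$p"
        fi
    done
}

# Compare a reference snapshot file ($1) with this host's snapshot file ($2).
# Prints one line per path that differs; returns 1 if anything differs.
perm_compare() {
    ref="$1"; cur="$2"; rc=0
    while read -r path rest; do
        # Everything after the path, so owner/group names with spaces survive.
        here=$(awk -v p="$path" '$1 == p { sub(/^[^ ]+ /, ""); print }' "$cur")
        if [ "$rest" != "$here" ]; then
            printf '%s: reference=[%s] this-host=[%s]\n' "$path" "$rest" "$here"
            rc=1
        fi
    done < "$ref"
    return $rc
}

# Typical use (file names are placeholders):
#   on the working box:  perm_snapshot > ref.txt
#   on another box:      perm_snapshot > here.txt
#                        perm_compare ref.txt here.txt
```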