Subject: Re: seteuid problem with sshd
From: Bruce Halco
To: cygwin AT cygwin DOT com
Date: Thu, 14 Mar 2019 06:45:34 -0400

On 3/14/19 5:47 AM, Corinna Vinschen wrote:
> On Mar 13 22:20, Bruce Halco wrote:
>> I had found nothing referencing "No such file or directory", which sounds
>> rather different from a permissions problem.
>>
>> Running sshd under the Local System account made no difference.
>>
>> passwd -R was no help.
>>
>> What I did discover was that cygwin/sshd apparently now requires the Windows
>> account to be Enabled.  That was not the case previously.
>>
>> The target systems in my application are in restaurant offices, and only use
>> a single Windows login.
>>
>> As the people who use ssh do not need local Windows accounts, I've always
>> used the practice of Disabling those user accounts in Windows. The
>> credentials were available to ssh, without the security issues of all those
>> extra active accounts.
>>
>> Unless someone can suggest an alternative, I'll have to leave all those
>> accounts Enabled. I can put some long, nasty passwords on them to keep the
>> risk acceptable.
> I'm sorry to say that, but there is no alternative. This has been
> discussed at great length on this mailing list, starting at
>
> https://cygwin.com/ml/cygwin/2019-01/msg00197.html
>
> For starters, I added a special check to disable logging in with a
> disabled account. However, the S4U logon method used by Cygwin now in
> place of the old "Create user token from scratch" method(*) even checks
> that automatically and does not allow disabled accounts to logon.
>
> Same goes for the `passwd -R' method as well as for normal password logon
> since they have been introduced, btw, given they use the same underlying
> Windows function which actively checks for disabled accounts.
>
> Last but not least, the fact that some logon methods allowed disabled
> accounts to logon and some didn't wasn't really a good idea to begin
> with.
>
>
> Corinna
>
> (*) https://cygwin.com/cygwin-ug-net/ntsec.html#ntsec-nopasswd1
>
Thank you for the information. I will adjust my practices to the new situation.

Bruce