This is the mail archive of the cygwin@cygwin.com mailing list for the Cygwin project.



SSHD, Cygwin and Windows 2003 : continued with user rights


Following Mark J de Jong's step by step howto (see end of mail for some add-ons), I can now effectively log in with pkey method (that is, no password) using the 'administrator' user name.
'whoami' returns 'administrator', however asking for a command such as IISRESET returns the error 'you are not a local administrator of this machine...', which means the rights management has failed somewhere.


What shall I do to be able to run IISreset from ssh pkey under administrator?


note: su-ing to 'administrator' returns 'wrong password' after correct pass input, and logging via sshd with the 'local system sshd' method acknowledges the administrator to execute IISRESET.


that's why I wonder if adding the 'create token' n co stuff to the user SYSTEM wouldn't help, but I feel this is not a right thing to do ...

Hello,
I've looked and couldn't find decent docs on this so for those of you
who are lookin', this is a quick howto on how to setup the
Cygwin/OpenSSH daemon on M$ Windows 2003. This will fix the passwordless
(ssh key) login issue.

1. Install Cygwin with the openssh binaries....

add the c:\cygwin\bin to the path
add cygwin=ntsec tty environment variable


2. After completing the Cygwin setup, goto the cygwin command prompt and type 'ssh-host-config'
3. Answer 'y' when asked if you want to sshd with privilege separation.
4. Answer 'y' when asked if user sshd should be created by the script.
5. Answer 'y' when asked if you want sshd to be created as a service.
6. Create a new windows user named "sshdproc" or whatever you wish the sshd process account username to be. If you happen to notice the sshd user being disabled, don't enable it!
7. Place the sshdproc user in the "Administrators" group.
8. Give the sshdproc user the following system rights:
    * Create a token object
    * Log on as a service
    * Replace a process level token

    And for security.....
    * Deny log on locally
    * Deny access to this computer from the network

9. Reconfigure the "CYGWIN sshd service" to run as the new "sshdproc" user.
10. At the cygwin command prompt type 'mkpasswd -l |grep sshdproc >> /etc/passwd <enter>'
11. Type 'touch /var/log/sshd.log <enter>'
12. Type 'chmod 644 /var/log/sshd.log <enter>'
11. Type 'chown sshdproc /var/empty /var/log/sshd.log /etc/ssh_* <enter>'
12. Type 'cygrunsrv --start sshd <enter>'

also ssh-user-config



That should be it.. Hope this helps!


it helps, but not enough :)



Best,
Mark J. de Jong
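
One way to confirm that the service account ended up with the rights listed in step 8, added here as an example that is not part of the original mail or the howto. It assumes Cygwin's `editrights` tool prints one right name per line with `-l -u`; the function names and the sample input are constructed for illustration.

```shell
#!/bin/bash
# Added example: audit the user rights from step 8 of the howto.
# Display names from the howto mapped to their Windows user-right constants.
REQUIRED="SeCreateTokenPrivilege SeServiceLogonRight SeAssignPrimaryTokenPrivilege"
DENY="SeDenyInteractiveLogonRight SeDenyNetworkLogonRight"

# audit_rights: reads one right name per line on stdin (assumed to be the
# format printed by 'editrights -l'), prints a MISSING line for every
# expected right that is absent, and returns 1 if anything is missing.
audit_rights() {
    have=$(tr -d '\r' | awk 'NF {print $1}')
    missing=0
    for r in $REQUIRED $DENY; do
        if ! printf '%s\n' "$have" | grep -Fqx "$r"; then
            echo "MISSING $r"
            missing=1
        fi
    done
    return $missing
}

# audit_account: hypothetical wrapper for a live Cygwin host,
# e.g. 'audit_account sshdproc'. Not called here.
audit_account() {
    editrights -l -u "$1" | audit_rights
}

# Constructed sample: the three grants applied, both deny rights forgotten.
sample_incomplete() {
    printf '%s\n' SeServiceLogonRight SeCreateTokenPrivilege \
        SeAssignPrimaryTokenPrivilege
}
```

A non-zero return with `MISSING SeDeny...` lines means the account still accepts interactive or network logons, which the howto's "for security" items are meant to block.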





