This is the mail archive of the cygwin mailing list for the Cygwin project.



Difficulty setting up domain SSH daemon under Domain Security Policies


The SSHD service is successfully running under the local cyg_server
userid set up by ssh-host-config.  Public key authentication is working.
It is running on a Windows 2003 Server with Domain Security Policies
being pushed down from the Domain server.  Using the windows GUI, access
to change the local security settings is greyed out.  After replication
or some time passing, the cyg_server settings disappear from the local
security settings.  If running, the sshd service continues to work.  If
there is a need to restart the service, then the following procedure
works:
 
1    Stop the service
2    Delete the service
3    Delete the cyg_server userid
4    Rerun ssh-host-config
5    Restart the service
 
I am trying to set up access to the entire domain, and to that end tried
creating a domain userid with various policies to run the service.  When
this userid propagates, it does not appear to propagate the "Create a
token object" policy.  When I run ssh-host-config and specify the new
userid, I get a message that the userid has insufficient permissions.
Indeed, it does not work.  I am not sure which way to look at this, but
can anyone provide some direction?  Here are some points as I see them.
 
1    The ssh-host-config program doesn't say what permissions are
inadequate.  Is there a specific list of what is needed?
2    Is there a way to force ssh-host-config to create the permissions?
It seems that it will only create permissions when creating a fresh new
setup.
3    If the local security policies are indeed being overwritten and
the create token object doesn't propagate, then it looks like some
additional process is needed to recreate the privileges?
 
Is there a different way of going about this?  Would it make any sense
to install SSH on the domain controller itself?
 
Any guidance in this matter would be appreciated.
 
Best Regards,
Bryan Hunter

Attachment: cygcheck.out
Description: cygcheck.out
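
An added example, not part of the original message and not code from the Cygwin project: a small audit that reports which user rights the sshd service account has lost, for instance after a domain policy refresh replaces the local assignments as described above. The list of required rights and the one-name-per-line output of `editrights -l -u` are assumptions (the message itself names only "Create a token object"), and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: report which user rights a Cygwin sshd service account lacks.
# ASSUMPTION: these four rights are the set the service account needs;
# the original message names only "Create a token object".
REQUIRED_RIGHTS="SeAssignPrimaryTokenPrivilege SeCreateTokenPrivilege SeTcbPrivilege SeServiceLogonRight"

# missing_rights: reads one right name per line on stdin (the format
# `editrights -l -u <account>` is assumed to print) and echoes the
# required rights that are absent, space-separated, in REQUIRED_RIGHTS order.
missing_rights() {
    # Strip carriage returns and stray whitespace from Windows-style output.
    held=$(tr -d ' \t\r')
    missing=""
    for right in $REQUIRED_RIGHTS; do
        if ! printf '%s\n' "$held" | grep -qxF "$right"; then
            missing="${missing:+$missing }$right"
        fi
    done
    printf '%s\n' "$missing"
}

# audit_account: hypothetical wrapper meant to run on the Cygwin host itself,
# e.g. from a scheduled job, so a stripped right is noticed before the
# service next has to be restarted.
audit_account() {
    account=$1
    lacking=$(editrights -l -u "$account" | missing_rights)
    if [ -n "$lacking" ]; then
        echo "$account is missing: $lacking"
        return 1
    fi
    echo "$account holds all required rights"
}

# Constructed sample: rights left after a policy refresh removed two of them.
SAMPLE_AFTER_REFRESH='SeServiceLogonRight
SeAssignPrimaryTokenPrivilege'
```

Running `audit_account cyg_server` (or the domain account) before and after a policy refresh shows whether the rights are being removed by the domain policy rather than by ssh-host-config.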
