This is the mail archive of the cygwin mailing list for the Cygwin project.



sshd: testing whether login was via public key or password?


Hi,

Short version:  "schtasks /change" fails because I used SSH public key
auth.  I'd like to add error checking to a script I run, so that it exits
if the user doesn't have the right session token (password), and "fix"
SSH public key login so I get the right privileges.  How best to do that?

I've read the following but I'm not sure I understand it well enough to
pick the "best" method:
https://cygwin.com/cygwin-ug-net/ntsec.html

The full issue:

I'm attempting to remotely change passwords for some Windows scheduled
tasks.  After logging in (via SSH public key) I could change the
passwords for tasks for different (non-admin) accounts, but not my own
admin account.

# After logging in with SSH pub key:
$ id -G | grep -qE '\<(544|0)\>' && echo admin || echo user
admin
$ whoami
Administrator
$ schtasks /query /TN "\backup_web_users" /v /fo list | grep 'Run As'
Run As User:                          Administrator
$ schtasks /change /RP newpassword /TN "\backup_web_users"
ERROR: Logon failure: unknown user name or bad password.
### Note:   if one tries to do above cmd repeatedly, you might lock
###      your account after too many login attempts

# But for a regular user account, it worked OK:
$ schtasks /query /TN "\Cleanup Old" /v /fo list | grep 'Run As'
Run As User:                          HOSTNAME\nonadminuser
$ schtasks /change /RP newpassword /TN "\Cleanup Old"
SUCCESS: The parameters of scheduled task "\Cleanup Old" have been changed.


I figured out the above "Logon failure" was due to logging in via SSH
public key, reference:
https://cygwin.com/ml/cygwin/2004-09/msg00087.html

As noted in the reference above, if I log in via SSH using my password, I
can successfully change the scheduled task password for Administrator
tasks.  Similarly, it works if I save my password using "passwd -R".

We would like to continue to require public key auth because it is more
secure (our public keys are from smartcards, so it's effectively
two-factor authentication).

I've already confirmed that storing the passwd with "passwd -R" works.
I have not tried using cyglsa-config -- would that help?  My
understanding is that local access would work but access to network
resources would not.  I would think scheduled tasks are local so it
should work but did not want to modify my system yet without some
feedback from cygwin experts :)

Also, is there another way I might obtain the proper privs/session
token, WITHOUT storing the password permanently?  I noticed that running
"passwd -R" doesn't help with the CURRENT ssh session; i.e. I would have
to log out and log in again.

Finally, the obvious way of checking if the proper privileges are
present is simply trying the "schtasks" command and seeing if it fails
by checking the exit status.  I'm just wondering (for academic reasons)
if there's a better way.  Perhaps there is some "view my current session
token" command?

If it matters:
$ uname -a
CYGWIN_NT-6.1-WOW nissan 2.2.1(0.289/5/3) 2015-08-20 11:40 i686 Cygwin

The OS is Server 2008 R2 64-bit.
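
The exit-status check described in the message above, as an added example that is not part of the original post: a fail-fast wrapper that makes one attempt per task and stops at the first "Logon failure", so a session without usable credentials does not run into the lockout the post warns about. The `SCHTASKS` override variable and the function name are assumptions for illustration, and the code assumes schtasks exits non-zero on failure.

```shell
#!/bin/sh
# Added example, not from the original post.
# SCHTASKS is an assumed override hook so the logic can be exercised with a stub.
SCHTASKS=${SCHTASKS:-schtasks}

# change_task_passwords NEW_PASSWORD TASK...
# Makes exactly one attempt per task and stops at the first failure, so a
# failing logon is never repeated across the remaining tasks.
# Returns 0 if every task changed, 2 on "Logon failure", 1 on any other error.
# Note: as in the post, the password is passed on the schtasks command line.
change_task_passwords() {
    new_pw=$1
    shift
    for task in "$@"; do
        if out=$("$SCHTASKS" /change /RP "$new_pw" /TN "$task" 2>&1); then
            printf 'changed: %s\n' "$task"
            continue
        fi
        # First failure: report it and do not touch the remaining tasks.
        printf 'failed:  %s\n%s\n' "$task" "$out" >&2
        case $out in
            *"Logon failure"*)
                printf 'stopping: logon failure, not retrying (lockout risk)\n' >&2
                return 2 ;;
        esac
        return 1
    done
    return 0
}
```

A calling script can exit on a non-zero return and treat status 2 as the signal that the SSH session lacks the credentials the task change needs.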

