OpenSSH and RSA authentication problems

OpenSSH and RSA authentication problems

[David J. Wilson]

Hi,

I have a fresh install of Cygwin with all the latest packages.  OpenSSH
2.9.9p2 is among them.  It is setup to run as a service.

Password authentication for any user works fine.  RSA, too, works fine
provided I am running it _as the user I want to login with_.  Otherwise
the server simply rejects the key I give it.  Is this normal?

I have StrictModes set to 'no' temporarily in my sshd_config.  It isn't
helping...

Later tonight I'm going to try and run it under my own account and then
login as someone else to see the debugging output.  For now I know that
it doesn't work for anyone at all when it's running as a service (which
I believe runs as the system account), and that it works fine if I run 
it with my account and login with the same.

Has anyone else encountered this?

David


--
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple
Bug reporting:         http://cygwin.com/bugs.html
Documentation:         http://cygwin.com/docs.html
FAQ:                   http://cygwin.com/faq/

Re: OpenSSH and RSA authentication problems

[David J. Wilson]

Following up...

The two accounts I am dealing with are 'Administrator' and 'vlastyn'.  My
test involved running the server as vlastyn, and setting up identical configs
for each user (i.e. running ssh-user-config as each user and answering yes
to each question).

When trying to login as vlastyn, it works as described.  Here is what the
debugging output of the server shows:

debug1: ssh_rsa_verify: signature correct
Accepted publickey for vlastyn from 127.0.0.1 port 3503 ssh2
debug1: Entering interactive session for SSH2.

Attempting to login with Administrator, however, doesn't work:

debug1: ssh_dss_verify: signature correct
Failed publickey for Administrator from 127.0.0.1 port 4453 ssh2

Naturally this makes sense, because my vlastyn account probably doesn't have
the right privileges to switch user context.  The point is that I can't use
RSA with *either* account when it's running as SYSTEM, which obviously is 
able to switch context or else password authentication wouldn't work.  So,
does anyone have any idea what's happening?

David

On Wed, Oct 03, 2001 at 10:36:53AM -0400, David J. Wilson wrote:
> 
> Later tonight I'm going to try and run it under my own account and then
> login as someone else to see the debugging output.  For now I know that
> it doesn't work for anyone at all when it's running as a service (which
> I believe runs as the system account), and that it works fine if I run 
> it with my account and login with the same.
> 

--
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple
Bug reporting:         http://cygwin.com/bugs.html
Documentation:         http://cygwin.com/docs.html
FAQ:                   http://cygwin.com/faq/

Re: OpenSSH and RSA authentication problems

[Peter Buckley]

David-

Have you checked http://tech.erdelynet.com- 
Mike Erdely knows a *little* about ssh and cygwin, 
and he has an SSH mailing list as well. 

HTH,
Peter

"David J. Wilson" wrote:
> 
> Following up...
> 
> The two accounts I am dealing with are 'Administrator' and 'vlastyn'.  My
> test involved running the server as vlastyn, and setting up identical configs
> for each user (i.e. running ssh-user-config as each user and answering yes
> to each question).
> 
> When trying to login as vlastyn, it works as described.  Here is what the
> debugging output of the server shows:
> 
> debug1: ssh_rsa_verify: signature correct
> Accepted publickey for vlastyn from 127.0.0.1 port 3503 ssh2
> debug1: Entering interactive session for SSH2.
> 
> Attempting to login with Administrator, however, doesn't work:
> 
> debug1: ssh_dss_verify: signature correct
> Failed publickey for Administrator from 127.0.0.1 port 4453 ssh2
> 
> Naturally this makes sense, because my vlastyn account probably doesn't have
> the right privileges to switch user context.  The point is that I can't use
> RSA with *either* account when it's running as SYSTEM, which obviously is
> able to switch context or else password authentication wouldn't work.  So,
> does anyone have any idea what's happening?
> 
> David
> 
> On Wed, Oct 03, 2001 at 10:36:53AM -0400, David J. Wilson wrote:
> >
> > Later tonight I'm going to try and run it under my own account and then
> > login as someone else to see the debugging output.  For now I know that
> > it doesn't work for anyone at all when it's running as a service (which
> > I believe runs as the system account), and that it works fine if I run
> > it with my account and login with the same.
> >
> 
> --
> Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple
> Bug reporting:         http://cygwin.com/bugs.html
> Documentation:         http://cygwin.com/docs.html
> FAQ:                   http://cygwin.com/faq/

-- 
Your mouse has moved.
Windows NT must be restarted for the change to take effect.
Reboot now?  [OK]

--

--
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple
Bug reporting:         http://cygwin.com/bugs.html
Documentation:         http://cygwin.com/docs.html
FAQ:                   http://cygwin.com/faq/

Re: OpenSSH and RSA authentication problems

[David J. Wilson]

On Thu, Oct 04, 2001 at 12:53:22PM -0400, Peter Buckley wrote:
> David-
> 
> Have you checked http://tech.erdelynet.com- 
> Mike Erdely knows a *little* about ssh and cygwin, 
> and he has an SSH mailing list as well. 

I followed the instructions on his site with no luck.  One thing I noticed--
part of it said to change permissions and ownership (chown and chmod).  Is
this supposed to have any noticable effect ?

Take this for instance:
[vlastyn@sundown:~] touch example_file
[vlastyn@sundown:~] ls -la example_file
   0 -rw-r--r--    1 vlastyn  None            0 Oct  4 22:24 example_file
[vlastyn@sundown:~] chown system.system example_file
[vlastyn@sundown:~] chmod 777 example_file
[vlastyn@sundown:~] ls -la example_file
   0 -rw-r--r--    1 vlastyn  None            0 Oct  4 22:24 example_file
[vlastyn@sundown:~]

I am of course running NTFS and with an up-to-date /etc/passwd and 
/etc/group.  I looked at the permissions with the GUI and they didn't
show any change either.  

Dave


--
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple
Bug reporting:         http://cygwin.com/bugs.html
Documentation:         http://cygwin.com/docs.html
FAQ:                   http://cygwin.com/faq/

Re: OpenSSH and RSA authentication problems

[Daniel Steinmann]

David J. Wilson wrote:
> On Thu, Oct 04, 2001 at 12:53:22PM -0400, Peter Buckley wrote:
> > David-
> > 
> > Have you checked http://tech.erdelynet.com- 
> > Mike Erdely knows a *little* about ssh and cygwin, 
> > and he has an SSH mailing list as well. 
> 
> I followed the instructions on his site with no luck.  One thing I noticed--
> part of it said to change permissions and ownership (chown and chmod).  Is
> this supposed to have any noticable effect ?
> 
> Take this for instance:
> [vlastyn@sundown:~] touch example_file
> [vlastyn@sundown:~] ls -la example_file
>    0 -rw-r--r--    1 vlastyn  None            0 Oct  4 22:24 example_file
> [vlastyn@sundown:~] chown system.system example_file
> [vlastyn@sundown:~] chmod 777 example_file
> [vlastyn@sundown:~] ls -la example_file
>    0 -rw-r--r--    1 vlastyn  None            0 Oct  4 22:24 example_file
> [vlastyn@sundown:~]
> 
> I am of course running NTFS and with an up-to-date /etc/passwd and 
> /etc/group.  I looked at the permissions with the GUI and they didn't
> show any change either.  

Did you set CYGWIN=ntsec in your environment?

Daniel.

-- 
Daniel Steinmann, Insonic AG, Zuerich, Switzerland
daniel.steinmann@insonic.com, +41 1 456 50 00, fax: +41 1 456 50 01

--
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple
Bug reporting:         http://cygwin.com/bugs.html
Documentation:         http://cygwin.com/docs.html
FAQ:                   http://cygwin.com/faq/

chmod/chown + ntsec doesn't work (was OpenSSH and RSA authentication problems)

[Peter Buckley]

I saw one other post that said that you should 
make sure CYGWIN is set to "ntsec" but that doesn't 
necessarily mean that chmod or chown is going to work. 

I tried your example from a bash shell on my system, 
with CYGWIN=binmode tty ntsec. Of course, chmod didn't 
work right. You can see from the following output that 
chmod worked in some cases, and chown definitely 
didn't work. I checked the FAQ, the archives, and the 
documentation, but there seem to only be suggestions 
to "set CYGWIN=ntsec" and "you can't use chmod on 95/98". 

This seems like the root of your SSH problem Dave, I just
wish I knew why chmod didn't work. 

/home/pbuckley $ touch example_file
/home/pbuckley $ ls -la example_file
-rw-rw-rw-    1 pbuckley Domain U        0 Oct  5 08:47 example_file
/home/pbuckley $ chown system.system example_file
chown: changing ownership of `example_file': Permission denied
/home/pbuckley $ chmod 777 example_file
chmod: changing permissions of `example_file': Permission denied
/home/pbuckley $ chmod +x example_file
/home/pbuckley $ ls -la example_file
-rwxrwxrwx    1 pbuckley Domain U        0 Oct  5 08:48 example_file
/home/pbuckley $ chmod 777 example_file
/home/pbuckley $ ls -la example_file
-rwxrwxrwx    1 pbuckley Domain U        0 Oct  5 08:48 example_file
/home/pbuckley $ chown system.system example_file
chown: changing ownership of `example_file': Permission denied
/home/pbuckley $ chown SYSTEM.SYSTEM example_file
chown: changing ownership of `example_file': Permission denied
/home/pbuckley $ chmod 600 example_file
chmod: changing permissions of `example_file': Permission denied
/home/pbuckley $ ls -la example_file
-rwxrwxrwx    1 pbuckley Domain U        0 Oct  5 08:48 example_file
/home/pbuckley $ chmod --version
chmod (fileutils) 4.1
Written by David MacKenzie.

Copyright (C) 2001 Free Software Foundation, Inc.
This is free software; see the source for copying conditions.  There is
NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR
PURPOSE.
/home/pbuckley $ /cygdrive/c/cygwin/bin/chmod 600 example_file
/cygdrive/c/cygwin/bin/chmod: changing permissions of `example_file':
Permission denied

TIA,
Peter

"David J. Wilson" wrote:
> 
> On Thu, Oct 04, 2001 at 12:53:22PM -0400, Peter Buckley wrote:
> > David-
> >
> > Have you checked http://tech.erdelynet.com-
> > Mike Erdely knows a *little* about ssh and cygwin,
> > and he has an SSH mailing list as well.
> 
> I followed the instructions on his site with no luck.  One thing I noticed--
> part of it said to change permissions and ownership (chown and chmod).  Is
> this supposed to have any noticable effect ?
> 
> Take this for instance:
> [vlastyn@sundown:~] touch example_file
> [vlastyn@sundown:~] ls -la example_file
>    0 -rw-r--r--    1 vlastyn  None            0 Oct  4 22:24 example_file
> [vlastyn@sundown:~] chown system.system example_file
> [vlastyn@sundown:~] chmod 777 example_file
> [vlastyn@sundown:~] ls -la example_file
>    0 -rw-r--r--    1 vlastyn  None            0 Oct  4 22:24 example_file
> [vlastyn@sundown:~]
> 
> I am of course running NTFS and with an up-to-date /etc/passwd and
> /etc/group.  I looked at the permissions with the GUI and they didn't
> show any change either.
> 
> Dave

-- 
Your mouse has moved.
Windows NT must be restarted for the change to take effect.
Reboot now?  [OK]

--

--
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple
Bug reporting:         http://cygwin.com/bugs.html
Documentation:         http://cygwin.com/docs.html
FAQ:                   http://cygwin.com/faq/

Re: chmod/chown + ntsec doesn't work (was OpenSSH and RSA authentication problems)

[egor duda]

Hi!

Friday, 05 October, 2001 Peter Buckley peter.buckley@cportcorp.com wrote:

PB> I saw one other post that said that you should 
PB> make sure CYGWIN is set to "ntsec" but that doesn't 
PB> necessarily mean that chmod or chown is going to work. 

PB> I tried your example from a bash shell on my system, 
PB> with CYGWIN=binmode tty ntsec. Of course, chmod didn't 
PB> work right. You can see from the following output that 
PB> chmod worked in some cases, and chown definitely 
PB> didn't work. I checked the FAQ, the archives, and the 
PB> documentation, but there seem to only be suggestions 
PB> to "set CYGWIN=ntsec" and "you can't use chmod on 95/98". 

PB> This seems like the root of your SSH problem Dave, I just
PB> wish I knew why chmod didn't work.

chmod shouldn't work as you suppose it have to. try the same commands
on any unix. you'll get the same diagnostics.

PB> /home/pbuckley $ touch example_file
PB> /home/pbuckley $ ls -la example_file
PB> -rw-rw-rw-    1 pbuckley Domain U        0 Oct  5 08:47 example_file
PB> /home/pbuckley $ chown system.system example_file
PB> chown: changing ownership of `example_file': Permission denied

ordinary user can't change object ownership. this is the way the POSIX
works.

Egor.            mailto:deo@logos-m.ru ICQ 5165414 FidoNet 2:5020/496.19


--
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple
Bug reporting:         http://cygwin.com/bugs.html
Documentation:         http://cygwin.com/docs.html
FAQ:                   http://cygwin.com/faq/

Re: chmod/chown + ntsec doesn't work (was OpenSSH and RSA authentication problems)

[Peter Buckley]

Ummm.... Egor, what are you talking about? 
Have you tried the same commands on "any 
flavor of unix"? 

Chmod DOES work as I suppose it to. I tried 
the same commands, on SunOs 5.7, and they worked 
just fine. No errors, and I got the expected results. 

/home/pbuckley $touch example_file
/home/pbuckley $ls -la example_file
-rw-r--r--   1 pbuckley ccase          0 Oct  5 09:57 example_file
/home/pbuckley $chmod 777 example_file 
/home/pbuckley $ls -la example_file
-rwxrwxrwx   1 pbuckley ccase          0 Oct  5 09:57 example_file

And about chown- I am an administrator on my NT machine. And 
I have changed ownership before, when I was setting 
up SSH according to Mike Erdely's instructions. 

It is just now that I am trying this example that chown 
doesn't work- and I have done an upgrade (last month?)
to cygwin 1.3.3 *after* I knew chown was working when 
I setup SSH and chown-ed files to system.system. 

So my question is still unanswered- why doesn't 
chmod/chown + ntsec work anymore?

TIA,
Peter


egor duda wrote:
> 
> Hi!
> 
> Friday, 05 October, 2001 Peter Buckley peter.buckley@cportcorp.com wrote:
> 
> PB> I saw one other post that said that you should
> PB> make sure CYGWIN is set to "ntsec" but that doesn't
> PB> necessarily mean that chmod or chown is going to work.
> 
> PB> I tried your example from a bash shell on my system,
> PB> with CYGWIN=binmode tty ntsec. Of course, chmod didn't
> PB> work right. You can see from the following output that
> PB> chmod worked in some cases, and chown definitely
> PB> didn't work. I checked the FAQ, the archives, and the
> PB> documentation, but there seem to only be suggestions
> PB> to "set CYGWIN=ntsec" and "you can't use chmod on 95/98".
> 
> PB> This seems like the root of your SSH problem Dave, I just
> PB> wish I knew why chmod didn't work.
> 
> chmod shouldn't work as you suppose it have to. try the same commands
> on any unix. you'll get the same diagnostics.
> 
> PB> /home/pbuckley $ touch example_file
> PB> /home/pbuckley $ ls -la example_file
> PB> -rw-rw-rw-    1 pbuckley Domain U        0 Oct  5 08:47 example_file
> PB> /home/pbuckley $ chown system.system example_file
> PB> chown: changing ownership of `example_file': Permission denied
> 
> ordinary user can't change object ownership. this is the way the POSIX
> works.
> 
> Egor.            mailto:deo@logos-m.ru ICQ 5165414 FidoNet 2:5020/496.19
> 
> --
> Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple
> Bug reporting:         http://cygwin.com/bugs.html
> Documentation:         http://cygwin.com/docs.html
> FAQ:                   http://cygwin.com/faq/

-- 
Your mouse has moved.
Windows NT must be restarted for the change to take effect.
Reboot now?  [OK]

--

--
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple
Bug reporting:         http://cygwin.com/bugs.html
Documentation:         http://cygwin.com/docs.html
FAQ:                   http://cygwin.com/faq/

Re: OpenSSH and RSA authentication problems

[John Peacock]

Daniel Steinmann wrote:
> 
> 
> Did you set CYGWIN=ntsec in your environment?
> 

I have been having much better luck with CYGWIN="ntea ntsec" than with
"ntsec" alone.  I also noticed that things worked better when I went
through and reinstalled the software in question AFTER I set the CYGWIN
environment variable.

However, and this may be an issue, my NT user is a Domain Administrator
equivalent...

YMMV

John

-- 
John Peacock
Director of Information Research and Technology
Rowman & Littlefield Publishing Group
4720 Boston Way
Lanham, MD 20706
301-459-3366 x.5010
fax 301-429-5747

--
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple
Bug reporting:         http://cygwin.com/bugs.html
Documentation:         http://cygwin.com/docs.html
FAQ:                   http://cygwin.com/faq/

Re: chmod/chown + ntsec doesn't work (was OpenSSH and RSA authentication problems)

[Peter Buckley]

Okay, welcome to the twilight zone. All of a sudden, 
chmod started working. Now I can't reproduce the 
problem anymore. I haven't changed anything tricky, 
like opening additional applications on my machine 
or anything. But, chown still doesn't work. And 
we can still say that chmod doesn't work intermittently, 
although I hope it never stops working again 
randomly. 

There is a fifth dimension beyond that which is
known to man...
-Peter

Peter Buckley wrote:
> 
> Ummm.... Egor, what are you talking about?
> Have you tried the same commands on "any
> flavor of unix"?
> 
> Chmod DOES work as I suppose it to. I tried
> the same commands, on SunOs 5.7, and they worked
> just fine. No errors, and I got the expected results.
> 
> /home/pbuckley $touch example_file
> /home/pbuckley $ls -la example_file
> -rw-r--r--   1 pbuckley ccase          0 Oct  5 09:57 example_file
> /home/pbuckley $chmod 777 example_file
> /home/pbuckley $ls -la example_file
> -rwxrwxrwx   1 pbuckley ccase          0 Oct  5 09:57 example_file
> 
> And about chown- I am an administrator on my NT machine. And
> I have changed ownership before, when I was setting
> up SSH according to Mike Erdely's instructions.
> 
> It is just now that I am trying this example that chown
> doesn't work- and I have done an upgrade (last month?)
> to cygwin 1.3.3 *after* I knew chown was working when
> I setup SSH and chown-ed files to system.system.
> 
> So my question is still unanswered- why doesn't
> chmod/chown + ntsec work anymore?
> 
> TIA,
> Peter
> 
> egor duda wrote:
> >
> > Hi!
> >
> > Friday, 05 October, 2001 Peter Buckley peter.buckley@cportcorp.com wrote:
> >
> > PB> I saw one other post that said that you should
> > PB> make sure CYGWIN is set to "ntsec" but that doesn't
> > PB> necessarily mean that chmod or chown is going to work.
> >
> > PB> I tried your example from a bash shell on my system,
> > PB> with CYGWIN=binmode tty ntsec. Of course, chmod didn't
> > PB> work right. You can see from the following output that
> > PB> chmod worked in some cases, and chown definitely
> > PB> didn't work. I checked the FAQ, the archives, and the
> > PB> documentation, but there seem to only be suggestions
> > PB> to "set CYGWIN=ntsec" and "you can't use chmod on 95/98".
> >
> > PB> This seems like the root of your SSH problem Dave, I just
> > PB> wish I knew why chmod didn't work.
> >
> > chmod shouldn't work as you suppose it have to. try the same commands
> > on any unix. you'll get the same diagnostics.
> >
> > PB> /home/pbuckley $ touch example_file
> > PB> /home/pbuckley $ ls -la example_file
> > PB> -rw-rw-rw-    1 pbuckley Domain U        0 Oct  5 08:47 example_file
> > PB> /home/pbuckley $ chown system.system example_file
> > PB> chown: changing ownership of `example_file': Permission denied
> >
> > ordinary user can't change object ownership. this is the way the POSIX
> > works.
> >
> > Egor.            mailto:deo@logos-m.ru ICQ 5165414 FidoNet 2:5020/496.19
> >
> > --
> > Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple
> > Bug reporting:         http://cygwin.com/bugs.html
> > Documentation:         http://cygwin.com/docs.html
> > FAQ:                   http://cygwin.com/faq/
> 
> --
> Your mouse has moved.
> Windows NT must be restarted for the change to take effect.
> Reboot now?  [OK]
> 
> --
> 
> --
> Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple
> Bug reporting:         http://cygwin.com/bugs.html
> Documentation:         http://cygwin.com/docs.html
> FAQ:                   http://cygwin.com/faq/

-- 
Your mouse has moved.
Windows NT must be restarted for the change to take effect.
Reboot now?  [OK]

--

--
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple
Bug reporting:         http://cygwin.com/bugs.html
Documentation:         http://cygwin.com/docs.html
FAQ:                   http://cygwin.com/faq/

Re: chmod/chown + ntsec doesn't work (was OpenSSH and RSA authentication problems)

[David J. Wilson]

On Fri, Oct 05, 2001 at 05:37:58PM +0400, egor duda wrote:
> ordinary user can't change object ownership. this is the way the POSIX
> works.

True, but my account is set to Administrator...
aynway, setting to to ntsec was definitely something I'd overlooked.  It 
was not, however the problem.

The problem was that the system account had no access to my home directory.
It's just something that never occurred to me.  I suppose I had automatically
assumed that the system account would be able to read any file it wanted.
I knew better of course, just didn't think of it...

So, now it works fine, and now I'm able to use CVS securely without having
to enter a password every time. 

Thanks everyone who responded

Dave


--
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple
Bug reporting:         http://cygwin.com/bugs.html
Documentation:         http://cygwin.com/docs.html
FAQ:                   http://cygwin.com/faq/

Re: chmod/chown + ntsec doesn't work (was OpenSSH and RSA authentication problems)

[David J. Wilson]

On Fri, Oct 05, 2001 at 10:40:10AM -0400, Peter Buckley wrote:
> Okay, welcome to the twilight zone. All of a sudden, 
> chmod started working. Now I can't reproduce the 
> problem anymore. I haven't changed anything tricky, 
> like opening additional applications on my machine 
> or anything. But, chown still doesn't work. And 
> we can still say that chmod doesn't work intermittently, 
> although I hope it never stops working again 
> randomly. 

Mine actually seems to work now:
[vlastyn@sundown:~] touch example_file
[vlastyn@sundown:~] ls -la example_file
   0 -rw-r--r--    1 vlastyn  None            0 Oct  5 10:49 example_file
[vlastyn@sundown:~] chown system.system example_file
[vlastyn@sundown:~] ls -la example_file
   0 -rw-r--r--    1 SYSTEM   SYSTEM          0 Oct  5 10:47 example_file
[vlastyn@sundown:~] chmod 777 example_file
[vlastyn@sundown:~] ls -al example_file
   0 -rwxrwxrwx    1 SYSTEM   SYSTEM          0 Oct  5 10:47 example_file*
[vlastyn@sundown:~] chmod 000 example_file
[vlastyn@sundown:~] ls -la example_file
   0 ----------    1 SYSTEM   SYSTEM          0 Oct  5 10:47 example_file
[vlastyn@sundown:~] rm example_file
rm: remove write-protected file `example_file'? y
[vlastyn@sundown:~]

I wonder why it isn't working for you?  I set CYGWIN=ntsec in my shell
and as an environment variable in Windows 2000.  Had to reboot for the
latter to take effect...

Dave

--
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple
Bug reporting:         http://cygwin.com/bugs.html
Documentation:         http://cygwin.com/docs.html
FAQ:                   http://cygwin.com/faq/

Re: chmod/chown + ntsec doesn't work (was OpenSSH and RSA authentication problems)

[Jason Tishler]

Peter,

On Fri, Oct 05, 2001 at 10:40:10AM -0400, Peter Buckley wrote:
> But, chown still doesn't work.

I just stumbled over chown not working under certain conditions from
a ssh login myself.  If I ssh into a domain machine without supplying
a password, then I seem to be restricted in the operations that I
can do -- even though I am a member of the local Administrators group.
For example, I cannot chown a (local) file nor start/stop a service.
However, if I ssh via password exchange, then I can perform these operations.

On the other hand, if I ssh to a workgroup machine, then I can perform
these operations regardless of how I authenticate.

I know that it has been noted that one cannot access network shares from
a ssh login due to running under the LocalSystem account.  But, I was
surprised by the chown and start/stop service restrictions since I
perceived them to be local operations.

Anyway, I'm not sure if you are in a domain environment or not.  But if
you are, then this could explain the behavior that you were observing.

Jason

--
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple
Bug reporting:         http://cygwin.com/bugs.html
Documentation:         http://cygwin.com/docs.html
FAQ:                   http://cygwin.com/faq/

autoconf question

[Cheuk Cheng]

Hi, does anyone know what macros to use (when writing configure.in) to add
conditional statements to surround variable definitions within makefiles
generated by autoconf?  I am trying to have something similar to the
following inside the makefile created by autoconf.

ifeq($myvar,)
myvar = some_value_defined_inside_configure_in_using_AC_DEFINE
else
# use the existing value of $myvar, which can be passed on the commandline
when invoking make
endif

Thanks.



--
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple
Bug reporting:         http://cygwin.com/bugs.html
Documentation:         http://cygwin.com/docs.html
FAQ:                   http://cygwin.com/faq/

Re: chmod/chown + ntsec doesn't work (was OpenSSH and RSA authentication problems)

[Corinna Vinschen]

On Thu, Oct 25, 2001 at 02:12:44PM -0400, Jason Tishler wrote:
> Peter,
> 
> On Fri, Oct 05, 2001 at 10:40:10AM -0400, Peter Buckley wrote:
> > But, chown still doesn't work.
> 
> I just stumbled over chown not working under certain conditions from
> a ssh login myself.  If I ssh into a domain machine without supplying
> a password, then I seem to be restricted in the operations that I
> can do -- even though I am a member of the local Administrators group.
> For example, I cannot chown a (local) file nor start/stop a service.
> However, if I ssh via password exchange, then I can perform these operations.
> 
> On the other hand, if I ssh to a workgroup machine, then I can perform
> these operations regardless of how I authenticate.
> 
> I know that it has been noted that one cannot access network shares from
> a ssh login due to running under the LocalSystem account.  But, I was
> surprised by the chown and start/stop service restrictions since I
> perceived them to be local operations.

I'm surprised, too.  I don't have a domain environment so I can't
test that further.  Are you sure that you're not just restricted
due to either having /etc/passwd or /etc/group not setup correctly
or actually having restrictions due to domain policy?

Corinna

-- 
Corinna Vinschen                  Please, send mails regarding Cygwin to
Cygwin Developer                                mailto:cygwin@cygwin.com
Red Hat, Inc.

--
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple
Bug reporting:         http://cygwin.com/bugs.html
Documentation:         http://cygwin.com/docs.html
FAQ:                   http://cygwin.com/faq/

Re: chmod/chown + ntsec doesn't work (was OpenSSH and RSA authentication problems)

[Jason Tishler]

Corrina,

On Fri, Oct 26, 2001 at 08:00:24PM +0200, Corinna Vinschen wrote:
> On Thu, Oct 25, 2001 at 02:12:44PM -0400, Jason Tishler wrote:
> > I know that it has been noted that one cannot access network shares from
> > a ssh login due to running under the LocalSystem account.  But, I was
> > surprised by the chown and start/stop service restrictions since I
> > perceived them to be local operations.
> 
> I'm surprised, too.  I don't have a domain environment so I can't
> test that further.  Are you sure that you're not just restricted
> due to either having /etc/passwd or /etc/group not setup correctly

AFAICT, I have set up my passwd/group file correctly.  The procedure
that I use in a domain environment is execute mkpasswd/mkgroup -l and
then append the appropriate entries from mkpasswd/mkgroup -d.

> or actually having restrictions due to domain policy?

I'm not sure what you mean by "domain policy."  Can a Windows domain
policy cause the restrictions being observed?

Nevertheless, I now better understand why chown was not working under
ssh via key exchange:

$ ssh tishlmob2d1m701 id
uid=12986(jtishler) gid=10513(Domain Users) groups=0(Everyone),545(Users),10513(Domain Users),12093(Software Engineering)

Note that Windows does not think that I am in the local Administrators
group.  Hence, I'm not able to chown, net start/stop, etc.

But, if I ssh via password exchange:

$ ssh -1 tishlmob2d1m701 id
jtishler@tishlmob2d1m701's password: 
uid=12986(jtishler) gid=10513(Domain Users) groups=0(Everyone),544(Administrators),545(Users),10513(Domain Users),12093(Software Engineering)

then Windows does.  Why?  Unfortunately, I don't (currently) know.

Here is another example:

$ ssh raidboston id
uid=12986(jtishler) gid=10513(Domain Users) groups=0(Everyone),545(Users),10513(Domain Users),12093(Software Engineering

$ ssh -1 raidboston id
jtishler@raidboston's password: 
uid=12986(jtishler) gid=10513(Domain Users) groups=0(Everyone),544(Administrators),545(Users),1001(cvs-change-local),1000(cvsfull-local),10513(Domain Users),12093(Software Engineering)

Note that cvs-change-local and cvsfull-local are local groups.  So,
it appears that when one uses ssh key exchange to a domain machine,
then Windows does not think that the user is a member of any local group
except possibly Everyone.  Is Everyone a local or domain group?

BTW, the local group membership problem also affects cron usage in domain
environments -- to no great surprise.

Jason

--
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple
Bug reporting:         http://cygwin.com/bugs.html
Documentation:         http://cygwin.com/docs.html
FAQ:                   http://cygwin.com/faq/

Re: chmod/chown + ntsec doesn't work (was OpenSSH and RSA authentication problems)

[Corinna Vinschen]

On Mon, Oct 29, 2001 at 07:48:44AM -0500, Jason Tishler wrote:
> Corrina,

s/rrin/rinn

> Nevertheless, I now better understand why chown was not working under
> ssh via key exchange:
> 
> $ ssh tishlmob2d1m701 id
> uid=12986(jtishler) gid=10513(Domain Users) groups=0(Everyone),545(Users),10513(Domain Users),12093(Software Engineering)
> 
> Note that Windows does not think that I am in the local Administrators
> group.  Hence, I'm not able to chown, net start/stop, etc.
> 
> But, if I ssh via password exchange:
> 
> $ ssh -1 tishlmob2d1m701 id
> jtishler@tishlmob2d1m701's password: 
> uid=12986(jtishler) gid=10513(Domain Users) groups=0(Everyone),544(Administrators),545(Users),10513(Domain Users),12093(Software Engineering)
> 
> then Windows does.  Why?  Unfortunately, I don't (currently) know.

Hmm, Dunno.  That's sort of a leak in the create_token() code in
security.cc but I don't see how that can happen.  When performing
a password login, the user token is created by Windows itself while
in case of pubkey authentication I have to create the new token by
myself.

Jason, you are working on Cygwin code so you could take a look into it.

Let's begin in create_token() itself, line 761 calls get_group_sidlist()
which creates a list of SIDs of all groups the user is a member of.
In get_group_sidlist(), line 518 I'm calling get_user_groups() to
retrieve the list of global (domain) groups, followed by a call to
get_user_local_groups(), line 519, which retrieves the list of local
groups the user is member of.  To do that, the function NetUserGetGroups()
is used for getting the list of global groups.

To get all local groups, first NetLocalGroupEnum() is called and then
(in function is_group_member()) for all local group I'm calling
NetLocalGroupGetMembers() to check if either the user is a direct
member of that local group or one of his global groups is member of
that local group.  This way, all groups of the user should have been
retrieved.

Do you (or does anybody) see an error here?

Corinna

-- 
Corinna Vinschen                  Please, send mails regarding Cygwin to
Cygwin Developer                                mailto:cygwin@cygwin.com
Red Hat, Inc.

--
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple
Bug reporting:         http://cygwin.com/bugs.html
Documentation:         http://cygwin.com/docs.html
FAQ:                   http://cygwin.com/faq/

Re: chmod/chown + ntsec doesn't work (was OpenSSH and RSA authentication problems)

[Jason Tishler]

Corinna,

On Tue, Oct 30, 2001 at 01:05:16AM +0100, Corinna Vinschen wrote:
> Never mind.  I found a test environment and I have checked in a patch.
> Could you test the current Cygwin from CVS, though?  Just to be sure.
> You should have 544(Administrators) in your supplementary group list
> now even with public key authentication.

I just checked both of my domain environments and all appropriate local
groups are part of my supplementary group list under ssh public key
authentication.  Ditto for cron too.

Thanks for the speedy fix!

Jason

--
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple
Bug reporting:         http://cygwin.com/bugs.html
Documentation:         http://cygwin.com/docs.html
FAQ:                   http://cygwin.com/faq/