Date: Tue, 16 Sep 2003 10:26:00 -0000
From: Corinna Vinschen
To: cygwin@cygwin.com
Subject: Manipulating user privileges (was Re: SSHD, Cygwin and Windows 2003)
Message-ID: <20030916101310.GP9981@cygbert.vinschen.de>
In-Reply-To: <1063654188.1917.126.camel@localhost>

On Mon, Sep 15, 2003 at 03:29:48PM -0400, Mark J de Jong wrote:
> Hello,
> I've looked and couldn't find decent docs on this so for those of you
> who are lookin', this is a quick howto on how to setup the
> Cygwin/OpenSSH daemon on M$ Windows 2003. This will fix the passwordless
> (ssh key) login issue.
>
> 1. Install Cygwin with the openssh binaries....
> 2. After completing the Cygwin setup, goto the cygwin command prompt and
> type 'ssh-host-config'
> 3. Answer 'y' when asked if you want to sshd with privilege separation.
> 4. Answer 'y' when asked if user sshd should be created by the script.
> 5. Answer 'y' when asked if you want sshd to be created as a service.
> 6. Create a new windows user named "sshdproc" or whatever you wish the
> sshd process account username to be. If you happen to notice the sshd
> user being disabled, don't enable it!
> 7. Place the sshdproc user in the "Administrators" group.
> 8. Give the sshdproc user the following system rights:
> * Create a token object
> * Log on as a service
> * Replace a process level token
>
> And for security.....
> * Deny log on locally
> * Deny access to this computer from the network
>
> 9. Reconfigure the "CYGWIN sshd service" to run as the new "sshdproc"
> user.
> 10. At the cygwin command prompt type 'mkpasswd -l |grep sshdproc >>
> /etc/passwd '
> 11. Type 'touch /var/log/sshd.log '
> 12. Type 'chmod 644 /var/log/sshd.log '
> 11. Type 'chown sshdproc /var/empty /var/log/sshd.log /etc/ssh_*
> '
> 12. Type 'cygrunsrv --start sshd '
>
> That should be it.. Hope this helps! :)

It should. Thanks for this description, it's exactly what is needed in
the mailing list archive.

Btw., the ssh-host-config already creates the sshd account, that's easy
from the command line. But creating a useful sshdproc account as above
requires being able to set user privileges like the famous "Create a
token object" privilege. Does anybody know a way to do this on the
command line which would allow ssh-host-config to do the above more or
less automagically?

If such a command line tool doesn't exist as part of NT/2K/XP/03, would
anybody be willing to create a simple command line tool for inclusion in
Cygwin? It would be sufficient if that tool could manipulate the above
user privileges of an already existing user account. Anybody?

It would be nice(TM) if we would move slowly to a Cygwin account called,
say, "root" with uid 0, so that all this sick handling of the SYSTEM
account with uid 18 could be dropped in favor of that root account. It
would also be more natural to people coming from a UNIX background. A
tool as the above would help to automate this as far as possible.

Corinna

-- 
Corinna Vinschen                  Please, send mails regarding Cygwin to
Cygwin Developer                                mailto:cygwin@cygwin.com
Red Hat, Inc.
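Added example, not part of the original mail and not Cygwin code: a check of the rights listed in step 8 of the quoted howto against a policy file written by `secedit /export /cfg <file> /areas USER_RIGHTS`. The policy text below is a constructed sample, the function names are made up for this example, and the account is matched by name (or by SID string if you pass one).

```python
import configparser

# Display name used in step 8 of the howto -> constant used in the policy file.
REQUIRED = {
    "Create a token object": "SeCreateTokenPrivilege",
    "Log on as a service": "SeServiceLogonRight",
    "Replace a process level token": "SeAssignPrimaryTokenPrivilege",
    "Deny log on locally": "SeDenyInteractiveLogonRight",
    "Deny access to this computer from the network": "SeDenyNetworkLogonRight",
}

# Constructed sample of an exported policy file (not real output).
SAMPLE_INF = """\
[Unicode]
Unicode=yes
[Privilege Rights]
SeCreateTokenPrivilege = sshdproc
SeServiceLogonRight = *S-1-5-20,sshdproc
SeAssignPrimaryTokenPrivilege = *S-1-5-19,*S-1-5-20,sshdproc
SeDenyInteractiveLogonRight = sshdproc
SeDebugPrivilege = *S-1-5-32-544,sshdproc
"""

def rights_of(inf_text, account):
    """Return the set of right constants whose member list names `account`."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str  # keep the case of the Se* constants
    cp.read_string(inf_text)
    held = set()
    if not cp.has_section("Privilege Rights"):
        return held
    for right, members in cp.items("Privilege Rights"):
        # Members are comma separated; SIDs carry a leading '*'.
        names = {m.strip().lstrip("*").lower() for m in members.split(",")}
        if account.lstrip("*").lower() in names:
            held.add(right)
    return held

def audit(inf_text, account):
    """Return (missing, extra): howto rights not granted, rights beyond the howto's list."""
    held = rights_of(inf_text, account)
    wanted = set(REQUIRED.values())
    return sorted(wanted - held), sorted(held - wanted)

if __name__ == "__main__":
    missing, extra = audit(SAMPLE_INF, "sshdproc")
    print("missing:", missing)
    print("beyond the howto:", extra)
```

The "extra" list is worth reading as closely as the "missing" one, since the account from step 7 is already a member of Administrators and holds the token-creation right.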