SSHD, Cygwin and Windows 2003

SSHD, Cygwin and Windows 2003

[Mark J de Jong]

[-- Attachment #1: Type: text/plain, Size: 1539 bytes --]

Hello,
I've looked and couldn't find decent docs on this so for those of you
who are lookin', this is a quick howto on how to setup the
Cygwin/OpenSSH daemon on M$ Windows 2003. This will fix the passwordless
(ssh key) login issue.

1. Install Cygwin with the openssh binaries....
2. After completing the Cygwin setup, goto the cygwin command prompt and
type 'ssh-host-config'
3. Answer 'y' when asked if you want to sshd with privilege separation.
4. Answer 'y' when asked if user sshd should be created by the script.
5. Answer 'y' when asked if you want sshd to be created as a service.
6. Create a new windows user named "sshdproc" or whatever you wish the
sshd process account username to be. If you happen to notice the sshd
user being disabled, don't enable it!
7. Place the sshdproc user in the "Administrators" group.
8. Give the sshdproc user the following system rights:
	* Create a token object
	* Log on as a service
	* Replace a process level token

	And for security.....
	* Deny log on locally
	* Deny access to this computer from the network

9. Reconfigure the "CYGWIN sshd service" to run as the new "sshdproc"
user.
10. At the cygwin command prompt type 'mkpasswd -l |grep sshdproc >>
/etc/passwd <enter>'
11. Type 'touch /var/log/sshd.log <enter>'
12. Type 'chmod 644 /var/log/sshd.log <enter>'
11. Type 'chown sshdproc /var/empty /var/log/sshd.log /etc/ssh_*
<enter>'
12. Type 'cygrunsrv --start sshd <enter>'

That should be it.. Hope this helps! :)

Best,
Mark J. de Jong



[-- Attachment #2: This is a digitally signed message part --]
[-- Type: application/pgp-signature, Size: 189 bytes --]

Manipulating user privileges (was Re: SSHD, Cygwin and Windows 2003)

[Corinna Vinschen]

On Mon, Sep 15, 2003 at 03:29:48PM -0400, Mark J de Jong wrote:
> Hello,
> I've looked and couldn't find decent docs on this so for those of you
> who are lookin', this is a quick howto on how to setup the
> Cygwin/OpenSSH daemon on M$ Windows 2003. This will fix the passwordless
> (ssh key) login issue.
> 
> 1. Install Cygwin with the openssh binaries....
> 2. After completing the Cygwin setup, goto the cygwin command prompt and
> type 'ssh-host-config'
> 3. Answer 'y' when asked if you want to sshd with privilege separation.
> 4. Answer 'y' when asked if user sshd should be created by the script.
> 5. Answer 'y' when asked if you want sshd to be created as a service.
> 6. Create a new windows user named "sshdproc" or whatever you wish the
> sshd process account username to be. If you happen to notice the sshd
> user being disabled, don't enable it!
> 7. Place the sshdproc user in the "Administrators" group.
> 8. Give the sshdproc user the following system rights:
> 	* Create a token object
> 	* Log on as a service
> 	* Replace a process level token
> 
> 	And for security.....
> 	* Deny log on locally
> 	* Deny access to this computer from the network
> 
> 9. Reconfigure the "CYGWIN sshd service" to run as the new "sshdproc"
> user.
> 10. At the cygwin command prompt type 'mkpasswd -l |grep sshdproc >>
> /etc/passwd <enter>'
> 11. Type 'touch /var/log/sshd.log <enter>'
> 12. Type 'chmod 644 /var/log/sshd.log <enter>'
> 11. Type 'chown sshdproc /var/empty /var/log/sshd.log /etc/ssh_*
> <enter>'
> 12. Type 'cygrunsrv --start sshd <enter>'
> 
> That should be it.. Hope this helps! :)

It should.  Thanks for this description, it's exactly what is needed
in the mailing list archive.

Btw., the ssh-host-config already creates the sshd account, that's easy
from the command line.  But creating a useful sshdproc account as above
requires to be able to set user privileges like the famous "Create a
token object" privilege.  Does anybody know a way how to do this on the
command line which would allow ssh-host-config to do the above more or
less automagically?  If such a command line tool doesn't exist as part
of NT/2K/XP/03, would anybody be willing to create a simple command line
tool for inclusion in Cygwin?  It would be sufficient if that tool could
manipulate the above user privileges of an already existing user account.

Anybody?

It would be nice(TM) if we would move slowly to a Cygwin account called,
say, "root" with uid 0, so that all these sick handling of the SYSTEM
account with uid 18 could be dropped in favor of that root account.  It
would also be more naturally to people coming from a UNIX background.
A tool as the above would help to automate this as far as possible.

Corinna

-- 
Corinna Vinschen                  Please, send mails regarding Cygwin to
Cygwin Developer                                mailto:cygwin@cygwin.com
Red Hat, Inc.

--
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple
Problem reports:       http://cygwin.com/problems.html
Documentation:         http://cygwin.com/docs.html
FAQ:                   http://cygwin.com/faq/

Re: Manipulating user privileges (was Re: SSHD, Cygwin and Windows 2003)

[Brian Dessent]

Corinna Vinschen wrote:

> Btw., the ssh-host-config already creates the sshd account, that's easy
> from the command line.  But creating a useful sshdproc account as above
> requires to be able to set user privileges like the famous "Create a
> token object" privilege.  Does anybody know a way how to do this on the
> command line which would allow ssh-host-config to do the above more or
> less automagically?  If such a command line tool doesn't exist as part
> of NT/2K/XP/03, would anybody be willing to create a simple command line
> tool for inclusion in Cygwin?  It would be sufficient if that tool could
> manipulate the above user privileges of an already existing user account.

The Resource Kit from MS contains the tool "Ntrights.exe" which looks
like it can do this:

$ ./Ntrights.exe 
NTRights.Exe - Beta Version by Georg Zanzen
Grants/Revokes NT-Rights to a user/group
usage: -u xxx  User/Group
       -m \\xxx  machine to perform the operation on (default local
machine)
       -e xxxxx Add xxxxx to the event log
       -r xxx  revokes the xxx right
       +r xxx  grants the xxx right
valid NTRights are:
  SeCreateTokenPrivilege
  SeAssignPrimaryTokenPrivilege
  SeLockMemoryPrivilege
  SeIncreaseQuotaPrivilege
  SeUnsolicitedInputPrivilege
  SeMachineAccountPrivilege
  SeTcbPrivilege
  SeSecurityPrivilege
  SeTakeOwnershipPrivilege
  SeLoadDriverPrivilege
  SeSystemProfilePrivilege
  SeSystemtimePrivilege
  SeProfileSingleProcessPrivilege
  SeIncreaseBasePriorityPrivilege
  SeCreatePagefilePrivilege
  SeCreatePermanentPrivilege
  SeBackupPrivilege
  SeRestorePrivilege
  SeShutdownPrivilege
  SeAuditPrivilege
  SeSystemEnvironmentPrivilege
  SeChangeNotifyPrivilege
  SeRemoteShutdownPrivilege

I don't know exactly what the license or distribution policy is for
resource kit tools.  Microsoft wants you to buy their "Admin Pack" or
whatever it's called with all the tools on CD.  They offer some of them
on their site for download at
<http://www.microsoft.com/windows2000/techinfo/reskit/tools/default.asp>,
however you can find the the omitted ones like Ntrights.exe at other
places like <http://www.petri.co.il/download_free_reskit_tools.htm>.  As
far as inclusion with Cygwin, I have no idea if that would be legit or
not.

Brian

--
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple
Problem reports:       http://cygwin.com/problems.html
Documentation:         http://cygwin.com/docs.html
FAQ:                   http://cygwin.com/faq/

Re: Manipulating user privileges (was Re: SSHD, Cygwin and Windows 2003)

[Corinna Vinschen]

On Tue, Sep 16, 2003 at 03:55:10AM -0700, Brian Dessent wrote:
> Corinna Vinschen wrote:
> >   Does anybody know a way how to do this on the
> > command line which would allow ssh-host-config to do the above more or
> > less automagically?  If such a command line tool doesn't exist as part
> > of NT/2K/XP/03, would anybody be willing to create a simple command line
> > tool for inclusion in Cygwin?  It would be sufficient if that tool could
> > manipulate the above user privileges of an already existing user account.
> 
> The Resource Kit from MS contains the tool "Ntrights.exe" which looks
> like it can do this:
> [...]
> As far as inclusion with Cygwin, I have no idea if that would be legit or
> not.

A cygwin tool should be available in source and buildable with gcc so
just shipping ntrights.exe with Cygwin is a no-no.

The problem with using ntrights.exe is the fact, that it's not part of
the OS.  Therefore scripts like ssh-host-config or postinstall scripts
can't rely on it's existance.  So, I guess we will have to have some
self-written tool to do basically the same as ntrights.exe

Corinna

-- 
Corinna Vinschen                  Please, send mails regarding Cygwin to
Cygwin Developer                                mailto:cygwin@cygwin.com
Red Hat, Inc.

--
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple
Problem reports:       http://cygwin.com/problems.html
Documentation:         http://cygwin.com/docs.html
FAQ:                   http://cygwin.com/faq/

Re: Manipulating user privileges (was Re: SSHD, Cygwin and Windows 2003)

[Chris Rodgers]

> Btw., the ssh-host-config already creates the sshd account, that's easy
> from the command line.  But creating a useful sshdproc account as above
> requires to be able to set user privileges like the famous "Create a
> token object" privilege.  Does anybody know a way how to do this on the
> command line which would allow ssh-host-config to do the above more or
> less automagically?  If such a command line tool doesn't exist as part
> of NT/2K/XP/03, would anybody be willing to create a simple command line
> tool for inclusion in Cygwin?  It would be sufficient if that tool could
> manipulate the above user privileges of an already existing user account.
>
> Anybody?

Me.

I have knocked up a small tool to add/remove/list user rights from the
command line. How do I go about contributing this?

The current (unpolished) version is at http://rodgers.org.uk/EditRights.zip

Chris Rodgers


--
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple
Problem reports:       http://cygwin.com/problems.html
Documentation:         http://cygwin.com/docs.html
FAQ:                   http://cygwin.com/faq/

Re: Manipulating user privileges (was Re: SSHD, Cygwin and Windows 2003)

[Corinna Vinschen]

On Thu, Sep 18, 2003 at 01:09:58AM +0100, Chris Rodgers wrote:
> > Btw., the ssh-host-config already creates the sshd account, that's easy
> > from the command line.  But creating a useful sshdproc account as above
> > requires to be able to set user privileges like the famous "Create a
> > token object" privilege.  Does anybody know a way how to do this on the
> > command line which would allow ssh-host-config to do the above more or
> > less automagically?  If such a command line tool doesn't exist as part
> > of NT/2K/XP/03, would anybody be willing to create a simple command line
> > tool for inclusion in Cygwin?  It would be sufficient if that tool could
> > manipulate the above user privileges of an already existing user account.
> >
> > Anybody?
> 
> Me.
> 
> I have knocked up a small tool to add/remove/list user rights from the
> command line. How do I go about contributing this?
> 
> The current (unpolished) version is at http://rodgers.org.uk/EditRights.zip

Cool!  How you can contribute it depends on the licensing and how much
work you are willing to invest.  Do you want to put it under some GPL or
BSD license?  Or do you want to keep everything together as it is? 
Then create a package as described under http://cygwin.com/setup.html

The somewhat difficult way would be to put editrights into the Cygwin
package itself.  It requires editrights to be buildable as part of the
Cygwin utils subdirectory (you would have to change your tool a bit...)
and especially it requires editrights to be put under the Cygwin license
and you would have to assign the copyright to Red Hat.  See
http://cygwin.com/contrib.html.

Even though I'd love to see it as a Cygwn tool, I guess the first option
is the easier one.  In that case it should become a package in the 'Base'
category.

Oh, is there a chance to get also a -l option to list existing rights
for a user?!?


Thanks,
Corinna

-- 
Corinna Vinschen                  Please, send mails regarding Cygwin to
Cygwin Developer                                mailto:cygwin@cygwin.com
Red Hat, Inc.

--
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple
Problem reports:       http://cygwin.com/problems.html
Documentation:         http://cygwin.com/docs.html
FAQ:                   http://cygwin.com/faq/

Re: Manipulating user privileges (was Re: SSHD, Cygwin and Windows 2003)

[Chris Rodgers]

> Cool!  How you can contribute it depends on the licensing and how much
> work you are willing to invest.  Do you want to put it under some GPL or
> BSD license?  Or do you want to keep everything together as it is?
> Then create a package as described under http://cygwin.com/setup.html
...
> Even though I'd love to see it as a Cygwn tool, I guess the first option
> is the easier one.  In that case it should become a package in the 'Base'
> category.

OK. I've had a crack at this. The packages can be found at:
http://rodgers.org.uk/editrights/
and are released under a BSD-style licence.

> Oh, is there a chance to get also a -l option to list existing rights
> for a user?!?

The tool always lists the user rights. I thought that it would decrease the
odds of someone making unintended changes. I could always make this optional
if that would be best?

Chris.


--
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple
Problem reports:       http://cygwin.com/problems.html
Documentation:         http://cygwin.com/docs.html
FAQ:                   http://cygwin.com/faq/

Re: Manipulating user privileges (was Re: SSHD, Cygwin and Windows 2003)

[Corinna Vinschen]

On Mon, Sep 22, 2003 at 09:43:45PM +0100, Chris Rodgers wrote:
> OK. I've had a crack at this. The packages can be found at:
> http://rodgers.org.uk/editrights/
> and are released under a BSD-style licence.

Would you mind to send an ITP message to cygwin-apps@cygwin.com as
described under http://cygwin.com/setup.html#submitting?

The package is more or less preapproved but I would like to discuss
a few details (on cygwin-apps, which is the appropriate list for
package maintainer discussions). 

E.g. adding and removing and listing are very talkative by default.
While the listing option allows to add a -q option, this doesn't work
for -a and -r.

It's your tool, after all, but IMHO it would be more suitable for
scripting to turn around the behaviour:  No output on -a and -r if
they work, error output otherwise, only listing the rights with -l.
The lot of output only with additional verbose option.


Corinna

-- 
Corinna Vinschen                  Please, send mails regarding Cygwin to
Cygwin Developer                                mailto:cygwin@cygwin.com
Red Hat, Inc.

--
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple
Problem reports:       http://cygwin.com/problems.html
Documentation:         http://cygwin.com/docs.html
FAQ:                   http://cygwin.com/faq/

Re: Manipulating user privileges (was Re: SSHD, Cygwin and Windows 2003)

[Igor Pechtchanski]

On Tue, 23 Sep 2003, Corinna Vinschen wrote:

> On Mon, Sep 22, 2003 at 09:43:45PM +0100, Chris Rodgers wrote:
> > OK. I've had a crack at this. The packages can be found at:
> > http://rodgers.org.uk/editrights/
> > and are released under a BSD-style licence.
>
> Would you mind to send an ITP message to cygwin-apps@cygwin.com as
> described under http://cygwin.com/setup.html#submitting?
>
> The package is more or less preapproved but I would like to discuss
> a few details (on cygwin-apps, which is the appropriate list for
> package maintainer discussions).
>
> E.g. adding and removing and listing are very talkative by default.
> While the listing option allows to add a -q option, this doesn't work
> for -a and -r.
>
> It's your tool, after all, but IMHO it would be more suitable for
> scripting to turn around the behaviour:  No output on -a and -r if
> they work, error output otherwise, only listing the rights with -l.
> The lot of output only with additional verbose option.
>
> Corinna

Also error codes on failure, and the ability to check whether a user has
certain rights (without using grep).  If we decide to adopt it as a
package, could we have a CVS repository for it under cygwin-apps (like for
cygrunsrv), controlled by Chris (Rodgers), so that people can submit
patches against CVS if need be?  Unless Chris plans to release it totally
separate from Cygwin...
	Igor
-- 
				http://cs.nyu.edu/~pechtcha/
      |\      _,,,---,,_		pechtcha@cs.nyu.edu
ZZZzz /,`.-'`'    -.  ;-;;,_		igor@watson.ibm.com
     |,4-  ) )-,_. ,\ (  `'-'		Igor Pechtchanski, Ph.D.
    '---''(_/--'  `-'\_) fL	a.k.a JaguaR-R-R-r-r-r-.-.-.  Meow!

"I have since come to realize that being between your mentor and his route
to the bathroom is a major career booster."  -- Patrick Naughton

--
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple
Problem reports:       http://cygwin.com/problems.html
Documentation:         http://cygwin.com/docs.html
FAQ:                   http://cygwin.com/faq/

Re: Manipulating user privileges (was Re: SSHD, Cygwin and Windows 2003)

[Corinna Vinschen]

On Tue, Sep 23, 2003 at 09:24:45AM -0400, Igor Pechtchanski wrote:
> Also error codes on failure, and the ability to check whether a user has
> certain rights (without using grep).  If we decide to adopt it as a
> package, could we have a CVS repository for it under cygwin-apps (like for
> cygrunsrv), controlled by Chris (Rodgers), so that people can submit
> patches against CVS if need be?  Unless Chris plans to release it totally
> separate from Cygwin...

Setting up a CVS repository would be simple.

Corinna

-- 
Corinna Vinschen                  Please, send mails regarding Cygwin to
Cygwin Developer                                mailto:cygwin@cygwin.com
Red Hat, Inc.

--
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple
Problem reports:       http://cygwin.com/problems.html
Documentation:         http://cygwin.com/docs.html
FAQ:                   http://cygwin.com/faq/

Re: Manipulating user privileges (was Re: SSHD, Cygwin and Windows 2003)

[Igor Pechtchanski]

On Tue, 23 Sep 2003, Corinna Vinschen wrote:

> On Tue, Sep 23, 2003 at 09:24:45AM -0400, Igor Pechtchanski wrote:
> > Also error codes on failure, and the ability to check whether a user has
> > certain rights (without using grep).  If we decide to adopt it as a
> > package, could we have a CVS repository for it under cygwin-apps (like for
> > cygrunsrv), controlled by Chris (Rodgers), so that people can submit
> > patches against CVS if need be?  Unless Chris plans to release it totally
> > separate from Cygwin...
>
> Setting up a CVS repository would be simple.
>
> Corinna

Umm, yes, this was mostly a (disguised, I guess) question for Chris on
whether he wants to tie his program to Cygwin or release it independently.
	Igor
-- 
				http://cs.nyu.edu/~pechtcha/
      |\      _,,,---,,_		pechtcha@cs.nyu.edu
ZZZzz /,`.-'`'    -.  ;-;;,_		igor@watson.ibm.com
     |,4-  ) )-,_. ,\ (  `'-'		Igor Pechtchanski, Ph.D.
    '---''(_/--'  `-'\_) fL	a.k.a JaguaR-R-R-r-r-r-.-.-.  Meow!

"I have since come to realize that being between your mentor and his route
to the bathroom is a major career booster."  -- Patrick Naughton

--
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple
Problem reports:       http://cygwin.com/problems.html
Documentation:         http://cygwin.com/docs.html
FAQ:                   http://cygwin.com/faq/

RE: Manipulating user privileges (was Re: SSHD, Cygwin and Windows 2003)

[Hannu E K Nevalainen (garbage mail)]

> From: Igor Pechtchanski

> > Setting up a CVS repository would be simple.
> >
> > Corinna
>
> Umm, yes, this was mostly a (disguised, I guess) question for Chris on
> whether he wants to tie his program to Cygwin or release it independently.
> 	Igor

 Hmm... WAG: Chris is feeling the pressure build up ':-}

/Hannu E K Nevalainen, B.Sc. EE - 59?16.37'N, 17?12.60'E
-- UTC+01, DST -> UTC+02  --
--END OF MESSAGE--


--
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple
Problem reports:       http://cygwin.com/problems.html
Documentation:         http://cygwin.com/docs.html
FAQ:                   http://cygwin.com/faq/

Re: Manipulating user privileges (was Re: SSHD, Cygwin and Windows 2003)

[Chris Rodgers]

> On Tue, Sep 23, 2003 at 09:24:45AM -0400, Igor Pechtchanski wrote:
> > Also error codes on failure, and the ability to check whether a user has
> > certain rights (without using grep).  If we decide to adopt it as a
> > package, could we have a CVS repository for it under cygwin-apps (like
for
> > cygrunsrv), controlled by Chris (Rodgers), so that people can submit
> > patches against CVS if need be?  Unless Chris plans to release it
totally
> > separate from Cygwin...
>
> Setting up a CVS repository would be simple.

I am happy to store the code in a public CVS repository, especially since I
can't provide public access to my own CVS repository. Please let me know the
details off-list.

Chris


--
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple
Problem reports:       http://cygwin.com/problems.html
Documentation:         http://cygwin.com/docs.html
FAQ:                   http://cygwin.com/faq/