* How do I run sshd as a particular user?
@ 2008-02-27 11:57 Alfred von Campe
2008-02-27 12:40 ` Larry Hall (Cygwin)
0 siblings, 1 reply; 16+ messages in thread
From: Alfred von Campe @ 2008-02-27 11:57 UTC (permalink / raw)
To: cygwin
I've read about the restrictions on accessing shares while logged
into a Windows system with the Cygwin ssh daemon. We are interested
in this to do remote builds, and it would be nice to access network
shares. We only really need one user to be able to log in, so I
thought I'd change the CYGWIN sshd service to run as that user.
However, when I changed the service and tried to start it, I got the
following error message: "The CYGWIN sshd service on Local Computer
started and then stopped." Any ideas what's going on?
I tried to revert to having the service started by the .\sshd user,
but I can't get that to work now either! I think it's because I am
using the wrong password. How can I change or reset the password on
that account?
Alfred
--
Unsubscribe info: http://cygwin.com/ml/#unsubscribe-simple
Problem reports: http://cygwin.com/problems.html
Documentation: http://cygwin.com/docs.html
FAQ: http://cygwin.com/faq/
* Re: How do I run sshd as a particular user?
2008-02-27 11:57 How do I run sshd as a particular user? Alfred von Campe
@ 2008-02-27 12:40 ` Larry Hall (Cygwin)
2008-03-26 20:35 ` Alfred von Campe
0 siblings, 1 reply; 16+ messages in thread
From: Larry Hall (Cygwin) @ 2008-02-27 12:40 UTC (permalink / raw)
To: cygwin
Alfred von Campe wrote:
> I've read about the restrictions on accessing shares while logged into a
> Windows system with the Cygwin ssh daemon. We are interested in this to
> do remote builds, and it would be nice to access network shares. We
> only really need one user to be able to log in, so I thought I'd change
> the CYGWIN sshd service to run as that user. However, when I changed
> the service and tried to start it, I got the following error message:
> "The CYGWIN sshd service on Local Computer started and then stopped."
> Any ideas what's going on?
>
> I tried to revert to having the service started by the .\sshd user, but
> I can't get that to work now either! I think it's because I am using the
> wrong password. How can I change or reset the password on that account?
How did you make this change? If you removed and reinstalled the service
with 'cygrunsrv' like the sshd configuration script does, then use the
'-W, --passwd <password>' flag. Otherwise, specify the password in
Control Panel->Administrative Tools->Services->Cygwin sshd Logon properties
page.
FWIW, the sshd_server user that the sshd configuration script will make
for you if you're on W2K3 or later has no password by default.
--
Larry Hall http://www.rfk.com
RFK Partners, Inc. (508) 893-9779 - RFK Office
216 Dalton Rd. (508) 893-9889 - FAX
Holliston, MA 01746
_____________________________________________________________________
A: Yes.
> Q: Are you sure?
>> A: Because it reverses the logical flow of conversation.
>>> Q: Why is top posting annoying in email?
* Re: How do I run sshd as a particular user?
2008-02-27 12:40 ` Larry Hall (Cygwin)
@ 2008-03-26 20:35 ` Alfred von Campe
2008-03-28 15:28 ` Alfred von Campe
0 siblings, 1 reply; 16+ messages in thread
From: Alfred von Campe @ 2008-03-26 20:35 UTC (permalink / raw)
To: cygwin
On Feb 26, 2008, at 18:29, Larry Hall (Cygwin) wrote:
>
> How did you make this change? If you removed and reinstalled the
> service
> with 'cygrunsrv' like the sshd configuration script does, then use the
> '-W, --passwd <password>' flag. Otherwise, specify the password in
> Control Panel->Administrative Tools->Services->Cygwin sshd Logon
> properties
> page.
It's not a month since Larry posted this (thanks, BTW), and this
issue has bubbled up to the top again. I have tried various ways to
get the sshd service started as a domain user (instead of the local
sshd_server user) and can not get it to work. What is the correct
syntax to specify a domain user with cygrunsrv? This is what I have
tried:
cygrunsrv -I sshd -u "DOMAINNAME\USERNAME" -w PASSWORD -d "CYGWIN sshd" -p /usr/sbin/sshd -a -D -e "CYGWIN=bin tty smbntsec" -y tcpip
This successfully installs the service, and if I look at it in the
Services panel it shows the correct username (DOMAIN\USERNAME), but
if I try to start the service I always get the error "The Cygwin sshd
service in Local Computer started and then stopped". If I substitute
sshd_server for the user and supply the correct password, the sshd
service starts correctly. But I want to start the service as a
domain user so that I can access network shares and resolve some
build issues with Visual Studio that are apparently caused by not
being fully authenticated.
Alfred
* Re: How do I run sshd as a particular user?
2008-03-26 20:35 ` Alfred von Campe
@ 2008-03-28 15:28 ` Alfred von Campe
2008-03-28 16:07 ` Larry Hall (Cygwin)
2008-03-28 17:05 ` Dave Korn
0 siblings, 2 replies; 16+ messages in thread
From: Alfred von Campe @ 2008-03-28 15:28 UTC (permalink / raw)
To: cygwin
[I'm reposting this with a couple of corrections/clarifications and
also to raise its visibility since I didn't get any responses last
time :-)]
It's been a month since Larry Hall replied to my last post on this
topic (thanks, BTW), and this issue has bubbled up to the top again.
I have tried various ways to get the sshd service started as a domain
user (instead of the default local user "sshd_server") and can not
get it to work. What is the correct syntax to specify a domain user
with cygrunsrv? This is what I have tried:
cygrunsrv -I sshd -u "DOMAINNAME\USERNAME" -w PASSWORD -d "CYGWIN sshd" -p /usr/sbin/sshd -a -D -e "CYGWIN=bin tty smbntsec" -y tcpip
This successfully installs the service, and if I look at it in the
Services control panel, it shows the correct username (DOMAIN\USERNAME),
but if I try to start the service I always get the error
"The Cygwin sshd service in Local Computer started and then
stopped". If I substitute sshd_server for the user and supply the
correct password, the sshd service starts correctly. But I want to
start the service as a domain user so that I can access network
shares and resolve some build issues with Visual Studio that are
apparently caused by not being fully authenticated.
Alfred
* Re: How do I run sshd as a particular user?
2008-03-28 15:28 ` Alfred von Campe
@ 2008-03-28 16:07 ` Larry Hall (Cygwin)
2008-03-28 17:05 ` Dave Korn
1 sibling, 0 replies; 16+ messages in thread
From: Larry Hall (Cygwin) @ 2008-03-28 16:07 UTC (permalink / raw)
To: cygwin
Alfred von Campe wrote:
> [I'm reposting this with a couple of corrections/clarifications and also
> to raise its visibility since I didn't get any responses last time :-)]
>
> It's been a month since Larry Hall replied to my last post on this topic
> (thanks, BTW), and this issue has bubbled up to the top again. I have
> tried various ways to get the sshd service started as a domain user
> (instead of the default local user "sshd_server") and can not get it to
> work. What is the correct syntax to specify a domain user with
> cygrunsrv? This is what I have tried:
>
> cygrunsrv -I sshd -u "DOMAINNAME\USERNAME" -w PASSWORD -d "CYGWIN sshd" -p /usr/sbin/sshd -a -D -e "CYGWIN=bin tty smbntsec" -y tcpip
>
> This successfully installs the service, and if I look at it in the
> Services control panel, it shows the correct username (DOMAIN\USERNAME),
> but if I try to start the service I always get the error "The Cygwin
> sshd service in Local Computer started and then stopped". If I
> substitute sshd_server for the user and supply the correct password, the
> sshd service starts correctly. But I want to start the service as a
> domain user so that I can access network shares and resolve some build
> issues with Visual Studio that are apparently caused by not being fully
> authenticated.
Does it have to be a domain user? If not, create a local one and give it
the permissions outlined in '/usr/share/doc/cygwin/openssh.README' from the
"Important note for windows 2003 Server users:" section. Or just look at
what '/bin/ssh-host-config' does. If it has to be a domain user for some
reason, I guess you can try the above on the machine in question for that
user but I really don't know enough about how domain user permissions can
(or can't) be augmented on local machines to say how this will work (and I
don't have a domain to test against currently).
--
Larry Hall http://www.rfk.com
RFK Partners, Inc. (508) 893-9779 - RFK Office
216 Dalton Rd. (508) 893-9889 - FAX
Holliston, MA 01746
_____________________________________________________________________
A: Yes.
> Q: Are you sure?
>> A: Because it reverses the logical flow of conversation.
>>> Q: Why is top posting annoying in email?
* RE: How do I run sshd as a particular user?
2008-03-28 15:28 ` Alfred von Campe
2008-03-28 16:07 ` Larry Hall (Cygwin)
@ 2008-03-28 17:05 ` Dave Korn
2008-04-02 13:12 ` Alfred von Campe
1 sibling, 1 reply; 16+ messages in thread
From: Dave Korn @ 2008-03-28 17:05 UTC (permalink / raw)
To: cygwin
Alfred von Campe wrote on 28 March 2008 12:30:
> I have tried various ways to get the sshd service started as a domain
> user (instead of the default local user "sshd_server") and can not
> get it to work. What is the correct syntax to specify a domain user
> with cygrunsrv? This is what I have tried:
>
> cygrunsrv -I sshd -u "DOMAINNAME\USERNAME" -w PASSWORD -d "CYGWIN sshd" -p /usr/sbin/sshd -a -D -e "CYGWIN=bin tty smbntsec" -y tcpip
That's the windows domain user syntax sure enough. There aren't any shell
metacharacters in the password by any chance are there?
> This successfully installs the service, and if I look at it in the
> Services control panel, it shows the correct username (DOMAIN\USERNAME),
> but if I try to start the service I always get the error
> "The Cygwin sshd service in Local Computer started and then
> stopped". If I substitute sshd_server for the user and supply the
> correct password, the sshd service starts correctly. But I want to
> start the service as a domain user
I suppose it might also be worth turning on all the auditing in the
security log to see if it's a login failure or not.
cheers,
DaveK
--
Can't think of a witty .sigline today....
* Re: How do I run sshd as a particular user?
2008-03-28 17:05 ` Dave Korn
@ 2008-04-02 13:12 ` Alfred von Campe
2008-04-02 13:27 ` Corinna Vinschen
0 siblings, 1 reply; 16+ messages in thread
From: Alfred von Campe @ 2008-04-02 13:12 UTC (permalink / raw)
To: Dave Korn; +Cc: cygwin
On Mar 28, 2008, at 11:28, Dave Korn wrote:
> Alfred von Campe wrote on 28 March 2008 12:30:
>
>> I have tried various ways to get the sshd service started as a domain
>> user (instead of the default local user "sshd_server") and can not
>> get it to work. What is the correct syntax to specify a domain user
>> with cygrunsrv? This is what I have tried:
>>
>> cygrunsrv -I sshd -u "DOMAINNAME\USERNAME" -w PASSWORD -d "CYGWIN sshd" -p /usr/sbin/sshd -a -D -e "CYGWIN=bin tty smbntsec" -y tcpip
>
> That's the windows domain user syntax sure enough. There aren't
> any shell
> metacharacters in the password by any chance are there?
Nope, just upper and lowercase letters, numbers, and a dash. I also
ensured that the user had all the user rights as described in the
openssh.README file (well, all except for Increase Quota, which for
some reason was not defined on this system, and must not really be
required since the sshd_server account also did not have that right
and it is able to start the service). The result is the same, the
service starts and immediately stops. There is nothing obvious in
the logs. I am not really a Windows person, so I've been working
with one of our IT guys on this, but he is out today and I will be
out tomorrow and Friday, so this will have to wait until next week.
Again, the problem I am trying to solve is to be able to kick off
builds remotely and automatically on this Windows server. To do
this, we need password-less login, and to that end, we have exchanged
ssh keys and have this working. However, by exchanging ssh keys the
user is never fully authenticated on the domain, so there is no
access to network drives. Is there any other way to have
passwordless ssh access yet still be fully authenticated on the
domain? I thought starting the service as a domain user would
accomplish this, but alas, I have not been able to do that. So if
there is any other way to achieve our goal, I'd be happy to try it.
Thanks,
Alfred
* Re: How do I run sshd as a particular user?
2008-04-02 13:12 ` Alfred von Campe
@ 2008-04-02 13:27 ` Corinna Vinschen
2008-04-02 17:56 ` Alfred von Campe
2008-04-11 15:49 ` Alfred von Campe
0 siblings, 2 replies; 16+ messages in thread
From: Corinna Vinschen @ 2008-04-02 13:27 UTC (permalink / raw)
To: cygwin
On Apr 2 09:11, Alfred von Campe wrote:
> On Mar 28, 2008, at 11:28, Dave Korn wrote:
>> Alfred von Campe wrote on 28 March 2008 12:30:
>>
>>> I have tried various ways to get the sshd service started as a domain
>>> user (instead of the default local user "sshd_server") and can not
>>> get it to work. What is the correct syntax to specify a domain user
>>> with cygrunsrv? This is what I have tried:
>>>
>>> cygrunsrv -I sshd -u "DOMAINNAME\USERNAME" -w PASSWORD -d "CYGWIN sshd" -p /usr/sbin/sshd -a -D -e "CYGWIN=bin tty smbntsec" -y tcpip
>>[...]
> I thought starting the service as a domain
> user would accomplish this, but alas, I have not been able to do that. So
> if there is any other way to achieve our goal, I'd be happy to try it.
Did you try anything besides switching the user? For instance:
- Did you check the event log?
- Did you check /var/run/sshd.log? If it's empty it's probably because
the domain user has no write permission.
- Does the domain user have an entry in the local /etc/passwd? sshd
needs that when checking file ownership. And it allows to specify the
user to cygrunsrv without the "domain\win_username" syntax.
- Did you chown /etc/ssh* and /var/empty to the domain user when trying
to start the service under that account? That's a must have.
Corinna
--
Corinna Vinschen Please, send mails regarding Cygwin to
Cygwin Project Co-Leader cygwin AT cygwin DOT com
Red Hat
* Re: How do I run sshd as a particular user?
2008-04-02 13:27 ` Corinna Vinschen
@ 2008-04-02 17:56 ` Alfred von Campe
2008-04-03 8:45 ` Corinna Vinschen
2008-04-11 15:49 ` Alfred von Campe
1 sibling, 1 reply; 16+ messages in thread
From: Alfred von Campe @ 2008-04-02 17:56 UTC (permalink / raw)
To: cygwin
On Apr 2, 2008, at 9:27, Corinna Vinschen wrote:
>
> Did you try anything besides switching the user? For instance:
>
> - Did you check the event log?
Yes, did not find anything useful.
> - Did you check /var/run/sshd.log? If it's empty it's probably
> because
> the domain user has no write permission.
No, I did not.
> - Does the domain user have an entry in the local /etc/passwd? sshd
> needs that when checking file ownership. And it allows to
> specify the
> user to cygrunsrv without the "domain\win_username" syntax.
Well, there is an entry for a user of the same name. Is that enough
or is there a way to specify the fact that it's a domain user?
> - Did you chown /etc/ssh* and /var/empty to the domain user when
> trying
> to start the service under that account? That's a must have.
No, I did not know about this either. I will try these suggestions
as soon as I get a chance, but that might not be until I return to
the office next week. A quick question, though. Instead of making
all these changes, is there a better way to (re-)install Cygwin sshd
so that it is properly set up for a domain user?
Alfred
* Re: How do I run sshd as a particular user?
2008-04-02 17:56 ` Alfred von Campe
@ 2008-04-03 8:45 ` Corinna Vinschen
0 siblings, 0 replies; 16+ messages in thread
From: Corinna Vinschen @ 2008-04-03 8:45 UTC (permalink / raw)
To: cygwin
On Apr 2 13:55, Alfred von Campe wrote:
> On Apr 2, 2008, at 9:27, Corinna Vinschen wrote:
>> - Does the domain user have an entry in the local /etc/passwd? sshd
>> needs that when checking file ownership. And it allows to specify the
>> user to cygrunsrv without the "domain\win_username" syntax.
>
> Well, there is an entry for a user of the same name. Is that enough or is
> there a way to specify the fact that it's a domain user?
The SID in the pw_gecos field must match. When in doubt, try
mkpasswd -d -u username.
>> - Did you chown /etc/ssh* and /var/empty to the domain user when trying
>> to start the service under that account? That's a must have.
>
> No, I did not know about this either. I will try these suggestions as soon
> as I get a chance, but that might not be until I return to the office next
> week. A quick question, though. Instead of making all these changes, is
> there a better way to (re-)install Cygwin sshd so that it is properly set
> up for a domain user?
No, that's not supported by the install scripts.
Corinna
--
Corinna Vinschen Please, send mails regarding Cygwin to
Cygwin Project Co-Leader cygwin AT cygwin DOT com
Red Hat
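
The checks from the two messages above (an /etc/passwd entry whose pw_gecos SID matches, ownership of /etc/ssh* and /var/empty, an empty /var/run/sshd.log) collected into a preflight script. This is an added example, not code from the thread or from the Cygwin project; the function names, the assumed gecos layout `U-DOMAIN\user,S-1-...` and the constructed sample account `builder` are assumptions.

```bash
#!/bin/bash
# Added example, not from the thread. Preflight for running Cygwin sshd under
# another account, based on the checks listed in the messages above.
# Assumed pw_gecos layout (as written by mkpasswd): U-DOMAIN\user,S-1-5-21-...

# Print "uid sid" for USER from PASSWD_FILE; fail if there is no entry.
passwd_uid_sid() {
  awk -F: -v u="$2" '
    $1 == u {
      sid = "-"
      n = split($5, part, ",")
      for (i = 1; i <= n; i++) if (part[i] ~ /^S-1-/) sid = part[i]
      print $3, sid
      found = 1
      exit
    }
    END { exit !found }' "$1"
}

# Numeric owner of a path (third column of "ls -ldn").
owner_uid() {
  ls -ldn -- "$1" | awk '{ print $3 }'
}

# sshd_preflight ROOT USER EXPECTED_SID
# ROOT is a prefix for /etc and /var ("" on a real system). EXPECTED_SID is the
# account's real SID, e.g. taken from "mkpasswd -d -u USER" as suggested above.
# Prints one line per finding and returns the number of failed checks.
sshd_preflight() {
  local root="$1" user="$2" want_sid="$3" fails=0 entry uid sid path
  if ! entry=$(passwd_uid_sid "$root/etc/passwd" "$user"); then
    echo "FAIL: no entry for $user in $root/etc/passwd"
    return 1
  fi
  uid=${entry%% *}
  sid=${entry#* }
  if [ "$sid" != "$want_sid" ]; then
    echo "FAIL: pw_gecos SID is $sid, expected $want_sid"
    fails=$((fails + 1))
  fi
  # sshd compares file owners against the uid from the passwd entry.
  for path in "$root"/etc/ssh* "$root/var/empty"; do
    [ -e "$path" ] || continue
    if [ "$(owner_uid "$path")" != "$uid" ]; then
      echo "FAIL: $path is not owned by $user (uid $uid)"
      fails=$((fails + 1))
    fi
  done
  # An empty log after a failed start points at missing write permission.
  if [ -e "$root/var/run/sshd.log" ] && [ ! -s "$root/var/run/sshd.log" ]; then
    echo "WARN: $root/var/run/sshd.log is empty; the account may lack write permission"
  fi
  return "$fails"
}

# Build a constructed sample tree owned by the current uid (demo data only).
make_demo_root() {
  local root
  root=$(mktemp -d) || return 1
  mkdir -p "$root/etc" "$root/var/empty" "$root/var/run"
  : > "$root/etc/ssh_host_rsa_key"
  : > "$root/etc/sshd_config"
  printf 'builder:unused:%s:513:U-EXAMPLE\\builder,S-1-5-21-1-2-3-1105:/home/builder:/bin/bash\n' \
    "$(id -u)" > "$root/etc/passwd"
  echo "$root"
}
```

On a real installation the call would be `sshd_preflight "" USERNAME SID`, run before reinstalling the service with cygrunsrv.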
* Re: How do I run sshd as a particular user?
2008-04-02 13:27 ` Corinna Vinschen
2008-04-02 17:56 ` Alfred von Campe
@ 2008-04-11 15:49 ` Alfred von Campe
2008-04-11 21:24 ` Alfred von Campe
1 sibling, 1 reply; 16+ messages in thread
From: Alfred von Campe @ 2008-04-11 15:49 UTC (permalink / raw)
To: cygwin
On Apr 2, 2008, at 9:27, Corinna Vinschen wrote:
> - Did you check /var/run/sshd.log? If it's empty it's probably
> because
> the domain user has no write permission.
>
> - Does the domain user have an entry in the local /etc/passwd? sshd
> needs that when checking file ownership. And it allows to
> specify the
> user to cygrunsrv without the "domain\win_username" syntax.
>
> - Did you chown /etc/ssh* and /var/empty to the domain user when
> trying
> to start the service under that account? That's a must have.
It's taken me a while to get to this, but changing the above
mentioned permissions did the trick. I can now log on and access
network shares! This will make the build engineers' lives a lot
easier. Thank you for a great product and for all the help on this
list!
Well, I spoke a little too soon. I got this working on two systems,
but can not get it to work on a third. The ssh daemon appears to
start (neither cygrunsrv -S nor starting it from the Services Panel
gives an error), but it really does not. The Event Viewer
Application log shows the following:
The description for Event ID ( 0 ) in Source ( sshd ) cannot be found. The local
computer may not have the necessary registry information or message DLL files to
display messages from a remote computer. You may be able to use the /AUXSOURCE=
flag to retrieve this description; see Help and Support for details. The following
information is part of the event: sshd: PID 2920: service `sshd' failed: signal 11
raised.
Any ideas what could be raising signal 11 (SIGSEGV) and how I would
go about debugging this? ssh access was working to this machine
before I changed the file system permissions and the account
information for the sshd service.
Alfred
* Re: How do I run sshd as a particular user?
2008-04-11 15:49 ` Alfred von Campe
@ 2008-04-11 21:24 ` Alfred von Campe
2008-04-12 0:47 ` Robert McKay
0 siblings, 1 reply; 16+ messages in thread
From: Alfred von Campe @ 2008-04-11 21:24 UTC (permalink / raw)
To: cygwin
On Apr 11, 2008, at 11:48, I wrote:
> Well, I spoke a little too soon. I got this working on two
> systems, but can not get it to work on a third. The ssh daemon
> appears to start (neither cygrunsrv -S nor starting it from the
> Services Panel gives an error), but it really does not.
I managed to solve this by rebooting the system and re-running
ssh-host-config (and then changing permissions, etc.). I now have all
three build systems working as expected.
Thanks again for all the help,
Alfred
* Re: How do I run sshd as a particular user?
2008-04-11 21:24 ` Alfred von Campe
@ 2008-04-12 0:47 ` Robert McKay
2008-04-12 9:33 ` Corinna Vinschen
0 siblings, 1 reply; 16+ messages in thread
From: Robert McKay @ 2008-04-12 0:47 UTC (permalink / raw)
To: cygwin
On Fri, Apr 11, 2008 at 8:22 PM, Alfred von Campe <alfred@von-campe.com> wrote:
> On Apr 11, 2008, at 11:48, I wrote:
>
>
> > Well, I spoke a little too soon. I got this working on two systems, but
> > can not get it to work on a third. The ssh daemon appears to start (neither
> > cygrunsrv -S nor starting it from the Services Panel gives an error), but it
> > really does not.
> >
>
> I managed to solve this by rebooting the system and re-running
> ssh-host-config (and then changing permissions, etc.). I now have all three
> build systems working as expected.
>
> Thanks again for all the help,
I'm a bit late to this discussion.. I set this up a while ago and one
interesting thing that I noticed is that you can:
net use \\whatever /user:domain\user
instead of
net use x: \\whatever /user:domain\user
(ie: without specifying a drive letter).
If you don't specify a drive letter then it works even when you are
logged in without a password. Taking this one step further, you can
make a symlink
ln -s '\\whatever' /remotefilesystem
and then just access files in /remotefilesystem instead of /cygdrive/X
This pretty much solved the issue of accessing network drives when
logged in without a password.
Later a requirement was introduced that we run sshd as an unprivileged
user and so I switched to having a service that logs in with a
password as you are now doing.
In order to run sshd as an unprivileged user I had to use a nasty
hexedit hack on the sshd.exe file to replace the seteuid() call (which
fails / returns -1 without admin privileges and causes sshd to exit)
with a call to isalpha() which has (almost) the same function
prototype, but always returns 0 unless your userid 'is an alphanumeric
character' :)
If you run without admin privileges sshd can't actually verify
passwords for passworded logins, but ssh keys seemed to work just fine
which is what we wanted anyway. Obviously you can only log in as that
one user that's running ssh, but again this was acceptable.
Rob.
* Re: How do I run sshd as a particular user?
2008-04-12 0:47 ` Robert McKay
@ 2008-04-12 9:33 ` Corinna Vinschen
2008-04-13 2:51 ` Robert McKay
0 siblings, 1 reply; 16+ messages in thread
From: Corinna Vinschen @ 2008-04-12 9:33 UTC (permalink / raw)
To: cygwin
On Apr 12 01:11, Robert McKay wrote:
> In order to run sshd as an unprivileged user I had to use a nasty
> hexedit hack on the sshd.exe file to replace the seteuid() call (which
> fails / returns -1 without admin privileges and causes sshd to exit)
> with a call to isalpha() which has (almost) the same function
> prototype, but always returns 0 unless your userid 'is an alphanumeric
> character' :)
Aaaaargh!
I don't know what you're doing wrong but this is *totally* unnecessary.
You can run sshd as unprivileged user without having to change the
sshd code. You can do this while another sshd is running on
port 22 under a privileged account. What the user has to do is to create
her own sshd_config file and own host keys. If no other sshd is running
on the machine, just chown the host key files in /etc and switch off
privilege separation in /etc/sshd_config.
For kicks I just tried it. What I did:
$ uname -a
CYGWIN_NT-6.0 vmbert2k8 1.5.25(0.156/4/2) 2008-03-06 17:01 i686 Cygwin
$ id
uid=1004(hein) gid=513(None) groups=513(None),545(Users)
$ pwd
/home/hein
$ mkdir -p etc var/run
$ cp /etc/sshd_config etc
$ vi etc/sshd_config
[Set `Port 2022']
[Set `HostKey /home/hein/etc/ssh_host_rsa_key']
[Set `UsePrivilegeSeparation no']
[Set `PidFile /home/hein/var/run/sshd.pid']
[:wq!]
$ ssh-keygen -t rsa -f /home/hein/etc/ssh_host_rsa_key -N ''
Generating public/private rsa key pair.
Your identification has been saved in /home/hein/etc/ssh_host_rsa_key.
Your public key has been saved in /home/hein/etc/ssh_host_rsa_key.pub.
The key fingerprint is:
02:5d:02:5d:e8:2e:c6:b9:4c:d9:93:6c:13:ef:5d:61 hein@vmbert2k8
$ /usr/sbin/sshd -f sshd_config -D
Then, from another machine:
$ uname -a
Linux calimero 2.6.23.17-LL #1 SMP Tue Mar 25 11:21:47 CET 2008 x86_64 x86_64 x86_64 GNU/Linux
$ ssh -l hein -p 2022 vmbert2k8
hein@vmbert2k8's password:
Fanfare!!!
You are successfully logged in to this server!!!
hein@vmbert2k8
$
Corinna
--
Corinna Vinschen Please, send mails regarding Cygwin to
Cygwin Project Co-Leader cygwin AT cygwin DOT com
Red Hat
* Re: How do I run sshd as a particular user?
2008-04-12 9:33 ` Corinna Vinschen
@ 2008-04-13 2:51 ` Robert McKay
2008-04-13 13:07 ` Corinna Vinschen
0 siblings, 1 reply; 16+ messages in thread
From: Robert McKay @ 2008-04-13 2:51 UTC (permalink / raw)
To: cygwin
On Sat, Apr 12, 2008 at 10:06 AM, Corinna Vinschen
<corinna-cygwin@cygwin.com> wrote:
> On Apr 12 01:11, Robert McKay wrote:
> > In order to run sshd as an unprivileged user I had to use a nasty
> > hexedit hack on the sshd.exe file to replace the seteuid() call (which
> > fails / returns -1 without admin privileges and causes sshd to exit)
> > with a call to isalpha() which has (almost) the same function
> > prototype, but always returns 0 unless your userid 'is an alphanumeric
> > character' :)
>
> Aaaaargh!
>
> I don't know what you're doing wrong but this is *totally* unnecessary.
> You can run sshd as unprivileged user without having to change the
> sshd code. You can do this while another sshd is running on
> port 22 under a privileged account. What the user has to do is to create
> her own sshd_config file and own host keys. If no other sshd is running
> on the machine, just chown the host key files in /etc and switch off
> privilege separation in /etc/sshd_config.
Interesting.. are you sure your account doesn't have the allow replace
process token privilege?
I'll take another look at this when I get the chance.. perhaps sshd has
changed in some way.
Cheers,
Rob.
* Re: How do I run sshd as a particular user?
2008-04-13 2:51 ` Robert McKay
@ 2008-04-13 13:07 ` Corinna Vinschen
0 siblings, 0 replies; 16+ messages in thread
From: Corinna Vinschen @ 2008-04-13 13:07 UTC (permalink / raw)
To: cygwin
On Apr 13 03:27, Robert McKay wrote:
> On Sat, Apr 12, 2008 at 10:06 AM, Corinna Vinschen
> <corinna-cygwin@cygwin.com> wrote:
http://cygwin.com/acronyms/#PCYMTNQREAIYR
> > On Apr 12 01:11, Robert McKay wrote:
> > > In order to run sshd as an unprivileged user I had to use a nasty
> > > hexedit hack on the sshd.exe file to replace the seteuid() call (which
> > > fails / returns -1 without admin privileges and causes sshd to exit)
> > > with a call to isalpha() which has (almost) the same function
> > > prototype, but always returns 0 unless your userid 'is an alphanumeric
> > > character' :)
> >
> > Aaaaargh!
> >
> > I don't know what you're doing wrong but this is *totally* unnecessary.
> > You can run sshd as unprivileged user without having to change the
> > sshd code. You can do this while another sshd is running on
> > port 22 under a privileged account. What the user has to do is to create
> > her own sshd_config file and own host keys. If no other sshd is running
> > on the machine, just chown the host key files in /etc and switch off
> > privilege separation in /etc/sshd_config.
>
> Interesting.. are you sure your account doesn't have the allow replace
> process token privilege?
Yes. The account was created as standard user account for the purpose of
testing Cygwin with non-privileged user accounts.
Corinna
--
Corinna Vinschen Please, send mails regarding Cygwin to
Cygwin Project Co-Leader cygwin AT cygwin DOT com
Red Hat