public inbox for cygwin@cygwin.com
* Re: ssh-host-setup is adding user to Deny Terminal Services login
From: Paul Keeble @ 2008-12-16 10:01 UTC (permalink / raw)
  To: cygwin

> > The user who runs the ssh-host-setup command is being denied terminal
> > services login, which when you are running the setup over terminal
> > services is a bit of a worry! I don't get kicked off the moment it
> > happens but it needs manually correcting before log out or access to
> > the box remotely will be lost.

> The script denies access to the user running the service, not the user
> running ssh-host-config.  Hopefully you don't use the service starter
> account for normal logon purposes.

Alas, I don't know of any other way to get what I need done. In order to support an automated system login we use an SSH key based login rather than passwords. This unfortunately means that there is no "real" login, the user does not have access to the network drives and that is kind of essential for what we are doing. The only workaround I have found is to have privilege separation off and have the sshd service be the same user as the login. That way the privileges are passed to the logged in shell and it works. The only time the password is necessary is when the install is done or the password is changed. The remaining problem is terminal services being disabled, which although undoable is a bit of a pain to do across hundreds of machines.

If there is another way to get key based logins and network access (real logins) working then that would be great to know about. Otherwise a way to workaround to stop ssh-host-config from disabling terminal services for that user would also be useful.




--
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple
Problem reports:       http://cygwin.com/problems.html
Documentation:         http://cygwin.com/docs.html
FAQ:                   http://cygwin.com/faq/


* Re: ssh-host-setup is adding user to Deny Terminal Services login
From: Corinna Vinschen @ 2008-12-16 10:19 UTC (permalink / raw)
  To: cygwin

On Dec 16 10:00, Paul Keeble wrote:
> > The script denies access to the user running the service, not the user
> > running ssh-host-config.  Hopefully you don't use the service starter
> > account for normal logon purposes.
> 
> Alas I don't know of any other way to get what I need done. In order
> to support an automated system login we use an SSH key based login
> rather than passwords. This unfortunately means that there is no
> "real" login, the user does not have access to the network drives and
> that is kind of essential for what we are doing. The only workaround I
> have found is to have privilege separation off and have the sshd
> service be the same user as the login. That way the privileges are
> passed to the logged in shell and it works. The only time the password
> is necessary is when the install is done or the password is changed.
> The remaining problem is terminal services being disabled, which
> although undoable is a bit of a pain to do across hundreds of
> machines.

This is a non-default scenario which isn't supported by ssh-host-config.

> If there is another way to get key based logins and network access
> (real logins) working then that would be great to know about.

Not in Cygwin 1.5.x.  In Cygwin 1.7, yes.
See http://cygwin.com/1.7/cygwin-ug-net/ntsec.html#ntsec-setuid-overview

> Otherwise a way to workaround to stop ssh-host-config from disabling
> terminal services for that user would also be useful.

Just remove the offending line from the csih helper script
/usr/share/csih/cygwin-service-installation-helper.sh

  editrights -a SeDenyRemoteInteractiveLogonRight -u ${username} &&

Maybe we should remove this in the distro as well, but we're trying to
make it safe.  Using this account is quite dangerous, as you should
know.  It has been given very serious privileges by the ssh-host-config
script.  In your scenario, where you run sshd using the same account
which you're logging in to, you should install the service manually
without ssh-host-config.  Otherwise your logon account is practically
almighty.


Corinna

-- 
Corinna Vinschen                  Please, send mails regarding Cygwin to
Cygwin Project Co-Leader          cygwin AT cygwin DOT com
Red Hat

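Added example, not code from this thread or from Cygwin's csih scripts: a defender's check of the state the two messages above discuss, namely whether the account sshd runs as holds SeDenyRemoteInteractiveLogonRight (the right the quoted editrights line grants) and how that combines with the same account also being used for normal logon. It parses a constructed secedit-export-style text; the account name cyg_server, the SIDs and the export contents are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread or from Cygwin's csih helper. It audits
# the right that the helper grants with
#   editrights -a SeDenyRemoteInteractiveLogonRight -u ${username}
# by reading the [Privilege Rights] section of a "secedit /export" file.
# SAMPLE_EXPORT is a constructed sample (real exports are UTF-16 and list most
# holders as *SIDs); "cyg_server" stands for whatever account sshd runs as.
SAMPLE_EXPORT='[Unicode]
Unicode=yes
[Privilege Rights]
SeServiceLogonRight = cyg_server,*S-1-5-80-0
SeDenyRemoteInteractiveLogonRight = cyg_server,*S-1-5-21-1111-2222-3333-1005
SeAssignPrimaryTokenPrivilege = cyg_server
SeCreateTokenPrivilege = cyg_server
[Version]
signature="$CHICAGO$"
Revision=1'

# Print the holders of one right, one per line. $1 = right name, export on stdin.
right_holders() {
    awk -F' = ' -v r="$1" '
        /^\[/            { insec = ($0 == "[Privilege Rights]") }
        insec && $1 == r { n = split($2, a, ","); for (i = 1; i <= n; i++) print a[i] }'
}

# Succeeds when account $2 holds right $1 (export text on stdin).
has_right() {
    right_holders "$1" | grep -qxF -- "$2"
}

# Classify the sshd service account. $1 = export text, $2 = account,
# $3 = yes|no: is the same account also used for normal (RDP/console) logon?
audit_sshd_account() {
    if printf '%s\n' "$1" | has_right SeDenyRemoteInteractiveLogonRight "$2"
    then denied=yes; else denied=no; fi
    case "$denied/$3" in
        yes/no)  echo ok ;;                       # what ssh-host-config intends
        yes/yes) echo locked-out-risk ;;          # this thread: RDP to the box is refused
        no/yes)  echo shared-privileged-logon ;;  # deny line removed on a logon account
        *)       echo missing-deny ;;             # service-only account lost the deny right
    esac
}

# Stand-alone demo: the default, hardened case.
audit_sshd_account "$SAMPLE_EXPORT" cyg_server no
```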

* Re: ssh-host-setup is adding user to Deny Terminal Services login
From: Corinna Vinschen @ 2008-12-15 13:03 UTC (permalink / raw)
  To: cygwin

On Dec 15 11:47, Paul Keeble wrote:
> The user who runs the ssh-host-setup command is being denied terminal
> services login, which when you are running the setup over terminal
> services is a bit of a worry! I don't get kicked off the moment it
> happens but it needs manually correcting before log out or access to
> the box remotely will be lost.

The script denies access to the user running the service, not the user
running ssh-host-config.  Hopefully you don't use the service starter
account for normal logon purposes.


Corinna

-- 
Corinna Vinschen                  Please, send mails regarding Cygwin to
Cygwin Project Co-Leader          cygwin AT cygwin DOT com
Red Hat


* ssh-host-setup is adding user to Deny Terminal Services login
From: Paul Keeble @ 2008-12-15 11:48 UTC (permalink / raw)
  To: cygwin

The user who runs the ssh-host-setup command is being denied terminal services login, which when you are running the setup over terminal services is a bit of a worry! I don't get kicked off the moment it happens but it needs manually correcting before log out or access to the box remotely will be lost.

Environment
Cygwin setup - 2.573.2.2
openssh - 5.1p1-9
openssl - 0.9.8i-1
Windows 2003 server

Steps to reproduce
Run ssh-host-config. Don't use privilege separation, do install sshd as a service, keep the settings to just ntsec, and enter the account to create as the current user.

The problem can be confirmed by using gpedit.msc and finding the Deny Terminal Services login group - the current user account will now be listed when it was not before.

Is it necessary to block terminal service access for the running user and if so why?

If it's not, is there a workaround I could use so this does not happen when running ssh-host-config?




