public inbox for cygwin@cygwin.com
* sshd in a domain
@ 2010-06-24 13:24 Robert Jacobson
From: Robert Jacobson @ 2010-06-24 13:24 UTC (permalink / raw)
  To: cygwin


I need some help to get sshd working so that when I log in using
public-key auth to my domain account (which has local administrator
privileges), it actually has the Administrator privs.

The platform is Windows XP Pro, joined to a domain.

C. Vinschen already kindly pointed me to the FAQ, here:
http://cygwin.com/faq/faq-nochunks.html#faq.using.sshd-in-domain

but I think I'm missing something about the setup, or done it wrong.

I created a domain account, we'll call it "cyg_server" for convenience.

I have a GPO that defines the "cyg_server" User Right Assignments so
that it can "Act as part of the operating system", "Act as part of the
operating system", and "Replace a process level token".  I also placed
cyg_server in the local Administrators group.

I've confirmed the GPO is applied successfully.  The cyg_server account
appears in the correct areas when I look at "gpedit.msc".

Where I think I'm failing is the setup for ssh-host-config.  I tried:

	ssh-host-config -u cyg_server -p 'password' --privileged

First, I'm warned that I don't need a privileged account because I'm not
running W2k3, Vista, etc.  (The FAQ specifically says to use a different
account, so this seems contradictory, yes?)

Also, I get:
*** Warning: Privileged account 'cyg_server' was specified,
*** Warning: but it does not have the necessary privileges.
*** Warning: Continuing, but will probably use a different account.
*** Warning: The specified account 'cyg_server' does not have the
*** Warning: required permissions or group memberships. This may
*** Warning: cause problems if not corrected; continuing...

It installed the service, but the service did not start, due to a login
failure.

I can log in to the account using
	runas /user:domain\cyg_server cmd
just fine.  I'm sure the password I specified was correct.

I opened the Service configuration GUI, and just in case, I pasted the
password into the proper spot.  The GUI responded with (paraphrase)
	"cyg_server" has been granted the "Logon as a service" right.

The service then started successfully.  So, did I miss something, or
does that mean the FAQ should include "Logon as a service" in the needed
user rights?

In any case, although the service now starts successfully (running under
the cyg_server account), when I log in via SSH (either password OR public
key), I do NOT have Administrator privileges; i.e. according to the 'id'
command, I'm not in group "544(Administrators)".  I'm not even in the
regular "Users" group!

Obviously I've done something wrong...  Help, please!

-- 
Robert Jacobson
#include std_disclaimer.h

--
Problem reports:       http://cygwin.com/problems.html
FAQ:                   http://cygwin.com/faq/
Documentation:         http://cygwin.com/docs.html
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple


* Re: sshd in a domain
@ 2011-05-05 11:57 ` Robert Jacobson
From: Robert Jacobson @ 2011-05-05 11:57 UTC (permalink / raw)
  To: cygwin

On 6/24/2010 9:24 AM, Robert Jacobson wrote:
> I need some help to get sshd working so that when I log in using
> public-key auth to my domain account (which has local administrator
> privileges), it actually has the Administrator privs.
>
> The platform is Windows XP Pro, joined to a domain.
>
> C. Vinschen already kindly pointed me to the FAQ, here:
> http://cygwin.com/faq/faq-nochunks.html#faq.using.sshd-in-domain
>
> but I think I'm missing something about the setup, or done it wrong.
>
> I created a domain account, we'll call it "cyg_server" for convenience.
>
> I have a GPO that defines the "cyg_server" User Right Assignments so
> that it can "Act as part of the operating system", "Act as part of the
> operating system", and "Replace a process level token".  I also placed
> cyg_server in the local Administrators group.
>
> I've confirmed the GPO is applied successfully.  The cyg_server account
> appears in the correct areas when I look at "gpedit.msc".
>
> Where I think I'm failing is the setup for ssh-host-config.  I tried:
>
> 	ssh-host-config -u cyg_server -p 'password' --privileged
>
> First, I'm warned that I don't need a privileged account because I'm not
> running W2k3, Vista, etc.  (The FAQ specifically says to use a different
> account, so this seems contradictory, yes?)
>
> Also, I get:
> *** Warning: Privileged account 'cyg_server' was specified,
> *** Warning: but it does not have the necessary privileges.
> *** Warning: Continuing, but will probably use a different account.
> *** Warning: The specified account 'cyg_server' does not have the
> *** Warning: required permissions or group memberships. This may
> *** Warning: cause problems if not corrected; continuing...
>
> It installed the service, but the service did not start, due to a login
> failure.
>
> I can log in to the account using
> 	runas /user:domain\cyg_server cmd
> just fine.  I'm sure the password I specified was correct.
>
> I opened the Service configuration GUI, and just in case, I pasted the
> password into the proper spot.  The GUI responded with (paraphrase)
> 	"cyg_server" has been granted the "Logon as a service" right.
>
> The service then started successfully.  So, did I miss something, or
> does that mean the FAQ should include "Logon as a service" in the needed
> user rights?
>
> In any case, although the service now starts successfully (running under
> the cyg_server account), when I log in via SSH (either password OR public
> key), I do NOT have Administrator privileges; i.e. according to the 'id'
> command, I'm not in group "544(Administrators)".  I'm not even in the
> regular "Users" group!
>
> Obviously I've done something wrong...  Help, please!
>

I'm responding to my own post -- from nearly a year ago -- because I
finally learned how to configure sshd so that I get the right
permissions for my administrator account.

The fix was simple -- I just ran "cyglsa-config" and rebooted.  I had no
idea "cyglsa" existed until I tried to get cron working the other day
and saw it in a follow-up post.

The "id" command now shows the exact same output in the console terminal
and when I log in via SSH.

I propose that you add this to the FAQ at:
  http://cygwin.com/faq/faq-nochunks.html#faq.using.sshd-in-domain
possibly with a note about the necessity of rebooting after cygwin
updates if you use cyglsa.

Is there some reason (other than the reboot-after-cygwin-update
requirement) that  "ssh-host-config" doesn't automatically run
cyglsa-config as well?  Or at least warn you that you won't get the
right group membership without it?

-- 

Robert Jacobson
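The two symptoms in this thread (the service account missing a user right, and the SSH token lacking groups the console token has) can both be checked from plain text. The script below is an added example, not code from the thread or from Cygwin; it assumes `editrights -u USER -l` prints the account's rights one per line and that `id -G` gives a space-separated GID list, and it maps the rights named above to their Windows privilege constants (SeCreateTokenPrivilege, "Create a token object", is assumed as the companion right ssh-host-config also grants).

```bash
#!/bin/bash
# Added example (not from the thread). Checks run on captured text so they can
# be exercised with constructed samples; on a real host feed them the output of
# `editrights -u cyg_server -l` and of `id -G` from a console and an SSH shell.

# Windows privilege constants for the rights the thread names (assumed mapping):
#   SeTcbPrivilege                 "Act as part of the operating system"
#   SeAssignPrimaryTokenPrivilege  "Replace a process level token"
#   SeServiceLogonRight            "Log on as a service" (the one the GUI added)
#   SeCreateTokenPrivilege         "Create a token object" (assumed companion right)
REQUIRED_RIGHTS="SeTcbPrivilege SeAssignPrimaryTokenPrivilege SeCreateTokenPrivilege SeServiceLogonRight"

# missing_rights HELD_TEXT: prints every required right that does not appear
# as a whole line in HELD_TEXT, one per line (empty output means all present).
missing_rights() {
  held="$1"
  for r in $REQUIRED_RIGHTS; do
    printf '%s\n' "$held" | grep -qx "$r" || printf '%s\n' "$r"
  done
}

# groups_only_in_console CONSOLE_GIDS SSH_GIDS: prints the GIDs the console
# token has but the SSH token lacks, e.g. 544 when Administrators is dropped.
groups_only_in_console() {
  for g in $1; do
    case " $2 " in *" $g "*) ;; *) printf '%s\n' "$g" ;; esac
  done
}

# Constructed samples mirroring the poster's situation: the GPO granted two
# rights but not the service-logon right, and the SSH token is missing
# 544 (Administrators) and 545 (Users). 513 and 1000 are made-up extras.
SAMPLE_HELD="SeTcbPrivilege
SeAssignPrimaryTokenPrivilege"
SAMPLE_CONSOLE_GIDS="513 544 545 1000"
SAMPLE_SSH_GIDS="513 1000"

echo "Rights still missing for the service account:"
missing_rights "$SAMPLE_HELD"
echo "Groups present in console token but absent over SSH:"
groups_only_in_console "$SAMPLE_CONSOLE_GIDS" "$SAMPLE_SSH_GIDS"
```

Empty output from both functions after running cyglsa-config and rebooting is the state the second post describes.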

* Re: sshd in a domain
@ 2011-05-05 12:59   ` Corinna Vinschen
From: Corinna Vinschen @ 2011-05-05 12:59 UTC (permalink / raw)
  To: cygwin

On May  5 07:57, Robert Jacobson wrote:
> Is there some reason (other than the reboot-after-cygwin-update
> requirement) that  "ssh-host-config" doesn't automatically run
> cyglsa-config as well?

Yes, because it installs a kind of driver into the OS and it's not
really necessary in all circumstances.  It depends on what you need, and
your personal taste of intrusiveness and security.  See the User's Guide
at http://cygwin.com/cygwin-ug-net/ntsec.html#ntsec-setuid-overview


Corinna

-- 
Corinna Vinschen                  Please, send mails regarding Cygwin to
Cygwin Project Co-Leader          cygwin AT cygwin DOT com
Red Hat
