Re: ssh to Cygwin sshd - command with bat file fails when trust established but works with password authentication

Re: ssh to Cygwin sshd - command with bat file fails when trust established but works with password authentication

[Jeffrey Lightner]

Thanks.

I've done the passwd -R and re-established the trust.   Once the user retests with the trust I'll let you know how it goes.

The comment in the article about only System users being able to list the registry entries doesn't mean it will ignore the "passwd -R" done for a non-Administrative user (by an Administrative account of course) does it?   At present the remote Windows user is a local Administrative user but of course we plan to lock that down some after other testing pans out.

--- Stromeko@nexgo.de wrote:

From: Achim Gratz <Stromeko@nexgo.de>
To: cygwin@cygwin.com
Subject: Re: ssh to Cygwin sshd - command with bat file fails when trust established but works with password authentication
Date: Tue, 06 Sep 2016 19:59:47 +0200

Jeffrey Lightner writes:
> The weirdness is that this failure only occurs when we call it using
> ssh trust to make the connection. If we make the connection without a
> trust so that it prompts for the OS level password the bat file then
> executes correctly including its application level login.

That most likely means that this application needs network access.  If
you log in via public key and don't have a password stored in registry
via 'passwd -R' and cygserver running to use it, then you won't have any
access rights to non-local resources.

https://cygwin.com/cygwin-ug-net/ntsec.html#ntsec-setuid-overview

If all you need is indeed to run one script, you might alternatively be
able to set up a service that starts under a network user and just runs
that script when triggered by your remote user login in via ssh.


Regards,
Achim.
-- 
+<[Q+ Matrix-12 WAVE#46+305 Neuron microQkb Andromeda XTk Blofeld]>+

Factory and User Sound Singles for Waldorf Q+, Q and microQ:
http://Synth.Stromeko.net/Downloads.html#WaldorfSounds

--
Problem reports:       http://cygwin.com/problems.html
FAQ:                   http://cygwin.com/faq/
Documentation:         http://cygwin.com/docs.html
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple




--
Problem reports:       http://cygwin.com/problems.html
FAQ:                   http://cygwin.com/faq/
Documentation:         http://cygwin.com/docs.html
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple

Re: ssh to Cygwin sshd - command with bat file fails when trust established but works with password authentication

[Jeffrey Lightner]

Thanks again.

The user reports the bat file worked without issue after I did the "passwd -R" and re-established the trust.

--- jclightner@copper.net wrote:

From: "Jeffrey Lightner" <jclightner@copper.net>
To: "Achim Gratz" <Stromeko@nexgo.de>
Cc: <cygwin@cygwin.com>
Subject: Re: ssh to Cygwin sshd - command with bat file fails when trust established but works with password authentication
Date: Tue, 6 Sep 2016 11:39:01 -0700

Thanks.

I've done the passwd -R and re-established the trust.   Once the user retests with the trust I'll let you know how it goes.

The comment in the article about only System users being able to list the registry entries doesn't mean it will ignore the "passwd -R" done for a non-Administrative user (by an Administrative account of course) does it?   At present the remote Windows user is a local Administrative user but of course we plan to lock that down some after other testing pans out.

--- Stromeko@nexgo.de wrote:

From: Achim Gratz <Stromeko@nexgo.de>
To: cygwin@cygwin.com
Subject: Re: ssh to Cygwin sshd - command with bat file fails when trust established but works with password authentication
Date: Tue, 06 Sep 2016 19:59:47 +0200

Jeffrey Lightner writes:
> The weirdness is that this failure only occurs when we call it using
> ssh trust to make the connection. If we make the connection without a
> trust so that it prompts for the OS level password the bat file then
> executes correctly including its application level login.

That most likely means that this application needs network access.  If
you log in via public key and don't have a password stored in registry
via 'passwd -R' and cygserver running to use it, then you won't have any
access rights to non-local resources.

https://cygwin.com/cygwin-ug-net/ntsec.html#ntsec-setuid-overview

If all you need is indeed to run one script, you might alternatively be
able to set up a service that starts under a network user and just runs
that script when triggered by your remote user login in via ssh.


Regards,
Achim.
-- 
+<[Q+ Matrix-12 WAVE#46+305 Neuron microQkb Andromeda XTk Blofeld]>+

Factory and User Sound Singles for Waldorf Q+, Q and microQ:
http://Synth.Stromeko.net/Downloads.html#WaldorfSounds

--
Problem reports:       http://cygwin.com/problems.html
FAQ:                   http://cygwin.com/faq/
Documentation:         http://cygwin.com/docs.html
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple




--
Problem reports:       http://cygwin.com/problems.html
FAQ:                   http://cygwin.com/faq/
Documentation:         http://cygwin.com/docs.html
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple




--
Problem reports:       http://cygwin.com/problems.html
FAQ:                   http://cygwin.com/faq/
Documentation:         http://cygwin.com/docs.html
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple

Re: ssh to Cygwin sshd - command with bat file fails when trust established but works with password authentication

[Achim Gratz]

Jeffrey Lightner writes:
> The weirdness is that this failure only occurs when we call it using
> ssh trust to make the connection. If we make the connection without a
> trust so that it prompts for the OS level password the bat file then
> executes correctly including its application level login.

That most likely means that this application needs network access.  If
you log in via public key and don't have a password stored in registry
via 'passwd -R' and cygserver running to use it, then you won't have any
access rights to non-local resources.

https://cygwin.com/cygwin-ug-net/ntsec.html#ntsec-setuid-overview

If all you need is indeed to run one script, you might alternatively be
able to set up a service that starts under a network user and just runs
that script when triggered by your remote user login in via ssh.


Regards,
Achim.
-- 
+<[Q+ Matrix-12 WAVE#46+305 Neuron microQkb Andromeda XTk Blofeld]>+

Factory and User Sound Singles for Waldorf Q+, Q and microQ:
http://Synth.Stromeko.net/Downloads.html#WaldorfSounds

--
Problem reports:       http://cygwin.com/problems.html
FAQ:                   http://cygwin.com/faq/
Documentation:         http://cygwin.com/docs.html
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple

ssh to Cygwin sshd - command with bat file fails when trust established but works with password authentication

[Jeffrey Lightner]

Hi all,

We recently setup Cygwin (uname –a shows CYGWIN_NT-6.1 ATMEPD01 2.5.2(0.297/5/3) 2016-06-23 14:29 x86_64 Cygwin)  and configured its sshd on one of our Windows 2008 R2 (SP1) servers.   The idea is to allow one of our Linux (RHEL6.8) servers to run a bat file on the Windows server via ssh from a Linux scheduled cron job. Since this will be automated from the Linux side I setup standard ssh trust from the Linux user to a Windows user. Testing the trust verified it works and can be used to login without password and to remotely  execute Windows bat files.

The problem is that there is a specific bat file that is failing when the command it calls tries to "login" to the Essbase application (i.e. not OS level login) but appears to be running the other commands in the bat file properly.

The weirdness is that this failure only occurs when we call it using ssh trust to make the connection. If we make the connection without a trust so that it prompts for the OS level password the bat file then executes correctly including its application level login.

This suggests there is some environmental difference when ssh logs in with a password vs when it connects with a trust. I've checked the "set" and "env" Linux commands output on the Windows user after login as well as the DOS "set" command output and there is no difference between them when logged in via trust vs logged in via password.

To reiterate the "login" that is failing is something with the application not the OS user. The OS user logs in successfully either way. Calling the bat file works either way – it is only this application "login" that is failing from within the bat file and only when done via ssh trust.

I also found sshpass allows one to feed the OS level password to the ssh call and using that from the RHEL6.8 server also works when I call the bat file on the Windows. This reinforces the idea of an environmental difference between password login and trust connection. 

Has anyone seen this kind of behavior before and if so can you share what you did to resolve it for trusts?

I did search the web and the archives but most hits come up simply to explain how to establish a trust vs using password authentication but that isn’t my problem because the trust itself does work.   Also of course there are many guides talking about how to setup sshd in Cygwin.   Since I can connect via ssh I know sshd is running properly.   I’ve been using ssh on Linux and UNIX for years.  I’ve also been using Cygwin on Windows laptops for years but this is the first time I’m using its sshd and I’ll admit I’m stumped on this one.   It doesn’t seem it should care which way I got logged in (password vs trust) once I actually am logged in but clearly it does care.