To: cygwin@cygwin.com
From: Nicola Mingotti
Subject: Can't ssh to a Cygwin machine in the Windows domain -- seteuid
Date: Sat, 19 Dec 2020 23:53:04 +0100

Hi,

I would like to run Cygwin ssh on a few computers in a Windows Domain. The DC is Samba, running in Debian 10.

I found several issues. Lastly I decided to follow a guide, this:
https://microtechnology-services.github.io/2016/04/29/cygwin-sshd-on-windows-domain.html

It did not go well, so I followed partially another document, it is not specific for the domain, but it is very recent, this:
https://www.softwareab.net/wordpress/cygwin-sshd-pubkey-authentication/

Still, I can't make it work after about 2 days of struggling.

This is what I did.

1] Install Cygwin, the usual way (I did it more than once). Install packages openssh and ruby.
2] Prepare a user "cyg_server" in the Windows domain

3] Set a GPO in the domain, giving "cyg_server" these attributes:
   . act as part of the operating system
   . create a token object
   . log on as a service
   . replace a process level token
   . deny access to this computer from the network
   . deny log on through Remote Desktop Services

4] Open Cygwin as "Administrator" and stop cygsshd to remove a complexity layer, I want to run "sshd" by hand and see error logs.
   cy adm> cygrunsrv.exe --stop cygsshd

5] Copy as administrator the ssh* files in /etc to a /home/cyg_server/myEtc/ and make 'cyg_server' the owner

6] Open a shell Cygwin with "Run as different user", the user is: 'cyg_server'

7] In this new shell I run the command:
   cy> /usr/sbin/sshd.exe -ddd -f /home/cyg_server/myEtc/sshd_config

8] Move to another machine, a Linux, outside the domain and run a command similar to what follows. 'domus' is the name of the machine running the cygwin sshd server, it is in the windows domain called 'WINDOM'. 'nicola' is a Domain User in Windom.
   $> ssh nicola@domus

The output I see from point [7] is:
----------
...
debug3: send packet: type 51 [preauth]
debug3: receive packet: type 50 [preauth]
debug1: userauth-request for user nicola service ssh-connection method publickey [preauth]
debug1: attempt 1 failures 0 [preauth]
debug2: input_userauth_request: try method publickey [preauth]
debug2: userauth_pubkey: valid user nicola querying public key rsa-sha2-512 AAAAB3NzaC1yc2EAAAADAQABAAABAQCoEX3G1bjNTD17IoXtl3MQU/ImtuetRZpm60BL/GmpG2JvT3TfQH1lqoXR1jY2pdOYRdskN+KQk3ob+2E31xL7PUFd1/h6IIYzNceDS/lD/oeDMkWm4u54M1VBiIRqdSgXAc7Vce34yZTuuHOLk/ZE3ozgln0Asz98+cXA8gy+mohXY/0+Rkr0XHwhU1nRhTnG4sWqByeZ0zmD5m3wXyFfxq4ih3hf+sAarrGQk5IIpl3SYvMu5gvF3q/7s5Kx5brlxH7BnAob7NTPYyC6we1L/D+gsFkHjTffefU62TTjZy+7HC6FtppNadvi5aNJI6yuBg5XJbRgcytLqo9jv9QX [preauth]
debug1: userauth_pubkey: test pkalg rsa-sha2-512 pkblob RSA SHA256:hcDASnV1vvd88xpKM/xN2XtUSCvcW3oPUz0izqFMTBE [preauth]
debug3: mm_key_allowed entering [preauth]
debug3: mm_request_send entering: type 22 [preauth]
debug3: mm_key_allowed: waiting for MONITOR_ANS_KEYALLOWED [preauth]
debug3: mm_request_receive_expect entering: type 23 [preauth]
debug3: mm_request_receive entering [preauth]
debug3: mm_request_receive entering
debug3: monitor_read: checking request 22
debug3: mm_answer_keyallowed entering
debug3: mm_answer_keyallowed: key_from_blob: 0x8000988e0
debug1: temporarily_use_uid: 1049679/1049089 (e=1049726/1049089)
seteuid 1049679: Operation not permitted
debug1: do_cleanup
debug1: Killing privsep child 804
----------

I tried several variations e.g. change the user logging in, change the OS of the computer running the ssh call. Change permissions to the landing home user directory. Change to put/delete the /etc/passwd, /etc/groups files.

=> Nothing. Always "seteuid" error.

I hope you can give me some advice.

Thanks in advance.

Nicola Mingotti
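
Added example, not part of the original message: a short Python triage of the `sshd -ddd` output quoted above. It reads the `temporarily_use_uid: U/G (e=EU/EG)` line (the uid/gid sshd is about to assume, followed by the effective uid/gid the sshd process currently holds) and attaches the `seteuid`/`setegid` failure that follows it. The sample log is constructed from the lines in the message; the function and field names are illustrative.

```python
import re

# Constructed sample: the tail of the `sshd -ddd` output quoted in the message.
SAMPLE_LOG = """\
debug3: mm_answer_keyallowed entering
debug3: mm_answer_keyallowed: key_from_blob: 0x8000988e0
debug1: temporarily_use_uid: 1049679/1049089 (e=1049726/1049089)
seteuid 1049679: Operation not permitted
debug1: do_cleanup
debug1: Killing privsep child 804
"""

# "temporarily_use_uid: <uid>/<gid> (e=<euid>/<egid>)": identity sshd is about
# to assume, then the effective identity the sshd process holds right now.
SWITCH = re.compile(r"temporarily_use_uid: (\d+)/(\d+) \(e=(\d+)/(\d+)\)")
# Fatal line emitted when the identity change is refused.
FAILURE = re.compile(r"\b(seteuid|setegid) (\d+): (.+)$")


def identity_switches(log_text):
    """Return one record per attempted identity switch, with any failure attached."""
    records = []
    for line in log_text.splitlines():
        line = line.strip()
        m = SWITCH.search(line)
        if m:
            uid, gid, euid, egid = map(int, m.groups())
            records.append({
                "target_uid": uid, "target_gid": gid,
                "running_euid": euid, "running_egid": egid,
                "uid_change_needed": uid != euid,
                "failed_call": None, "error": None,
            })
            continue
        m = FAILURE.search(line)
        if m and records and records[-1]["failed_call"] is None:
            call, ident, error = m.group(1), int(m.group(2)), m.group(3)
            last = records[-1]
            # Only attach the failure if it names the id this switch asked for.
            wanted = last["target_uid"] if call == "seteuid" else last["target_gid"]
            if ident == wanted:
                last["failed_call"], last["error"] = call, error
    return records


if __name__ == "__main__":
    for rec in identity_switches(SAMPLE_LOG):
        print(rec)
```

For the quoted log this reports that the process running with effective uid 1049726 was refused when it tried to become uid 1049679; comparing those two numbers against `id -u` for each account shows which identity sshd was started under and which one it tried to assume.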