To: cygwin@cygwin.com
From: "Robert Jacobson"
Subject: sshd: testing whether login was via public key or password?
Message-ID: <31708-1454085768-838778@sneakemail.com>
Date: Fri, 29 Jan 2016 19:02:00 -0000

Hi,

Short version: "schtasks /change" fails because I used SSH public key auth. I'd like to add error checking to a script I run, so that it exits if the user doesn't have the right session token (password), and "fix" SSH public key login so I get the right privileges. How best to do that? I've read the following but not sure I understand it enough to pick the "best" method:

https://cygwin.com/cygwin-ug-net/ntsec.html

The full issue:

I'm attempting to remotely change passwords for some Windows scheduled tasks. After logging in (via SSH public key) I could change the passwords for tasks for different (non-admin) accounts, but not my own admin account.

# After logging in with SSH pub key:
$ id -G | grep -qE '\<(544|0)\>' && echo admin || echo user
admin
$ whoami
Administrator
$ schtasks /query /TN "\backup_web_users" /v /fo list | grep 'Run As'
Run As User: Administrator
$ schtasks /change /RP newpassword /TN "\backup_web_users"
ERROR: Logon failure: unknown user name or bad password.
### Note: if one tries to do above cmd repeatedly, you might lock
### your account after too many login attempts

# But for a regular user account, it worked OK:
$ schtasks /query /TN "\Cleanup Old" /v /fo list | grep 'Run As'
Run As User: HOSTNAME\nonadminuser
$ schtasks /change /RP newpassword /TN "\Cleanup Old"
SUCCESS: The parameters of scheduled task "\Cleanup Old" have been changed.

I figured out the above "Logon failure" was due to logging in via SSH public key, reference:

https://cygwin.com/ml/cygwin/2004-09/msg00087.html

As noted in the reference above, if I log in via SSH using my password, I can successfully change the scheduled task password for Administrator tasks. Similarly, it works if I save my password using "passwd -R".

We would like to continue to require public key auth because it is more secure (our public keys are from smartcards, so it's effectively two-factor authentication).

I've already confirmed that storing the passwd with "passwd -R" works. I have not tried using cyglsa-config -- would that help? My understanding is that local access would work but access to network resources would not. I would think scheduled tasks are local so it should work but did not want to modify my system yet without some feedback from cygwin experts :)

Also, is there another way I might obtain the proper privs/session token, WITHOUT storing the password permanently? I noticed that running "passwd -R" doesn't help with the CURRENT ssh session; i.e. I would have to log out and log in again.

Finally, the obvious way of checking if the proper privileges are present is simply trying the "schtasks" command and seeing if it fails by checking the exit status. I'm just wondering (for academic reasons) if there's a better way. Perhaps there is some "view my current session token" command?

If it matters:

$ uname -a
CYGWIN_NT-6.1-WOW nissan 2.2.1(0.289/5/3) 2015-08-20 11:40 i686 Cygwin

The OS is Server 2008 R2 64-bit.
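
An added example, not part of the original post: a shell wrapper for the exit-status check described above that stops at the first "Logon failure", so a session without usable credentials cannot run into the account lockout the post warns about. The `SCHTASKS` override variable, the function names and the return codes are assumptions made for this example; the `schtasks` options and the error text are the ones shown in the post.

```shell
# Command to run; override SCHTASKS with a stub to try this without Windows.
SCHTASKS=${SCHTASKS:-schtasks}

# change_task_password TASK PASSWORD
# Returns 0 on success, 2 when schtasks reports "Logon failure" (the case
# seen after a public-key login), 1 on any other error.
change_task_password() {
    local task="$1" pw="$2" out
    if out=$("$SCHTASKS" /change /RP "$pw" /TN "$task" 2>&1); then
        return 0
    fi
    case "$out" in
        *"Logon failure"*) return 2 ;;
        *) echo "$out" >&2; return 1 ;;
    esac
}

# change_all PASSWORD TASK...
# Changes each task in turn and sets CHANGED to the number that succeeded.
# Aborts on the first logon failure instead of retrying with the next task,
# because every further attempt counts toward the lockout threshold.
change_all() {
    local pw="$1" rc task failed=0
    shift
    CHANGED=0
    for task in "$@"; do
        change_task_password "$task" "$pw" && rc=0 || rc=$?
        case "$rc" in
            0) CHANGED=$((CHANGED + 1)) ;;
            2) echo "logon failure on '$task': session lacks usable" \
                    "credentials, aborting" >&2
               return 2 ;;
            *) echo "could not change '$task'" >&2
               failed=$((failed + 1)) ;;
        esac
    done
    [ "$failed" -eq 0 ]
}

# Example call (task names taken from the post):
#   change_all "$NEWPW" '\backup_web_users' '\Cleanup Old' || exit $?
```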