public inbox for cygwin@cygwin.com
* Sshd - Can't get access thru Public Key
@ 2003-09-12 15:59 Olivier ALLART
  2003-09-13  8:56 ` Corinna Vinschen
  0 siblings, 1 reply; 5+ messages in thread
From: Olivier ALLART @ 2003-09-12 15:59 UTC (permalink / raw)
  To: cygwin

Hi

On a Win 2003 Server, I got the message
'Setuid : 500: Not permitted' when trying to login using RSA PK mechanisms.
Login/Passwd works just fine, but using a PKey won't work.

default install of cygwin, using openssh 3.3 and configured using the 
'ssh-host-config' script
authorized_key matches, debug returns 'user accepted'

My goal is to log in via PK thru ssh to be able to execute remote scripts.

Is there a solution to get sshd to work with PK as if login/pass ? 
(Nothing found on the MLs nor the web)

Also to note a 'hang' in the service after some time, stating 'user32 
could not be loaded, winerror 0', which seems to be overcome only with 
reboot. Not a solution. Has anyone a better one ?

Olivier
IT dept
SPeeQ



--
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple
Problem reports:       http://cygwin.com/problems.html
Documentation:         http://cygwin.com/docs.html
FAQ:                   http://cygwin.com/faq/


* Re: Sshd - Can't get access thru Public Key
  2003-09-12 15:59 Sshd - Can't get access thru Public Key Olivier ALLART
@ 2003-09-13  8:56 ` Corinna Vinschen
  2003-09-13  9:05   ` Olivier ALLART
  2003-09-15 13:13   ` Olivier ALLART
  0 siblings, 2 replies; 5+ messages in thread
From: Corinna Vinschen @ 2003-09-13  8:56 UTC (permalink / raw)
  To: cygwin

On Fri, Sep 12, 2003 at 05:59:03PM +0200, Olivier ALLART wrote:
> On a Win 2003 Server, I got the message
> 'Setuid : 500: Not permitted' when trying to login using RSA PK mechanisms.
> Login/Passwd works just fine, but using a PKey won't work.

That can be found in the mailing list archive already.
E.g. http://www.cygwin.com/ml/cygwin/2003-07/msg00684.html

Corinna

-- 
Corinna Vinschen                  Please, send mails regarding Cygwin to
Cygwin Developer                                mailto:cygwin@cygwin.com
Red Hat, Inc.


* Re: Sshd - Can't get access thru Public Key
  2003-09-13  8:56 ` Corinna Vinschen
@ 2003-09-13  9:05   ` Olivier ALLART
  2003-09-15 13:13   ` Olivier ALLART
  1 sibling, 0 replies; 5+ messages in thread
From: Olivier ALLART @ 2003-09-13  9:05 UTC (permalink / raw)
  To: cygwin

Wow thanks a lot.

I wonder why this mail was not listed in the results when I was 
searching the MLs or web..

Olivier

Corinna Vinschen wrote:

>On Fri, Sep 12, 2003 at 05:59:03PM +0200, Olivier ALLART wrote:
>>On a Win 2003 Server, I got the message
>>'Setuid : 500: Not permitted' when trying to login using RSA PK mechanisms.
>>Login/Passwd works just fine, but using a PKey won't work.
>
>That can be found in the mailing list archive already.
>E.g. http://www.cygwin.com/ml/cygwin/2003-07/msg00684.html
>
>Corinna




* Re: Sshd - Can't get access thru Public Key
  2003-09-13  8:56 ` Corinna Vinschen
  2003-09-13  9:05   ` Olivier ALLART
@ 2003-09-15 13:13   ` Olivier ALLART
  2003-09-15 17:13     ` Corinna Vinschen
  1 sibling, 1 reply; 5+ messages in thread
From: Olivier ALLART @ 2003-09-15 13:13 UTC (permalink / raw)
  To: cygwin

Corinna Vinschen wrote:

>On Fri, Sep 12, 2003 at 05:59:03PM +0200, Olivier ALLART wrote:
>>On a Win 2003 Server, I got the message
>>'Setuid : 500: Not permitted' when trying to login using RSA PK mechanisms.
>>Login/Passwd works just fine, but using a PKey won't work.
>
>That can be found in the mailing list archive already.
>E.g. http://www.cygwin.com/ml/cygwin/2003-07/msg00684.html
>
>Corinna

I found out the following:

>create a special account for this, which is member of the admins
>group and has the additional user privileges "Create a token object",
>"Replace a process level token" and "Logon as a service".  Probably
>it makes sense to remove other privileges from that account, e.g.
>the right to logon locally or so.

my (dumb ?) question is : where do we define such parameters ?

And if I get the thing correctly, sshd should still run the same way 
(under the sshd user account with local sys privileges) but we should 
connect using this newly created user account to log in .. am I right ?





* Re: Sshd - Can't get access thru Public Key
  2003-09-15 13:13   ` Olivier ALLART
@ 2003-09-15 17:13     ` Corinna Vinschen
  0 siblings, 0 replies; 5+ messages in thread
From: Corinna Vinschen @ 2003-09-15 17:13 UTC (permalink / raw)
  To: cygwin

On Mon, Sep 15, 2003 at 03:13:27PM +0200, Olivier ALLART wrote:
> Corinna Vinschen wrote:
> >create a special account for this, which is member of the admins
> >group and has the additional user privileges "Create a token object",
> >"Replace a process level token" and "Logon as a service".  Probably
> >it makes sense to remove other privileges from that account, e.g.
> >the right to logon locally or so.
> 
> my (dumb ?) question is : where do we define such parameters ?
> 
> And if I get the thing correctly, sshd should still run the same way 
> (under the sshd user account with local sys privileges) but we should 
> connect using this newly created user account to log in .. am I right ?

No.  *Don't* run sshd under the sshd account.  The service must run
under some privileged account, member of the administrators group,
created with the usual Windows user management tools.  Add the
"Create a token object" right to the account in the "Local Security
Policy" mmc snap-in.  Create an /etc/passwd entry for the user.
Install the service with cygrunsrv so that it runs under that new
privileged account.

Corinna

-- 
Corinna Vinschen                  Please, send mails regarding Cygwin to
Cygwin Developer                                mailto:cygwin@cygwin.com
Red Hat, Inc.
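
A check for the setup described in the message above, as an added example that is not part of the original thread: it audits a listing of the service account's user rights against the three rights named in the quoted advice and rejects the unprivileged "sshd" account. The listing format (one right constant per line), the use of Cygwin's `editrights` to produce it, and the account name `sshd_server` are assumptions.

```bash
#!/bin/bash
# Added example: audit the user rights held by the sshd service account.
# stdin: one Windows user-right constant per line (assumed listing format,
# e.g. what Cygwin's `editrights -l -u <account>` prints).

# Constants for "Create a token object", "Replace a process level token"
# and "Logon as a service", the three rights named in the thread.
REQUIRED_RIGHTS="SeCreateTokenPrivilege SeAssignPrimaryTokenPrivilege SeServiceLogonRight"
# "Log on locally": the thread suggests removing it from this account.
DISCOURAGED_RIGHTS="SeInteractiveLogonRight"

# audit_rights ACCOUNT < rights-listing
# Prints one finding per line. Returns 0 only if every required right is
# present and ACCOUNT is not the unprivileged "sshd" account.
audit_rights() {
    local account="$1" held right status=0
    # Drop CRs from Windows line endings, trim whitespace, skip blank lines.
    held=$(tr -d '\r' | awk 'NF { $1 = $1; print }')
    if [ "$account" = "sshd" ]; then
        echo "FAIL: the service must not run under the sshd account"
        status=1
    fi
    for right in $REQUIRED_RIGHTS; do
        if printf '%s\n' "$held" | grep -qxF "$right"; then
            echo "OK: $right"
        else
            echo "MISSING: $right"
            status=1
        fi
    done
    for right in $DISCOURAGED_RIGHTS; do
        if printf '%s\n' "$held" | grep -qxF "$right"; then
            echo "WARN: $right is granted; consider removing it"
        fi
    done
    return "$status"
}

# Constructed sample listing for a hypothetical account "sshd_server".
printf '%s\r\n' SeCreateTokenPrivilege SeServiceLogonRight \
    | audit_rights sshd_server || true
```

A MISSING line for the token rights corresponds to the state in which password logins work but public-key logins fail, as reported at the start of the thread.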

