Troubleshooting SSH connection as SYSTEM user.

Troubleshooting SSH connection as SYSTEM user.

[Matthew Leonhardt]

Hello all,

I'm trying to install a service to keep some SSH tunnels alive using
the following script:

$ cat ssh_tunnel.exe
#!/usr/bin/bash
while :
do
  /cygdrive/c/WINDOWS/system32/netstat -an | grep 192\.168\.0\.1:139 \
    | grep LISTENING > /dev/null
  if (( $? )); then
    /usr/bin/ssh -v -v -v -x -i/home/user/.ssh/id_rsa -2 \
      -L 192.168.0.1:139:127.0.0.1:139 -N remote_user@remote.host 2>&1 &
  fi
  /cygdrive/c/WINDOWS/system32/netstat -an | grep 192\.168\.0\.1:3306 \
    | grep LISTENING > /dev/null
  if (( $? )); then
    /usr/bin/ssh -v -v -v -x -i/home/user/.ssh/id_rsa -2 \
      -L 192.168.0.1:3306:127.0.0.1:3306 -N remote_user@remote.host 2>&1 &
  fi
  sleep 300
done

The script works fine at the command line, but fails when running as a
service.  My vain attempt to gather info (-v -v -v) only yields:

Permission denied, please try again.
Permission denied, please try again.
Permission denied (publickey,gssapi-with-mic,password).

in the service log (all three lines for each instance of an ssh command).

SYSTEM should have access to id_rsa:

$ getfacl id_rsa
# file: id_rsa
# owner: user
# group: Domain Users
user::rw-
group::---
group:SYSTEM:r--
mask:rwx
other:---

$ ls -l id_rsa
-rw-------+ 1 user Domain Users 1679 Dec 13 13:40 id_rsa

But, id_rsa was generated as "user", not as "SYSTEM," so I'm wondering
if SYSTEM needs it's own private RSA key, and how one would go about
generating one, since I don't seem to be able to su to the SYSTEM
user.

I appreciate any help anyone can offer.

-Matt

--
Problem reports:       http://cygwin.com/problems.html
FAQ:                   http://cygwin.com/faq/
Documentation:         http://cygwin.com/docs.html
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple

Re: Troubleshooting SSH connection as SYSTEM user.

[Larry Hall (Cygwin)]

On 5/26/2011 11:10 AM, Matthew Leonhardt wrote:
> Hello all,
>
> I'm trying to install a service to keep some SSH tunnels alive using
> the following script:
>
> $ cat ssh_tunnel.exe
> #!/usr/bin/bash
> while :
> do
>    /cygdrive/c/WINDOWS/system32/netstat -an | grep 192\.168\.0\.1:139 \
>      | grep LISTENING>  /dev/null
>    if (( $? )); then
>      /usr/bin/ssh -v -v -v -x -i/home/user/.ssh/id_rsa -2 \
>        -L 192.168.0.1:139:127.0.0.1:139 -N remote_user@remote.host 2>&1&
>    fi
>    /cygdrive/c/WINDOWS/system32/netstat -an | grep 192\.168\.0\.1:3306 \
>      | grep LISTENING>  /dev/null
>    if (( $? )); then
>      /usr/bin/ssh -v -v -v -x -i/home/user/.ssh/id_rsa -2 \
>        -L 192.168.0.1:3306:127.0.0.1:3306 -N remote_user@remote.host 2>&1&
>    fi
>    sleep 300
> done
>
> The script works fine at the command line, but fails when running as a
> service.  My vain attempt to gather info (-v -v -v) only yields:
>
> Permission denied, please try again.
> Permission denied, please try again.
> Permission denied (publickey,gssapi-with-mic,password).
>
> in the service log (all three lines for each instance of an ssh command).
>
> SYSTEM should have access to id_rsa:
>
> $ getfacl id_rsa
> # file: id_rsa
> # owner: user
> # group: Domain Users
> user::rw-
> group::---
> group:SYSTEM:r--
> mask:rwx
> other:---
>
> $ ls -l id_rsa
> -rw-------+ 1 user Domain Users 1679 Dec 13 13:40 id_rsa
>
> But, id_rsa was generated as "user", not as "SYSTEM," so I'm wondering
> if SYSTEM needs it's own private RSA key, and how one would go about
> generating one, since I don't seem to be able to su to the SYSTEM
> user.

Correct.  What you propose could be a work-around for your case.  Check
out the link below for how to create a SYSTEM-owned shell that you can
then experiment with.

<http://cygwin.com/ml/cygwin/2004-08/msg01132.html>

-- 
Larry

_____________________________________________________________________

A: Yes.
 > Q: Are you sure?
 >> A: Because it reverses the logical flow of conversation.
 >>> Q: Why is top posting annoying in email?

--
Problem reports:       http://cygwin.com/problems.html
FAQ:                   http://cygwin.com/faq/
Documentation:         http://cygwin.com/docs.html
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple

Re: Troubleshooting SSH connection as SYSTEM user.

[Matthew Leonhardt]

On Thu, May 26, 2011 at 4:47 PM, Larry Hall (Cygwin) wrote:
> On 5/26/2011 11:10 AM, Matthew Leonhardt wrote:
>>
>> Hello all,
>>
>> I'm trying to install a service to keep some SSH tunnels alive using
>> the following script:
>>
>> $ cat ssh_tunnel.exe
>> #!/usr/bin/bash
>> while :
>> do
>>   /cygdrive/c/WINDOWS/system32/netstat -an | grep 192\.168\.0\.1:139 \
>>     | grep LISTENING>  /dev/null
>>   if (( $? )); then
>>     /usr/bin/ssh -v -v -v -x -i/home/user/.ssh/id_rsa -2 \
>>       -L 192.168.0.1:139:127.0.0.1:139 -N remote_user@remote.host 2>&1&
>>   fi
>>   /cygdrive/c/WINDOWS/system32/netstat -an | grep 192\.168\.0\.1:3306 \
>>     | grep LISTENING>  /dev/null
>>   if (( $? )); then
>>     /usr/bin/ssh -v -v -v -x -i/home/user/.ssh/id_rsa -2 \
>>       -L 192.168.0.1:3306:127.0.0.1:3306 -N remote_user@remote.host 2>&1&
>>   fi
>>   sleep 300
>> done
>>
>> The script works fine at the command line, but fails when running as a
>> service.  My vain attempt to gather info (-v -v -v) only yields:
>>
>> Permission denied, please try again.
>> Permission denied, please try again.
>> Permission denied (publickey,gssapi-with-mic,password).
>>
>> in the service log (all three lines for each instance of an ssh command).
>>
>> SYSTEM should have access to id_rsa:
>>
>> $ getfacl id_rsa
>> # file: id_rsa
>> # owner: user
>> # group: Domain Users
>> user::rw-
>> group::---
>> group:SYSTEM:r--
>> mask:rwx
>> other:---
>>
>> $ ls -l id_rsa
>> -rw-------+ 1 user Domain Users 1679 Dec 13 13:40 id_rsa
>>
>> But, id_rsa was generated as "user", not as "SYSTEM," so I'm wondering
>> if SYSTEM needs it's own private RSA key, and how one would go about
>> generating one, since I don't seem to be able to su to the SYSTEM
>> user.
>
> Correct.  What you propose could be a work-around for your case.  Check
> out the link below for how to create a SYSTEM-owned shell that you can
> then experiment with.
>
> <http://cygwin.com/ml/cygwin/2004-08/msg01132.html>

Brilliant!  That's exactly what I was looking for and it totally did
the trick.  TY!

FWIW, I had to modify the shortcut to use full paths to the date and
sleep commands.

--
Problem reports:       http://cygwin.com/problems.html
FAQ:                   http://cygwin.com/faq/
Documentation:         http://cygwin.com/docs.html
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple

Re: Troubleshooting SSH connection as SYSTEM user.

[Larry Hall (Cygwin)]

On 5/26/2011 5:46 PM, Matthew Leonhardt wrote:
> On Thu, May 26, 2011 at 4:47 PM, Larry Hall (Cygwin) wrote:
>> On 5/26/2011 11:10 AM, Matthew Leonhardt wrote:
>>>
>>> Hello all,
>>>
>>> I'm trying to install a service to keep some SSH tunnels alive using
>>> the following script:
>>>
>>> $ cat ssh_tunnel.exe
>>> #!/usr/bin/bash
>>> while :
>>> do
>>>    /cygdrive/c/WINDOWS/system32/netstat -an | grep 192\.168\.0\.1:139 \
>>>      | grep LISTENING>    /dev/null
>>>    if (( $? )); then
>>>      /usr/bin/ssh -v -v -v -x -i/home/user/.ssh/id_rsa -2 \
>>>        -L 192.168.0.1:139:127.0.0.1:139 -N remote_user@remote.host 2>&1&
>>>    fi
>>>    /cygdrive/c/WINDOWS/system32/netstat -an | grep 192\.168\.0\.1:3306 \
>>>      | grep LISTENING>    /dev/null
>>>    if (( $? )); then
>>>      /usr/bin/ssh -v -v -v -x -i/home/user/.ssh/id_rsa -2 \
>>>        -L 192.168.0.1:3306:127.0.0.1:3306 -N remote_user@remote.host 2>&1&
>>>    fi
>>>    sleep 300
>>> done
>>>
>>> The script works fine at the command line, but fails when running as a
>>> service.  My vain attempt to gather info (-v -v -v) only yields:
>>>
>>> Permission denied, please try again.
>>> Permission denied, please try again.
>>> Permission denied (publickey,gssapi-with-mic,password).
>>>
>>> in the service log (all three lines for each instance of an ssh command).
>>>
>>> SYSTEM should have access to id_rsa:
>>>
>>> $ getfacl id_rsa
>>> # file: id_rsa
>>> # owner: user
>>> # group: Domain Users
>>> user::rw-
>>> group::---
>>> group:SYSTEM:r--
>>> mask:rwx
>>> other:---
>>>
>>> $ ls -l id_rsa
>>> -rw-------+ 1 user Domain Users 1679 Dec 13 13:40 id_rsa
>>>
>>> But, id_rsa was generated as "user", not as "SYSTEM," so I'm wondering
>>> if SYSTEM needs it's own private RSA key, and how one would go about
>>> generating one, since I don't seem to be able to su to the SYSTEM
>>> user.
>>
>> Correct.  What you propose could be a work-around for your case.  Check
>> out the link below for how to create a SYSTEM-owned shell that you can
>> then experiment with.
>>
>> <http://cygwin.com/ml/cygwin/2004-08/msg01132.html>
>
> Brilliant!  That's exactly what I was looking for and it totally did
> the trick.  TY!

You're welcome.

> FWIW, I had to modify the shortcut to use full paths to the date and
> sleep commands.

Smart move. :-)

-- 
Larry

_____________________________________________________________________

A: Yes.
 > Q: Are you sure?
 >> A: Because it reverses the logical flow of conversation.
 >>> Q: Why is top posting annoying in email?

--
Problem reports:       http://cygwin.com/problems.html
FAQ:                   http://cygwin.com/faq/
Documentation:         http://cygwin.com/docs.html
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple