public inbox for cygwin@cygwin.com
* SSHD, Cygwin and Windows 2003 : continued with user rights
@ 2003-09-17 16:49 Olivier ALLART
  2003-09-17 18:43 ` Larry Hall
From: Olivier ALLART @ 2003-09-17 16:49 UTC (permalink / raw)
  To: cygwin

Following Mark J de Jong's step by step howto (see end of mail for some 
add-ons), I can now effectively log in with pkey method (that is, no 
password) using the 'administrator' user name.
'whoami' returns 'administrator', however asking for a command such as 
IISRESET returns the error 'you are not a local administrator of this 
machine...', which means the rights management has failed somewhere.

What shall I do to be able to run IISreset from ssh pkey under 
administrator?


note : su'ing to 'administrator' returns 'wrong password' after correct 
pass input, and logging in via sshd with the 'local system sshd' method 
acknowledges the administrator to execute IISRESET..

that's why I wonder if adding the 'create token' and co. stuff to the user 
SYSTEM wouldn't help, but I feel this is not a right thing to do ...

> Hello,
> I've looked and couldn't find decent docs on this so for those of you
> who are lookin', this is a quick howto on how to setup the
> Cygwin/OpenSSH daemon on M$ Windows 2003. This will fix the passwordless
> (ssh key) login issue.
>
> 1. Install Cygwin with the openssh binaries.... 

add c:\cygwin\bin to the PATH
add the CYGWIN=ntsec tty environment variable

>
> 2. After completing the Cygwin setup, goto the cygwin command prompt and
> type 'ssh-host-config'
> 3. Answer 'y' when asked if you want to sshd with privilege separation.
> 4. Answer 'y' when asked if user sshd should be created by the script.
> 5. Answer 'y' when asked if you want sshd to be created as a service.
> 6. Create a new windows user named "sshdproc" or whatever you wish the
> sshd process account username to be. If you happen to notice the sshd
> user being disabled, don't enable it!
> 7. Place the sshdproc user in the "Administrators" group.
> 8. Give the sshdproc user the following system rights:
>     * Create a token object
>     * Log on as a service
>     * Replace a process level token
>
>     And for security.....
>     * Deny log on locally
>     * Deny access to this computer from the network
>
> 9. Reconfigure the "CYGWIN sshd service" to run as the new "sshdproc"
> user.
> 10. At the cygwin command prompt type 'mkpasswd -l |grep sshdproc >>
> /etc/passwd <enter>'
> 11. Type 'touch /var/log/sshd.log <enter>'
> 12. Type 'chmod 644 /var/log/sshd.log <enter>'
> 13. Type 'chown sshdproc /var/empty /var/log/sshd.log /etc/ssh_*
> <enter>'
> 14. Type 'cygrunsrv --start sshd <enter>'

also ssh-user-config

>
> That should be it.. Hope this helps! 


it helps, but not enough :)

>
>
> Best,
> Mark J. de Jong


--
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple
Problem reports:       http://cygwin.com/problems.html
Documentation:         http://cygwin.com/docs.html
FAQ:                   http://cygwin.com/faq/
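Steps 10 to 14 of the quoted howto, written here as an added example (not code from the thread or from Cygwin) in a form that is safe to re-run: the passwd entry is matched on the exact user name rather than with a grep substring, and is appended only once. The account name sshdproc and the paths are the howto's; mkpasswd, chown and cygrunsrv are assumed to be the Cygwin tools on PATH, and the mkpasswd output used for testing is constructed.

```shell
#!/bin/bash
# Added example, not code from the thread or from Cygwin: steps 10 to 14 of the
# quoted howto as a script that is safe to run more than once. Account name
# "sshdproc" and paths are the howto's; mkpasswd, chown, cygrunsrv are Cygwin's.
set -eu

# Print the line of mkpasswd output (read from stdin) whose user field is
# exactly $1. The howto's `mkpasswd -l | grep sshdproc` would also append an
# account such as "sshdproc2", or any line whose home path contains the string.
passwd_entry_for() {
    awk -F: -v u="$1" '$1 == u { print; exit }'
}

# Succeed if passwd file $2 (default /etc/passwd) already has an entry for $1.
# A missing file makes awk fail, which counts as "no entry".
has_passwd_entry() {
    awk -F: -v u="$1" '$1 == u { found = 1 } END { exit (found ? 0 : 1) }' \
        "${2:-/etc/passwd}" 2>/dev/null
}

# Step 10, made idempotent: append the exact entry for user $1 to passwd file
# $2, taking mkpasswd output from stdin, unless the entry is already present.
add_service_user() {
    if has_passwd_entry "$1" "$2"; then
        return 0
    fi
    entry="$(passwd_entry_for "$1")"
    if [ -z "$entry" ]; then
        echo "no local Windows account named '$1'" >&2
        return 1
    fi
    printf '%s\n' "$entry" >> "$2"
}

# Steps 11 to 13: world-readable log file, with the privsep directory, the log
# and the host keys owned by the service account.
prepare_sshd_files() {
    touch /var/log/sshd.log
    chmod 644 /var/log/sshd.log
    chown "$1" /var/empty /var/log/sshd.log /etc/ssh_*
}

# The steps run only when the script is invoked as `./sshd-account.sh --apply
# [user]`; loading it without --apply just defines the functions above.
if [ "${1-}" = "--apply" ]; then
    svc_user="${2:-sshdproc}"
    mkpasswd -l | add_service_user "$svc_user" /etc/passwd   # step 10
    prepare_sshd_files "$svc_user"                            # steps 11-13
    cygrunsrv --start sshd                                    # step 14
fi
```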

* Re: SSHD, Cygwin and Windows 2003 : continued with user rights
@ 2003-09-18 14:39 Karl M
From: Karl M @ 2003-09-18 14:39 UTC (permalink / raw)
  To: cygwin

Hi All...

Quite a while ago (12 to 18 months?) before Cygwin OpenSSH could impersonate 
a user, there was some experimental activity in OpenSSH to allow multiple 
authentication methods. There was a patch to add this on the OpenSSH 
archives.

I experimented with this to require public key followed by password 
authentication. This got me the security of a public key authentication and 
also got me a password to change user ID. When Cygwin added the impersonate 
user ability, I dropped this activity.

...Karl


>From: Olivier ALLART <olivier.allart@speeq.com>
>To: Cygwin List <cygwin@cygwin.com>
>Subject: Re: SSHD, Cygwin and Windows 2003 : continued with user rights
>Date: Thu, 18 Sep 2003 01:22:48 +0200
>
>Larry Hall wrote:
>
>>Hm, I thought I was clear.  Let me try again addressing iisreset
>>specifically.
>>
>>iisreset doesn't work in the scenario you described because it's a 
>>Microsoft tool which knows nothing of the Cygwin environment.  Cygwin's 
>>ssh using pubkey authentication doesn't authenticate the user with 
>>Windows.  So if
>>you need certain credentials to perform some operation in Windows, pubkey
>>authentication won't provide them.
>>
>Ok. I thought ssh offered some mechanism through cygwin to authenticate as if 
>under windows ..
>That means the 'administrator' account via ssh pubkey is not 
>'administrator' then ..
>
>>If you need to run iisreset through ssh,
>>you will need to use password authentication, which takes the password for 
>>the user 'administrator' and authenticates for Windows with it.  You 
>>should
>>then be able to use iisreset (if authentication is really the only thing
>>getting in the way with pubkey).
>>
>yes it is, since it is working with ssh connection (using password on 
>login) when sshd runs under 'local system'
>
>>I don't know what are the "*some commands*" you're speaking of, but if 
>>they are Cygwin utilities, then I think the answer is obvious.  If they 
>>are not Cygwin utilities, then I would have to say that they don't require 
>>special privileges to run.  This is actually true for most utilities.  But 
>>if this is still confusing for you, you'll have to provide specifics.  
>>However, I think you'll find that it's likely that anything that works for 
>>you in ssh using pubkey authentication falls into one of the two groups of 
>>utilities I mentioned.
>>
>and you are probably right.
>other commands are for example 'wlbs' (or nlb).
>My problem is: I want to execute some remote (but encrypted) commands 
>using both wlbs and iisreset.
>wlbs works fine from remote, but it is not so for IISreset.
>I thought authentication using ssh and public key would allow me to perform 
>the iisreset command..
>But from what you explained; it is clear that whatever user logs in with 
>pubkey, it won't be considered as 'administrator'
>It looks like iisreset can only be performed *locally* by *local 
>administrator*, which is dumb in the situation where you are from remote. 
>Only other remote control would be 'telnet' but hey, ms telnet can't 
>perform remote commands.
>
>Last question; if I provided a pubkey in the 'administrator' (cygwin) 
>environment, who am I for windows ?
>
>Thank you very much.
>Next I guess I'll go look for some tip on how to unlock iisreset so it can 
>be used by whatever admin and not just local ..
>
>>
>>HTH,
>>
>>Larry
>>
>>
>>At 02:56 PM 9/17/2003, Olivier ALLART you wrote:
>>>Thank you for the details, but then, why *some commands* work and not 
>>>others ?
>>>And more specifically, how can I make *this command* work ?
>>>
>>>
>>>Larry Hall wrote:
>>>>I think you missed the fact that pubkey authentication does 
>>>>impersonation,
>>>>not Windows-style authentication.  So Windows apps won't recognize the 
>>>>pubkey
>>>>authentication as providing permissions to run restricted programs.  
>>>>You'll
>>>>have to use password authentication if you want Windows to recognize the
>>>>user you've become via ssh.  You can find all sorts of discussion on the 
>>>>difference between pubkey and password authentication for ssh in the 
>>>>email archives if you're interested.
>>>At 12:40 PM 9/17/2003, Olivier ALLART you wrote:
>>>>Following Mark J de Jong 's step by step howto (see end of mail for some 
>>>>add-ons), I can now effectively log in with pkey method (that is, no 
>>>>password) using the 'administrator' user name.
>>>>'whoami' returns 'administrator', however asking for a command such as 
>>>>IISRESET returns the error 'you are not a local administrator of this 
>>>>machine...', which means the rights management has failed somewhere.
>>>>
>>>>--
>>>>Larry Hall                              http://www.rfk.com
>>>>RFK Partners, Inc.                      (508) 893-9779 - RFK Office
>>>>838 Washington Street                   (508) 893-9889 - FAX
>>>>Holliston, MA 01746
>>>
>
