public inbox for cygwin@cygwin.com
From: Larry Hall <cygwin-lh@cygwin.com>
To: "Brindl Ronald" <rbrindl@gmx.at>, <cygwin@cygwin.com>
Subject: Re: AW: Inaccessible remote volumes when logged in via ssh
Date: Thu, 13 May 2004 06:31:00 -0000
Message-ID: <6.1.0.6.0.20040512222556.031ef9c8@127.0.0.1>
In-Reply-To: <00fc01c43758$24e95e20$0500a8c0@ron>

At 09:01 AM 5/11/2004, you wrote:
>I am logging in using password (I already heard of troubles using
>publickey, although I can log in as normal user using public key)
>The volume is mounted using the explorer menu (extra -> connect drive, I
>don't know if that's correct because I have a german version), and it is
>configured to mount automatically at startup.


Well, something is wrong with your password authentication then because
the behavior you're getting is exactly the same as with public key 
authentication.


>I just tried to use "net use" in my ssh-session and noticed it doesn't
>work (system error 1312)
>It is the same case as in 
>http://archive.erdelynet.com/ssh-l/2004-04/msg00033.php
>And in
>http://archive.erdelynet.com/ssh-l/2002-11/msg00006.php
>
>And
>http://archive.erdelynet.com/ssh-l/2004-03/msg00057.php
>
>It has something to do with user-privileges and that the sshd runs as
>user SYSTEM. It seems that the ssh-sessions also run as SYSTEM, and
>not as the user which logged in.


No, that's not quite right.  *If* you use password authentication when you
'ssh' into your Cygwin ssh server, you will be authenticated by Windows and 
have full access to whatever resource (including shares) Windows allows you.  
*If* you use public key authentication, you can access any resource that does 
not require Windows authentication (including public shares).  Either way, 
you are running the 'ssh' session as the user you specify (or default to) 
for that session.  Only 'sshd' runs as SYSTEM (by default).  Running 'sshd' 
allows switching the user context from SYSTEM to the requested user for 
the 'ssh' session.


>What I don't understand is, why it works when I log in locally via ssh
>(ssh localhost -l bpc). 


It "works" because you're already authenticated with Windows on that machine 
as the user you're shelling in as.  So Windows knows this user and therefore 
will provide access to the restricted resources.  


>It should also run as user system without
>network-privileges.


No that's incorrect.


>I tried the following:
>At <current-time + 1> /INTERACTIVE cmd
>
>Which should open a cmd-shell in one minute which runs as SYSTEM.
>The shell opens and I also have no access to the network.


That's expected.


>So I tried to start the sshd service as user "sshd" (changed owner of
>all files, adjusted the security policies etc). The service starts but
>the strange result is, that I can't login with password anymore, only
>with public key !!! And I still don't have access to network .
>When I do a ps -W -f I get:
>
>    sshd    1608       1   ?  14:10:21 /usr/bin/cygrunsrv
>    sshd    1348    1720   ?  14:11:09 /usr/sbin/sshd
>       0     756       0   ?  14:11:11 C:\cygwin\bin\bash.exe
>     bpc    1716    1680   1  14:11:46 /usr/bin/ps
>       0    1760       0   ?  14:11:47 C:\cygwin\bin\ps.exe


Don't know why you tried this but as you can see, it doesn't buy you
anything.


>So I assume the shell still runs under the SYSTEM account


No.  Now it would be run as user 'sshd', with whatever privileges the 'sshd'
user has.  By default, this user has no ability to switch user contexts so 
no matter who you log in as, you will always be 'sshd'.


>Trying around with UsePrivilegeSeperation i had trouble starting the
>service at all. (complained about wrong privileges of /var/empty)


If you start changing the user that 'sshd' runs as, you're going to need
to be careful about resetting file ownership on many files and directories
that 'sshd' and 'ssh' use.  It isn't recommended that you run 'sshd' as 
any user other than SYSTEM (unless you're running on W2K3 - see the openssh
README for details on running on that platform).  At this point, you're
probably best off removing 'openssh' from your system, cleaning up any
leftover files, and reinstalling, using the install scripts and directions
provided with the package.  If you still have problems, we need to know
the steps you took, any messages you got, log files generated, configuration 
file settings, etc.  But keep in mind you can find out a lot about what 
'sshd' and 'ssh' are doing by running them with verbosity/debugging turned 
on.  See the man pages for details.



--
Larry Hall                              http://www.rfk.com
RFK Partners, Inc.                      (508) 893-9779 - RFK Office
838 Washington Street                   (508) 893-9889 - FAX
Holliston, MA 01746                     


--
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple
Problem reports:       http://cygwin.com/problems.html
Documentation:         http://cygwin.com/docs.html
FAQ:                   http://cygwin.com/faq/
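As an added example (not code from the thread, from Cygwin or from OpenSSH), the following POSIX sh diagnostic turns the two points Larry makes above into checks an administrator can run inside an ssh session: which account the 'sshd' daemon is actually running under, parsed from `ps -W -f` output in the column order shown in Ronald's listing, and whether a `net use` probe failed with the "System error 1312" message Ronald reported (no Windows logon session, as happens with public key authentication) rather than succeeding or failing for some other reason. The function names (`sshd_owner`, `sshd_status`, `classify_net_use`) are the example's own, and the sample process listings are constructed from the thread.

```shell
#!/bin/sh
# Added diagnostic, not code from the thread, Cygwin or OpenSSH.
# Assumptions: `ps -W -f` prints columns UID PID PPID TTY STIME COMMAND
# (as in the listing Ronald posted), and `net use` prints the standard
# Windows messages "System error 1312 has occurred." on failure and
# "The command completed successfully." on success.

# Print the account that owns the sshd daemon, or "not-running".
sshd_owner() {
    printf '%s\n' "$1" | awk '
        $NF == "/usr/sbin/sshd" { print $1; found = 1; exit }
        END { if (!found) print "not-running" }
    '
}

# Map the owner to its consequence: by default only SYSTEM (Cygwin uid 18)
# can switch the session from the daemon account to the authenticated user.
sshd_status() {
    owner=$(sshd_owner "$1")
    case "$owner" in
        SYSTEM|18)   echo "ok: sshd runs as SYSTEM and can switch user context" ;;
        not-running) echo "sshd is not in the process list" ;;
        *)           echo "warning: sshd runs as '$owner'; every session will stay '$owner'" ;;
    esac
}

# Classify the output of a `net use` probe run inside the ssh session.
classify_net_use() {
    if printf '%s\n' "$1" | grep -q 'System error 1312'; then
        echo "no-logon-session"   # no Windows logon session behind this token (public key auth)
    elif printf '%s\n' "$1" | grep -q 'completed successfully'; then
        echo "ok"                 # Windows authenticated the session; shares are reachable
    else
        echo "other-failure"      # some other error, e.g. a plain access-denied
    fi
}

# Constructed samples: the first reproduces the listing from the thread
# (sshd started as user "sshd"), the second shows the default SYSTEM owner.
SAMPLE_PS_SSHD_USER='    sshd    1608       1   ?  14:10:21 /usr/bin/cygrunsrv
    sshd    1348    1720   ?  14:11:09 /usr/sbin/sshd
       0     756       0   ?  14:11:11 C:\cygwin\bin\bash.exe
     bpc    1716    1680   1  14:11:46 /usr/bin/ps'
SAMPLE_PS_SYSTEM='  SYSTEM    1608       1   ?  14:10:21 /usr/bin/cygrunsrv
  SYSTEM    1348    1608   ?  14:11:09 /usr/sbin/sshd'

# Stand-alone demo. On a Cygwin host pass "$(ps -W -f)" and
# "$(net use 2>&1)" instead of the constructed strings.
main() {
    sshd_status "$SAMPLE_PS_SSHD_USER"
    sshd_status "$SAMPLE_PS_SYSTEM"
    classify_net_use 'System error 1312 has occurred.'
    classify_net_use 'The command completed successfully.'
}

main
```

Running the demo prints a warning for the "sshd"-owned daemon and an ok line for the SYSTEM-owned one, followed by `no-logon-session` and `ok` for the two net use messages. A `no-logon-session` result together with an ok daemon status points at the authentication method (public key) rather than at the daemon, which is the distinction Larry draws above.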
