From: Jarek C. <yaro_29@hotmail.com>
To: cygwin@cygwin.com
Subject: Problems with ssh connection
Date: Mon, 17 Aug 2015 19:39:00 -0000
Message-ID: <BLU436-SMTP8C98370D51206FDE669BD9E790@phx.gbl>
I have Cygwin installed on a couple of servers in a domain environment.
Of all machines regular user accounts can ssh to only one box.
Once installed I configured Cygwin using the following in a .bat file.
rem Make the Cygwin passwd/group files world-readable and owner-writable
c:\cygwin\bin\bash --login -c "chmod +r /etc/passwd"
c:\cygwin\bin\bash --login -c "chmod u+w /etc/passwd"
c:\cygwin\bin\bash --login -c "chmod +r /etc/group"
c:\cygwin\bin\bash --login -c "chmod u+w /etc/group"
rem Privilege separation directory, ssh host files and log, owned by the service account
c:\cygwin\bin\bash --login -c "chown -R domain_account /var/empty"
c:\cygwin\bin\bash --login -c "chmod 755 /var/empty"
c:\cygwin\bin\bash --login -c "chown domain_account /etc/ssh*"
c:\cygwin\bin\bash --login -c "chmod 755 /var/"
c:\cygwin\bin\bash --login -c "touch /var/log/sshd.log"
c:\cygwin\bin\bash --login -c "chown domain_account /var/log/sshd.log"
c:\cygwin\bin\bash --login -c "chmod 664 /var/log/sshd.log"
rem Grant the service account the rights sshd needs, listing them before and after
c:\cygwin\bin\bash --login -c "editrights -l -u domain_account"
c:\cygwin\bin\bash --login -c "editrights -a SeAssignPrimaryTokenPrivilege -u domain_account"
c:\cygwin\bin\bash --login -c "editrights -a SeCreateTokenPrivilege -u domain_account"
c:\cygwin\bin\bash --login -c "editrights -a SeTcbPrivilege -u domain_account"
c:\cygwin\bin\bash --login -c "editrights -a SeServiceLogonRight -u domain_account"
c:\cygwin\bin\bash --login -c "editrights -l -u domain_account"
rem Install the sshd service under the service account ("password" is a placeholder)
c:\cygwin\bin\bash --login -c "/bin/ssh-host-config -y -c ntsec -u domain_account -w password"
Somehow the permissions on the sshd_config file are different on the box
where the sftp connection works:
-rw-r--r-- 1 my_domain_account root 3679 Jul 24 12:44 /etc/sshd_config
whereas on all others I see
-rw-r--r-- 1 domain_account Administrators 3584 Jul 26 20:51
/etc/sshd_config
where the domain_account is the account under which the Cygwin service
is running.
When checking NTFS permissions I see in both cases the domain_account as
the owner.
I read somewhere that I need to run chown root:system /etc/password to
fix the permissions, but the account reports as invalid. Same if I try
just root or just system.
Am I even close focusing on the permissions of sshd_config? No idea why
they're different.
I think I used the same method on all servers, but they were not
installed at the same time, so it's possible I messed something up. I
don't want to break the working box, so I'm keeping it as a reference.
On the others I noticed that a regular domain user can connect when their
account gets added to local admins, which is what I would like to avoid.
--
Problem reports: http://cygwin.com/problems.html
FAQ: http://cygwin.com/faq/
Documentation: http://cygwin.com/docs.html
Unsubscribe info: http://cygwin.com/ml/#unsubscribe-simple
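The post above compares ownership and mode of sshd_config and the other files the .bat file touches across several boxes. Below is an added example, not from the original message and not part of Cygwin or OpenSSH: a POSIX shell function that audits those paths (sshd_config, passwd, group and the /var/empty privilege separation directory) and reports any that are missing, not owned by the account you expect, or group/world writable, so the working box and a broken one can be compared with one command. The function name, the PREFIX argument (which lets it run against a test tree instead of the live filesystem) and the list of paths are my assumptions; it relies only on `ls -ld` and `awk`/`cut`, which Cygwin's coreutils provide.

```shell
#!/bin/sh
# audit_sshd_perms PREFIX OWNER  (example helper, not Cygwin's own tooling)
#   Checks the files and directories sshd relies on. PREFIX is prepended to
#   every path ("" on the real box, a temporary tree when testing). OWNER is
#   the account you expect to own them (e.g. the sshd service account).
#   Prints one line per finding and returns 0 only when nothing was found.
audit_sshd_perms() {
    prefix="$1"
    owner="$2"
    status=0
    # Paths assumed here: the config, the passwd/group files sshd consults,
    # and the privilege separation directory.
    for rel in /etc/sshd_config /etc/passwd /etc/group /var/empty; do
        path="$prefix$rel"
        if [ ! -e "$path" ]; then
            echo "MISSING   $rel"
            status=1
            continue
        fi
        # ls -ld prints e.g. "-rw-r--r-- 1 domain_account Administrators ..."
        line=$(ls -ld "$path")
        mode=$(printf '%s\n' "$line" | awk '{print $1}')
        have=$(printf '%s\n' "$line" | awk '{print $3}')
        # Character 6 of the mode string is the group write bit, 9 is world write.
        group_w=$(printf '%s\n' "$mode" | cut -c6)
        world_w=$(printf '%s\n' "$mode" | cut -c9)
        if [ "$have" != "$owner" ]; then
            echo "OWNER     $rel is owned by $have, expected $owner"
            status=1
        fi
        if [ "$group_w" = "w" ] || [ "$world_w" = "w" ]; then
            echo "WRITABLE  $rel is group/world writable ($mode)"
            status=1
        fi
    done
    return $status
}
```

On a Cygwin box you would call it as `audit_sshd_perms "" domain_account` from a login shell; run it on the working server first to record the baseline, then on a failing one, and the diff of the two outputs is the list of things to reconcile. Only the owner column is compared, because the group column is exactly what differs between the two `ls -l` lines in the post (root vs. Administrators) and a mismatch there is not by itself a writability problem.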