From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: (qmail 23559 invoked by alias); 18 Sep 2003 14:26:21 -0000 Mailing-List: contact cygwin-help@cygwin.com; run by ezmlm Precedence: bulk List-Subscribe: List-Archive: List-Post: List-Help: , Sender: cygwin-owner@cygwin.com Mail-Followup-To: cygwin@cygwin.com Received: (qmail 23544 invoked from network); 18 Sep 2003 14:26:20 -0000 Received: from unknown (HELO hotmail.com) (64.4.21.66) by sources.redhat.com with SMTP; 18 Sep 2003 14:26:20 -0000 Received: from mail pickup service by hotmail.com with Microsoft SMTPSVC; Thu, 18 Sep 2003 07:26:15 -0700 Received: from 68.101.155.172 by lw14fd.law14.hotmail.msn.com with HTTP; Thu, 18 Sep 2003 14:26:15 GMT X-Originating-IP: [68.101.155.172] X-Originating-Email: [karlm30@hotmail.com] From: "Karl M" To: cygwin@cygwin.com Bcc: Subject: Re: SSHD, Cygwin and Windows 2003 : continued with user rights Date: Thu, 18 Sep 2003 14:39:00 -0000 Mime-Version: 1.0 Content-Type: text/plain; format=flowed Message-ID: X-OriginalArrivalTime: 18 Sep 2003 14:26:15.0941 (UTC) FILETIME=[D1A57350:01C37DF0] X-SW-Source: 2003-09/txt/msg01211.txt.bz2 Hi All... Quite a while ago (12 to 18 months?) before Cygwin OpenSSH could impersonate a user, there was some experimental activity in OpenSSH to allow multiple authentication methods. There was a patch to add this on the OpenSSH archives. I experimented with this to require public key followed by password authentication. This got me the security of a public key authentication and also got me a password to change user ID. When Cygwin added the impersonate user ability, I dropped this activity. ...Karl >From: Olivier ALLART >To: Cygwin List >Subject: Re: SSHD, Cygwin and Windows 2003 : continued with user rights >Date: Thu, 18 Sep 2003 01:22:48 +0200 > >Larry Hall wrote: > >>Hm, I thought I was clear. Let me try again addressing iisreset >>specifically. >> >>iisreset doesn't work in the scenario you described because it's a >>Microsoft tool which knows nothing of the Cygwin environment. Cygwin's >>ssh using pubkey authentication doesn't authenticate the user with >>Windows. So if >>you need certain credentials to perform some operation in Windows, pubkey >>authentication won't provide them. >> >Ok. I tought ssh offered some mechanism trough cygwin to authenticate as if >under windows .. >That means the 'administrator' account via ssh pubkey is not >'administrator' then .. > >>If you need to run iisreset through ssh, >>you will need to use password authentication, which takes the password for >>the user 'administrator' and authenticates for Windows with it. You >>should >>then be able to use iisreset (if authentication is really the only thing >>getting in the way with pubkey). >> >yes it is, since it is working with ssh connection (using password on >login) when sshd runs under 'local system' > >>I don't know what are the "*some commands*" you're speaking of, but if >>they are Cygwin utilities, then I think the answer is obvious. If they >>are not Cygwin utilities, then I would have to say that they don't require >>special privileges to run. This is actually true for most utilities. But >>if this is still confusing for you, you'll have to provide specifics. >>However, I think you'll find that it's likely that anything that works for >>you in ssh using pubkey authentication falls into one of the two groups of >>utilities I mentioned. >> >and you are probably right. >other commands are for example 'wlbs' (or nlb). >My problem is : I want to execute some remote (but encrypted) commands >using both wlbs and iisreset. >wlbs works fine from remote, but so is not for IISreset. >I thought authentication using ssh and public key would allow me to perform >the iisreset command.. >But from what you explained; it is clear that whatever user logs in with >pubkey, it won't be considered as 'administrator' >It looks like iisreset can only be performed *locally* by *local >administrator*, which is dumb in the situation where you are from remote. >Only other remote control would be 'telnet' but hey, ms telnet can't >pertform remote commands. > >Last question; if I provided a pubkey in the 'administrator' (cygwin) >environment, who am I for windows ? > >Thank you very much. >Next I guess I'll go look for some tip on how to unlock iisreset so it can >be used by whatever admin and not just local .. > >> >>HTH, >> >>Larry >> >> >>At 02:56 PM 9/17/2003, Olivier ALLART you wrote: >> >> >> >>>Thank you for the details, but then, why *some commands* work and not >>>others ? >>>And more specifically, how can I make *this command* work ? >>> >>> >>>Larry Hall wrote: >>> >>> >>> >>>>I think you missed the fact that pubkey authentication does >>>>impersonation, >>>>not Windows-style authentication. So Windows apps won't recognize the >>>>pubkey >>>>authentication as providing permissions to run restricted programs. >>>>You'll >>>>have to use password authentication if you want Windows to recognize the >>>>user you've become via ssh. You can find all sorts of discussion on the >>>>difference between pubkey and password authentication for ssh in the >>>>email archives if you're interested. >>>> >>>> >>>> >>>At 12:40 PM 9/17/2003, Olivier ALLART you wrote: >>> >>> >>> >>>>Following Mark J de Jong 's step by step howto (see end of mail for some >>>>add-ons), I can now effectively log in with pkey method (that is, no >>>>password) using the 'administrator' user name. >>>>'whoami' returns 'administrator', however asking for a command such as >>>>IISRESET returns the error 'you are not a local administrator of this >>>>machine...', which means the rights management has failed somewhere. >>>> >>>> >>>> >>> >>> >>> >>> >>>>-- >>>>Larry Hall http://www.rfk.com >>>>RFK Partners, Inc. (508) 893-9779 - RFK Office >>>>838 Washington Street (508) 893-9889 - FAX >>>>Holliston, MA 01746 >>>> >>>> >>>>. >>>> >>>> >>>> >>>> >>> >>>-- >>>Unsubscribe info: http://cygwin.com/ml/#unsubscribe-simple >>>Problem reports: http://cygwin.com/problems.html >>>Documentation: http://cygwin.com/docs.html >>>FAQ: http://cygwin.com/faq/ >>> >>> >> >> >>-- >>Unsubscribe info: http://cygwin.com/ml/#unsubscribe-simple >>Problem reports: http://cygwin.com/problems.html >>Documentation: http://cygwin.com/docs.html >>FAQ: http://cygwin.com/faq/ >> >> >>. >> >> >> > > > >-- >Unsubscribe info: http://cygwin.com/ml/#unsubscribe-simple >Problem reports: http://cygwin.com/problems.html >Documentation: http://cygwin.com/docs.html >FAQ: http://cygwin.com/faq/ > _________________________________________________________________ Get a FREE computer virus scan online from McAfee. http://clinic.mcafee.com/clinic/ibuy/campaign.asp?cid=3963 -- Unsubscribe info: http://cygwin.com/ml/#unsubscribe-simple Problem reports: http://cygwin.com/problems.html Documentation: http://cygwin.com/docs.html FAQ: http://cygwin.com/faq/