public inbox for cygwin@cygwin.com
* Seteuid "operation not permitted" error when using LSA for sshd
@ 2012-05-25  1:56 Mark Pattie
  2012-05-25  9:41 ` Corinna Vinschen
  2012-05-28 14:19 ` Mark Pattie
  0 siblings, 2 replies; 9+ messages in thread
From: Mark Pattie @ 2012-05-25  1:56 UTC (permalink / raw)
  To: cygwin

Hi all,

I have installed Cygwin and am running sshd successfully. The
permission required for the sshd service account "create a token
object" is not permitted to be granted to any accounts in my
organization. As such I have decided to use LSA based on Method 2 on
the following page: http://cygwin.com/cygwin-ug-net/ntsec.html.

I had successfully tested ssh authentication with a public/private
certificate pair prior to running /usr/bin/cyglsa-config to install
LSA. I ran the script, removed the "create a token object" permission
and rebooted the server. Now I cannot authenticate using the
public/private keys. I receive the following error in the Windows
event log:

sshd: PID 2780: fatal: seteuid 1003: Operation not permitted

When I add the permission back to the service account and restart sshd
the public/private key authentication works again

Any help would be great

Thanks,
Mark

--
Problem reports:       http://cygwin.com/problems.html
FAQ:                   http://cygwin.com/faq/
Documentation:         http://cygwin.com/docs.html
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple


* Re: Seteuid "operation not permitted" error when using LSA for sshd
  2012-05-25  1:56 Seteuid "operation not permitted" error when using LSA for sshd Mark Pattie
@ 2012-05-25  9:41 ` Corinna Vinschen
  2012-05-28 14:19 ` Mark Pattie
  1 sibling, 0 replies; 9+ messages in thread
From: Corinna Vinschen @ 2012-05-25  9:41 UTC (permalink / raw)
  To: cygwin

On May 25 10:15, Mark Pattie wrote:
> Hi all,
> 
> I have installed Cygwin and am running sshd successfully. The
> permission required for the sshd service account "create a token
> object" is not permitted to be granted to any accounts in my
> organization. As such I have decided to use LSA based on Method 2 on
> the following page: http://cygwin.com/cygwin-ug-net/ntsec.html.
> 
> I had successfully tested ssh authentication with a public/private
> certificate pair prior to running /usr/bin/cyglsa-config to install
> LSA. I ran the script, removed the "create a token object" permission
> and rebooted the server. Now I cannot authenticate using the
> public/private keys. I receive the following error in the Windows
> event log:
> 
> sshd: PID 2780: fatal: seteuid 1003: Operation not permitted
> 
> When I add the permission back to the service account and restart sshd
> the public/private key authentication works again
> 
> Any help would be great

Does the account have TCB rights?  That's required to run LSA auth.
Same for method 3, btw.


Corinna

-- 
Corinna Vinschen                  Please, send mails regarding Cygwin to
Cygwin Project Co-Leader          cygwin AT cygwin DOT com
Red Hat


* Re: Seteuid "operation not permitted" error when using LSA for sshd
  2012-05-25  1:56 Seteuid "operation not permitted" error when using LSA for sshd Mark Pattie
  2012-05-25  9:41 ` Corinna Vinschen
@ 2012-05-28 14:19 ` Mark Pattie
  2012-05-29  8:21   ` Mark Pattie
  1 sibling, 1 reply; 9+ messages in thread
From: Mark Pattie @ 2012-05-28 14:19 UTC (permalink / raw)
  To: cygwin

Thanks for responding so quickly.

In the security log I can see it has been assigned the privilege
SeTcbPrivilege. Security log entry:

Special privileges assigned to new logon.

Subject:
	Security ID:		BUILDSERVER\cygwin_sshd
	Account Name:		cygwin_sshd
	Account Domain:		BUILDSERVER
	Logon ID:		0x12c1c4

Privileges:		SeAssignPrimaryTokenPrivilege
			SeTcbPrivilege
			SeSecurityPrivilege
			SeTakeOwnershipPrivilege
			SeLoadDriverPrivilege
			SeBackupPrivilege
			SeRestorePrivilege
			SeDebugPrivilege
			SeSystemEnvironmentPrivilege
			SeImpersonatePrivilege

In User Rights Assignment it has the following privileges:

Act as part of the operating system
Adjust memory quotas for a process
Logon as a service
Replace a process level token

Thanks,
Mark


>Does the account have TCB rights?  That's required to run LSA auth.
>Same for method 3, btw.
>
>
>Corinna
>
>--
>Corinna Vinschen                  Please, send mails regarding Cygwin to
>Cygwin Project Co-Leader          cygwin AT cygwin DOT com
>Red Hat
>
>On Fri, May 25, 2012 at 10:15 AM, Mark Pattie <markpattie@gmail.com> wrote:
> Hi all,
>
> I have installed Cygwin and am running sshd successfully. The
> permission required for the sshd service account "create a token
> object" is not permitted to be granted to any accounts in my
> organization. As such I have decided to use LSA based on Method 2 on
> the following page: http://cygwin.com/cygwin-ug-net/ntsec.html.
>
> I had successfully tested ssh authentication with a public/private
> certificate pair prior to running /usr/bin/cyglsa-config to install
> LSA. I ran the script, removed the "create a token object" permission
> and rebooted the server. Now I cannot authenticate using the
> public/private keys. I receive the following error in the Windows
> event log:
>
> sshd: PID 2780: fatal: seteuid 1003: Operation not permitted
>
> When I add the permission back to the service account and restart sshd
> the public/private key authentication works again
>
> Any help would be great
>
> Thanks,
> Mark


* Re: Seteuid "operation not permitted" error when using LSA for sshd
  2012-05-28 14:19 ` Mark Pattie
@ 2012-05-29  8:21   ` Mark Pattie
  2012-05-29 12:57     ` Corinna Vinschen
  0 siblings, 1 reply; 9+ messages in thread
From: Mark Pattie @ 2012-05-29  8:21 UTC (permalink / raw)
  To: cygwin

I have now removed Cygwin completely from the server and reinstalled.
I am using the default service account that Cygwin creates for sshd
(cyg_server), removed the "create a token object" permission for this
account and configured the LSA package but have the same problem. Any
advice on troubleshooting this issue further or any insight would be
great.

Thanks,
Mark

On Mon, May 28, 2012 at 10:10 AM, Mark Pattie <markpattie@gmail.com> wrote:
> Thanks for responding so quickly.
>
> In the security log I can see it has been assigned the privilege
> SeTcbPrivilege. Security log entry:
>
> Special privileges assigned to new logon.
>
> Subject:
>        Security ID:            BUILDSERVER\cygwin_sshd
>        Account Name:           cygwin_sshd
>        Account Domain:         BUILDSERVER
>        Logon ID:               0x12c1c4
>
> Privileges:             SeAssignPrimaryTokenPrivilege
>                        SeTcbPrivilege
>                        SeSecurityPrivilege
>                        SeTakeOwnershipPrivilege
>                        SeLoadDriverPrivilege
>                        SeBackupPrivilege
>                        SeRestorePrivilege
>                        SeDebugPrivilege
>                        SeSystemEnvironmentPrivilege
>                        SeImpersonatePrivilege
>
> In User Rights Assignment it has the following privileges:
>
> Act as part of the operating system
> Adjust memory quotas for a process
> Logon as a service
> Replace a process level token
>
> Thanks,
> Mark
>
>
>>Does the account have TCB rights?  That's required to run LSA auth.
>>Same for method 3, btw.
>>
>>
>>Corinna
>>
>>--
>>Corinna Vinschen                  Please, send mails regarding Cygwin to
>>Cygwin Project Co-Leader          cygwin AT cygwin DOT com
>>Red Hat
>>
>>On Fri, May 25, 2012 at 10:15 AM, Mark Pattie <markpattie@gmail.com> wrote:
>> Hi all,
>>
>> I have installed Cygwin and am running sshd successfully. The
>> permission required for the sshd service account "create a token
>> object" is not permitted to be granted to any accounts in my
>> organization. As such I have decided to use LSA based on Method 2 on
>> the following page: http://cygwin.com/cygwin-ug-net/ntsec.html.
>>
>> I had successfully tested ssh authentication with a public/private
>> certificate pair prior to running /usr/bin/cyglsa-config to install
>> LSA. I ran the script, removed the "create a token object" permission
>> and rebooted the server. Now I cannot authenticate using the
>> public/private keys. I receive the following error in the Windows
>> event log:
>>
>> sshd: PID 2780: fatal: seteuid 1003: Operation not permitted
>>
>> When I add the permission back to the service account and restart sshd
>> the public/private key authentication works again
>>
>> Any help would be great
>>
>> Thanks,
>> Mark


* Re: Seteuid "operation not permitted" error when using LSA for sshd
  2012-05-29  8:21   ` Mark Pattie
@ 2012-05-29 12:57     ` Corinna Vinschen
  2012-08-01 18:55       ` David Koppenhofer
  0 siblings, 1 reply; 9+ messages in thread
From: Corinna Vinschen @ 2012-05-29 12:57 UTC (permalink / raw)
  To: cygwin

On May 29 12:41, Mark Pattie wrote:
> I have now removed Cygwin completely from the server and reinstalled.
> I am using the default service account that Cygwin creates for sshd
> (cyg_server), removed the "create a token object" permission for this
> account and configured the LSA package but have the same problem. Any
> advice on troubleshooting this issue further or any insight would be
> great.

There's nothing you can do.  I have tested this scenario and it turns
out that it's a problem with the cyglsa DLL itself, not even related
to the permissions, but a generic problem.

I have fixed that in CVS (tested on W7 and XP).  The next developer
snapshot (I will create one today or tomorrow) on
http://cygwin.com/snapshots/ will contain this patch.  Just rip the
cyglsa.dll file from the cygwin-inst-YYYYMMDD.tar.bz2 package, copy
it to the /bin/cyglsa directory and reboot.  This should hopefully
fix your problem.  Please report back.


Thanks,
Corinna

-- 
Corinna Vinschen                  Please, send mails regarding Cygwin to
Cygwin Project Co-Leader          cygwin AT cygwin DOT com
Red Hat


* Re: Seteuid "operation not permitted" error when using LSA for sshd
  2012-05-29 12:57     ` Corinna Vinschen
@ 2012-08-01 18:55       ` David Koppenhofer
  2012-08-02  9:16         ` Corinna Vinschen
  0 siblings, 1 reply; 9+ messages in thread
From: David Koppenhofer @ 2012-08-01 18:55 UTC (permalink / raw)
  To: cygwin

Corinna Vinschen <corinna-cygwin <at> cygwin.com> writes:
> 
> On May 29 12:41, Mark Pattie wrote:
> > I have now removed Cygwin completely from the server and reinstalled.
> > I am using the default service account that Cygwin creates for sshd
> > (cyg_server), removed the "create a token object" permission for this
> > account and configured the LSA package but have the same problem. Any
> > advice on troubleshooting this issue further or any insight would be
> > great.
> 
> There's nothing you can do.  I have tested this scenario and it turns
> out that it's a problem with the cyglsa DLL itself, not even related
> to the permissions, but a generic problem.
> 
> I have fixed that in CVS (tested on W7 and XP).  The next developer
> snapshot (I will create one today or tomorrow) on
> http://cygwin.com/snapshots/ will contain this patch.  Just rip the
> cyglsa.dll file from the cygwin-inst-YYYYMMDD.tar.bz2 package, copy
> it to the /bin/cyglsa directory and reboot.  This should hopefully
> fix your problem.  Please report back.
> 
> Thanks,
> Corinna
> 

Hi Corinna,

I'm trying to get Cygwin sshd working with public key authentication on a Server
2008R2 box.  I don't have the "create a token object" permission either, so
followed the information in this thread to try to get LSA working:
I ran the /usr/bin/cyglsa-config script, downloaded the
cygwin-inst-20120530.tar.bz2 snapshot, and extracted the cyglsa64.dll file to
/bin/cyglsa/

I rebooted the server, made sure the sshd service was running, but I still
receive the "sshd: PID 3064: fatal: seteuid 1000: Operation not permitted" error.

Is there anything else I can try?

Thanks,
David





* Re: Seteuid "operation not permitted" error when using LSA for sshd
  2012-08-01 18:55       ` David Koppenhofer
@ 2012-08-02  9:16         ` Corinna Vinschen
  2012-08-02 19:15           ` David Koppenhofer
  0 siblings, 1 reply; 9+ messages in thread
From: Corinna Vinschen @ 2012-08-02  9:16 UTC (permalink / raw)
  To: cygwin

On Aug  1 18:43, David Koppenhofer wrote:
> Corinna Vinschen <corinna-cygwin <at> cygwin.com> writes:
> I'm trying to get Cygwin sshd working with public key authentication on a Server
> 2008R2 box.  I don't have the "create a token object" permission either, so
> followed the information in this thread to try to get LSA working:
> I ran the /usr/bin/cyglsa-config script, downloaded the
> cygwin-inst-20120530.tar.bz2 snapshot, and extracted the cyglsa64.dll file to
> /bin/cyglsa/

Why did you install cyglsa64 from the old snapshot?  The changes to
cyglsa are supposed to be in the Cygwin 1.7.16 package anyway.  I just
checked the cyglsa64.dll binary and it looks ok.  I installed Cygwin
1.7.16 on my 2008R2 test machine, ran cyglsa-config, rebooted, and
started the sshd service, and it works for me.

> I rebooted the server, made sure the sshd service was running, but I still
> receive the "sshd: PID 3064: fatal: seteuid 1000: Operation not permitted" error.

Does the service account have TCB privileges?  That's a hard requirement
for the user switch.


Corinna

-- 
Corinna Vinschen                  Please, send mails regarding Cygwin to
Cygwin Project Co-Leader          cygwin AT cygwin DOT com
Red Hat

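Both of Corinna's replies come down to one check: does the sshd service account hold SeTcbPrivilege ("Act as part of the operating system")? Mark answered by reading event 4672 and the User Rights Assignment snap-in by hand; David had not checked at all. The script below is an added example (not from this thread and not part of the Cygwin project) that performs that check from an elevated PowerShell prompt on the server. It exports the effective local security policy with secedit, resolves the service account to its SID, reports which of the privileges named in the thread the account actually holds, and then looks at whether an LSA authentication package containing "cyglsa" is registered. The account name is a placeholder, and the assumption that cyglsa-config registers its DLL as an entry containing "cyglsa" in the LSA "Authentication Packages" value is mine; adjust the pattern if your registration looks different.

```powershell
# Added example, not Cygwin project code. Run elevated on the sshd host.
# Assumptions: $Account is a placeholder for the real service account;
# cyglsa-config adds an entry containing "cyglsa" to the LSA
# "Authentication Packages" registry value (adjust the pattern if not).
param(
    [string]$Account = "$env:COMPUTERNAME\cyg_server"
)

# Privileges discussed in the thread, keyed by the internal name that
# secedit exports, with the display name shown in User Rights Assignment.
$Required = [ordered]@{
    'SeCreateTokenPrivilege'        = 'Create a token object (method 1 only)'
    'SeTcbPrivilege'                = 'Act as part of the operating system (LSA / method 3)'
    'SeAssignPrimaryTokenPrivilege' = 'Replace a process level token'
    'SeIncreaseQuotaPrivilege'      = 'Adjust memory quotas for a process'
    'SeServiceLogonRight'           = 'Log on as a service'
}

# secedit writes holders as SIDs prefixed with '*' (occasionally as bare
# names), so resolve the account to its SID before comparing.
$sid = (New-Object System.Security.Principal.NTAccount($Account)).Translate(
    [System.Security.Principal.SecurityIdentifier]).Value

# Export the effective local security policy and parse [Privilege Rights].
$cfg = Join-Path $env:TEMP 'secpol-export.inf'
secedit /export /cfg $cfg | Out-Null
$rights = @{}
$inSection = $false
foreach ($line in Get-Content $cfg) {
    if ($line -match '^\[(.+)\]$') {
        $inSection = ($Matches[1] -eq 'Privilege Rights')
        continue
    }
    if ($inSection -and $line -match '^(\S+)\s*=\s*(.*)$') {
        $rights[$Matches[1]] = $Matches[2].Split(',') |
            ForEach-Object { $_.Trim().TrimStart('*') }
    }
}
Remove-Item $cfg -ErrorAction SilentlyContinue

# One line per privilege: held or not, plus the display name to look for
# in secpol.msc if it has to be granted.
foreach ($priv in $Required.Keys) {
    $holders = $rights[$priv]
    $has = $holders -and (($holders -contains $sid) -or ($holders -contains $Account))
    '{0,-30} {1,-4} {2}' -f $priv, $(if ($has) { 'yes' } else { 'NO' }), $Required[$priv]
}

# The LSA package list is read by LSASS at boot, which is why the thread's
# instructions end with a reboot after copying cyglsa.dll.
$lsaKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$pkgs = (Get-ItemProperty $lsaKey -Name 'Authentication Packages').'Authentication Packages'
"Authentication Packages: $($pkgs -join ', ')"
$lsa = $pkgs | Where-Object { $_ -match 'cyglsa' }
if ($lsa) { "cyglsa registered: $lsa" }
else      { "cyglsa NOT registered (run cyglsa-config and reboot)" }
```

Read the SeTcbPrivilege line first: with the LSA method a "NO" there produces exactly the "seteuid ...: Operation not permitted" failure in this thread, regardless of what the other lines say. Note also that an organisation policy which forbids "Create a token object" but permits "Act as part of the operating system" gains nothing in practice, since either privilege lets the holder obtain tokens for arbitrary users; the sshd account should be treated as fully privileged either way and locked down accordingly (dedicated account, no interactive logon, audited).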

* Re: Seteuid "operation not permitted" error when using LSA for sshd
  2012-08-02  9:16         ` Corinna Vinschen
@ 2012-08-02 19:15           ` David Koppenhofer
  2012-08-03 12:48             ` Corinna Vinschen
  0 siblings, 1 reply; 9+ messages in thread
From: David Koppenhofer @ 2012-08-02 19:15 UTC (permalink / raw)
  To: cygwin

> Why did you install cyglsa64 from the old snapshot?  The changes to
> cyglsa are supposed to be in the Cygwin 1.7.16 package anyway.

Because I was grasping for straws, and didn't know the fix was in the current
package.


> > I rebooted the server, made sure the sshd service was running, but I still
> > receive the "sshd: PID 3064: fatal: seteuid 1000: Operation not permitted"
error.
> 
> Does the service account have TCB privileges?  That's a hard requirement
> for the user switch.

Ah ha!  The service account does not have the "Act as part of the operating
system" permission.

However, I ended up asking the network admin to give "Create a token object" to
the service account.  Since key authentication started working after that, I'll
just leave things as they are.

Thanks for your help.

David




* Re: Seteuid "operation not permitted" error when using LSA for sshd
  2012-08-02 19:15           ` David Koppenhofer
@ 2012-08-03 12:48             ` Corinna Vinschen
  0 siblings, 0 replies; 9+ messages in thread
From: Corinna Vinschen @ 2012-08-03 12:48 UTC (permalink / raw)
  To: cygwin

On Aug  2 18:39, David Koppenhofer wrote:
> > Why did you install cyglsa64 from the old snapshot?  The changes to
> > cyglsa are supposed to be in the Cygwin 1.7.16 package anyway.
> 
> Because I was grasping for straws, and didn't know the fix was in the current
> package.
> 
> 
> > > I rebooted the server, made sure the sshd service was running, but I still
> > > receive the "sshd: PID 3064: fatal: seteuid 1000: Operation not permitted"
> error.
> > 
> > Does the service account have TCB privileges?  That's a hard requirement
> > for the user switch.
> 
> Ah ha!  The service account does not have the "Act as part of the operating
> system" permission.
> 
> However, I ended up asking the network admin to give "Create a token object" to
> the service account.  Since key authentication started working after that, I'll
> just leave things as they are.

If the restrictions of this mode, especially in terms of network shares,
are no problem for you, that's fine.  Otherwise I'd like to point out
http://cygwin.com/cygwin-ug-net/ntsec.html#ntsec-setuid-overview


Corinna

-- 
Corinna Vinschen                  Please, send mails regarding Cygwin to
Cygwin Project Co-Leader          cygwin AT cygwin DOT com
Red Hat


Thread overview: 9+ messages
2012-05-25  1:56 Seteuid "operation not permitted" error when using LSA for sshd Mark Pattie
2012-05-25  9:41 ` Corinna Vinschen
2012-05-28 14:19 ` Mark Pattie
2012-05-29  8:21   ` Mark Pattie
2012-05-29 12:57     ` Corinna Vinschen
2012-08-01 18:55       ` David Koppenhofer
2012-08-02  9:16         ` Corinna Vinschen
2012-08-02 19:15           ` David Koppenhofer
2012-08-03 12:48             ` Corinna Vinschen
