This is the mail archive of the
mailing list for the Cygwin project.
Re: sshd on vista error "initgroups: Permission denied" (cygwin-1.7)
- From: Corinna Vinschen <corinna-cygwin at cygwin dot com>
- To: cygwin at cygwin dot com
- Date: Thu, 13 Nov 2008 11:35:43 +0100
- Subject: Re: sshd on vista error "initgroups: Permission denied" (cygwin-1.7)
- References: <firstname.lastname@example.org> <email@example.com>
- Reply-to: cygwin at cygwin dot com
On Nov 12 16:57, Herb Maeder wrote:
> On 10 Nov 2008 15:48:15 +0100, Corinna Vinschen wrote:
> Am I correct in assuming that you would need to have access to an account
> with Domain Administrator privileges in order to allow multiple domain
> users to ssh into a 1.7 vista machine?
I'm not quite sure about this. I don't claim to understand all the does
and dont's of Windows domains either.
However, I have a working result by creating a domain account with the
required permissions called cyg_server, then create a cyg_server entry
in passwd using mkpasswd, then start ssh-host-coonfig.
> And if you don't have access to such an account, the best you can do is
> fire up sshd as yourself (or perhaps one sshd per user on different ports)?
> I'm guessing that will allow you and local users to ssh in (assuming your
> domain account has local administrator access).
> Looking ahead, I suspect that this combo (sshd + 1.7 + vista + domain user)
> will be pretty common. Is there a plan for steering users in the right
> direction during the setup of sshd, or maybe giving a more descriptive
> error message?
The ssh-host-config script only covers the simpler approaches for home
users. Right now, a professional administrator for a Windows domain
will have to know a bit, or ask here.
Ideally, somebody would take a heart and
- Add more code to ssh-host-config to allow more smooth operations
in a domain environment.
- Add to the documentation to explain the problems.
But right now that won't be me.
> > 1. Yes, ssh-host-config has to be run elevated, as with all applications
> > requiring actual admin privileges. There's no way to elevate a child
> > process running in the same console window. Microsoft tweaked the
> > ShellExecute() call in shell32.dll heavily to allow the UAC stuff,
> > but neglected to allow applications using the CreateProcess() call to
> > do the same. ShellExecute is not an option to use in Cygwin processes.
> Bum deal. But thanks for the explanation. That clarifies what I was
Actually there is a way to elevate a console application which is the
manifest file. Unfortunately this only works for executables, not for
I didn't try it myself, but maybe something like this works:
$ cd /bin
$ cp bash.exe bash-elevated.exe
$ sed 's/nstall\.exe/bash-elevated.exe/g' < install.exe > bash-elevated.exe.manifest
$ sed '1s/bash/bash-elevated/' < ssh-host-config > ssh-host-config-elevated
Sometimes adding a manifest file to an executable doesn't work immediately
due to some cashing in Windows but basically this should work.
Corinna Vinschen Please, send mails regarding Cygwin to
Cygwin Project Co-Leader cygwin AT cygwin DOT com
Unsubscribe info: http://cygwin.com/ml/#unsubscribe-simple
Problem reports: http://cygwin.com/problems.html