This is the mail archive of the cygwin mailing list for the Cygwin project.



Re: 1.7.1: problem with public key authentication on domain accounts


On 01/04/2010 08:29 PM, Thomas Nisbach wrote:
Larry Hall (Cygwin) <reply-to-list-only-lh<at>cygwin.com> writes:


On 01/04/2010 06:18 PM, Thomas Nisbach wrote:
Bob Burger <burgerrg<at>gmail.com> writes:
....
Any ideas?

Are you using LSA? Have you read the security sections of the Users Guide? <http://cygwin.com/cygwin-ug-net/ntsec.html#ntsec-setuid-overview>


I just read a lot in the guide, since it was hardly recommended before updating to 1.7.1-1. After reading the security section I am quite sure I never ran cyglsa-config (/bin/cyglsa also does not exist).

There's probably very little reason to not go the "cyglsa" route, other than
the fact that ssh-host-config doesn't configure 'sshd' to use it. ;-) It might even
be the panacea for all those who are used to running 'sshd' on Linux where
special permissions aren't necessary and it's common to run it as 'root'
(Administrator in Windows is the pseudo equivalent) from a command line,
at least for debugging. This has caused many a problem for these people
on Cygwin because you cannot do this and easily get it to work afterward.
You're in this boat. You either need to start over from scratch (i.e. remove
Cygwin and install again) or you need to go through 'ssh-host-config' and make
sure your permissions/ownerships are set the way it would set them.


PS: I stopped Google Desktop (known as application from BLODA list), but this
was not the problem.

BLODA is often not removed from having an effect without uninstalling the offending package. I can't say whether that's a requirement for Google Desktop however.

There was a thread at Google
(http://groups.google.com/group/Google-Desktop_Something-Broken/browse_thread/thread/0dabf807fbdf2d7f)
I participated. We found, that in Google Desktop v5.8 the additional preloading
of DLLs into any app's memory corrupted cygrunsrv (probably at fork()).
Stopping GD and renaming the regkey
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs
was enough to make cygrunsrv/sshd running - no
deinstallation/reboot was necessary. This was exactly what I've done this
time - even I now run GD v5.9, which operated fine with cygrunsrv/sshd until I
updated to CYGWIN v1.7.1.

Yep, that's fine. Removing the DLL injection is enough here. Deinstallation gets you that by default but isn't a requirement.

Additionally I found a problem with /var/empty permissions when using SSH
privilege separation (also worked before). Even when I chmod 711 /var/empty,
create a 'root' user and chown root:root /var/empty I get '/var/empty must be
owned by root and not group or world-writable'. I entertain suspicion that
there happened something stupid with the filesystem permissions for processes
running as SYSTEM and/or background process...

See the comments I made above about "cyglsa" and 'root'. In this case, 'root',
or its relative Windows equivalent, 'Administrators', is not what you want. 'SYSTEM'
is what you want (on XP, cygserver is what you want for later Windows versions).



--
Larry Hall                              http://www.rfk.com
RFK Partners, Inc.                      (508) 893-9779 - RFK Office
216 Dalton Rd.                          (508) 893-9889 - FAX
Holliston, MA  01746

_____________________________________________________________________

A: Yes.
> Q: Are you sure?
>> A: Because it reverses the logical flow of conversation.
>>> Q: Why is top posting annoying in email?

--
Problem reports:       http://cygwin.com/problems.html
FAQ:                   http://cygwin.com/faq/
Documentation:         http://cygwin.com/docs.html
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple
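
Added example, not part of the original message: a shell check for the two conditions named in the '/var/empty must be owned by root and not group or world-writable' error discussed in the thread. The helper name `check_privsep_dir` is hypothetical, the expected owner is whatever account the caller says the sshd service runs as, and GNU `stat -c` is assumed.

```shell
#!/bin/sh
# Added example (not from the thread): check a privilege-separation directory
# against the rule in sshd's error message: owned by the expected account and
# not group- or world-writable. check_privsep_dir is a hypothetical helper name.
# Assumes GNU coreutils stat (the "stat -c" form).
check_privsep_dir() {
    dir=$1          # directory to audit, e.g. /var/empty
    want_owner=$2   # account the sshd service runs as (supplied by the caller)
    problems=0

    if [ ! -d "$dir" ]; then
        echo "FAIL: $dir does not exist or is not a directory"
        return 1
    fi

    owner=$(stat -c '%U' "$dir")    # owner name as the filesystem reports it
    mode=$(stat -c '%a' "$dir")     # octal permission bits, e.g. 711

    if [ "$owner" != "$want_owner" ]; then
        echo "FAIL: $dir is owned by '$owner', expected '$want_owner'"
        problems=$((problems + 1))
    fi

    # 022 masks the group-write and other-write bits.
    if [ $(( 0$mode & 022 )) -ne 0 ]; then
        echo "FAIL: $dir has mode $mode (group- or world-writable)"
        problems=$((problems + 1))
    fi

    [ "$problems" -eq 0 ] && echo "OK: $dir owner=$owner mode=$mode"
    [ "$problems" -eq 0 ]
}

# Constructed demo on a scratch directory (not the real /var/empty).
demo=$(mktemp -d) && chmod 711 "$demo"
check_privsep_dir "$demo" "$(stat -c '%U' "$demo")" || true
rmdir "$demo"
```

Run against the real directory as `check_privsep_dir /var/empty <service-account>`, where the account name is the one the sshd service is installed under.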

