This is the mail archive of the cygwin mailing list for the Cygwin project.



Followup re: ssh error


Hello,

I just joined the list because I am having the same or similar problems that Andrew DeFaria reported on 6/2:

http://www.mail-archive.com/cygwin@cygwin.com/msg109042.html

I've read some other posts in the archive that suggest this might be a 1.7.x specific issue, but I also found the following post from 2008, with cygwin 1.5.25:

http://www.mail-archive.com/cygwin@cygwin.com/msg89149.html

In my case, I've been able to work around this issue by running sshd as LocalSystem and storing the user password in the LSA private registry area ('option 3' from http://cygwin.com/cygwin-ug-net/ntsec.html#ntsec-setuid-overview). I was never able to get PKI working for all use cases using an NT service running as a privileged user (local or domain). See below.

Some background of what I've tried:

After running ssh-host-config (letting it create a privileged user to run sshd), making a /etc/passwd entry for a domain user and copying public keys into its authorized_keys file, I was able to log in using public key auth, but ONLY if I used ssh for an interactive login. If I tried to ssh <command> or scp instead, I always got some form of the following error:

   4 [main] sshd 4404 C:\cygwin\usr\sbin\sshd.exe: *** fatal error - could not load user32, Win32 error 1114

This happened with any non-interactive login from Linux -> 2003, Linux -> 2003R2, Linux -> 2000, 2003 -> 2003R2 and 2000 -> 2003R2. All the Windows hosts are 32-bit and are joined to a single domain. I believe this is the same problem Andrew reported with his 'seacase' machine in his post on 6/2.

I tried making my user an administrator on the machine, using a local user to log in instead of a domain user, using a domain cyg_server privileged account instead of a local one, etc., based on what I've seen suggested in the archives. In all cases, I get the above error when using PKI for ssh <command> or scp.

HOWEVER, when I started a cygwin shell as the cyg_server user and ran sshd in the foreground from the shell, I was able to ssh, ssh <command> and scp using PKI without error, using both the domain and the local cyg_server accounts. So at least in my case, with my testing, I was only seeing the above error when running sshd as a service using these accounts.

As mentioned at the top of my mail, at this point I think I am going to run sshd as LocalSystem and use cygserver/stored passwords for this project. 

Questions:

1. Is there any reason why sshd run as a service via cygrunsrv as a privileged user would behave any differently than sshd run in a shell as that same user?

2. Based on the setuid overview it looks like running sshd as LocalSystem with cygserver and stored passwords should be identical to running sshd as a privileged domain account for the purposes of both PKI and privilege separation. Is this correct?

3. In my case, the ssh users are all being used for automated processes and do not have high privileges on the domain. Are there any big problems with using cygserver and stored passwords vs. using a privileged domain account in this situation? Stored passwords seem like a much safer option. Am I being naive here? 

Thanks,

-Will

--
Will Saxon
Sage Software Healthcare
William.Saxon@sage.com
www.sagehealth.com

--
Problem reports:       http://cygwin.com/problems.html
FAQ:                   http://cygwin.com/faq/
Documentation:         http://cygwin.com/docs.html
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple
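The workaround Will describes (sshd installed as a service running as LocalSystem, the automation account's password stored in the LSA private registry with `passwd -R`, and public-key login via authorized_keys) scripted as an added example. This is not code from the post or from the Cygwin project. It assumes an administrator's Cygwin shell with openssh, cygrunsrv and cygserver installed; the user name, key file path and home directory are placeholders, `mkpasswd -d -u` is assumed to resolve the account in the current domain, and `passwd -R` and `cygserver-config` prompt interactively. The `authorized_keys_ok` check runs on any POSIX system and mirrors what sshd's StrictModes refuses (group/other-writable or foreign-owned home, ~/.ssh or authorized_keys), so it can be used to rule out a permissions problem before testing ssh <command> or scp.

```shell
#!/bin/sh
# Added example, not from the original mail or the Cygwin project.
# Sets up Cygwin sshd the way the mail describes: service runs as
# LocalSystem (cygrunsrv -I with no -u), the automation account's password
# is stored in the LSA private registry (passwd -R, 'option 3' of the
# ntsec setuid overview), and public-key login is set up and checked.
# Assumptions: administrator Cygwin shell; openssh, cygrunsrv and cygserver
# installed; USER and KEYFILE are placeholders supplied on the command line.
set -eu

# Octal mode and owner of a path (GNU stat first, BSD stat as a fallback).
file_mode()  { stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"; }
file_owner() { stat -c '%U' "$1" 2>/dev/null || stat -f '%Su' "$1"; }

# sshd with StrictModes (the default) ignores authorized_keys when the home
# directory, ~/.ssh or the key file is writable by group/others or is owned
# by someone else. Returns 0 when the layout is acceptable, 1 otherwise.
authorized_keys_ok() {
    home="$1"; owner="$2"
    [ -d "$home/.ssh" ] && [ -f "$home/.ssh/authorized_keys" ] || return 1
    for p in "$home" "$home/.ssh" "$home/.ssh/authorized_keys"; do
        [ "$(file_owner "$p")" = "$owner" ] || return 1
        mode=$(( 0$(file_mode "$p") ))           # octal string -> integer
        [ $(( mode & 022 )) -eq 0 ] || return 1  # group/other write bits set
    done
    return 0
}

# ---- Cygwin-specific part; only runs as `sh setup-sshd.sh install USER KEYFILE`

# 1. /etc/passwd entry for the domain account (assumed: current domain),
#    then its home directory and public key with the modes sshd requires.
add_domain_user() {
    user="$1"; pubkey="$2"
    entry=$(mkpasswd -d -u "$user")
    [ -n "$entry" ] || { echo "no such domain user: $user" >&2; return 1; }
    name=${entry%%:*}                                   # name as Cygwin spells it
    home=$(printf '%s\n' "$entry" | cut -d: -f6)
    grep -q "^$name:" /etc/passwd || printf '%s\n' "$entry" >> /etc/passwd
    mkdir -p "$home/.ssh"
    cat "$pubkey" >> "$home/.ssh/authorized_keys"
    chown -R "$name" "$home"
    chmod 700 "$home" "$home/.ssh"
    chmod 600 "$home/.ssh/authorized_keys"
    authorized_keys_ok "$home" "$name"
}

# 2. Store the account's password in the LSA private registry area so that
#    sshd running as LocalSystem can switch to this user with a real logon.
#    passwd -R prompts for the password.
store_password() { passwd -R "$1"; }

# 3. Reinstall the sshd service without -u, i.e. as LocalSystem, and make
#    sure cygserver is configured and running. -a "-D" keeps sshd in the
#    foreground for cygrunsrv, as ssh-host-config does.
install_sshd_localsystem() {
    if cygrunsrv -Q sshd >/dev/null 2>&1; then
        cygrunsrv -E sshd 2>/dev/null || true   # already stopped is fine
        cygrunsrv -R sshd
    fi
    cygrunsrv -I sshd -d "CYGWIN sshd" -p /usr/sbin/sshd -a "-D" -y tcpip
    cygrunsrv -Q cygserver >/dev/null 2>&1 || cygserver-config   # interactive
    cygrunsrv -S cygserver 2>/dev/null || true  # already running is fine
    cygrunsrv -S sshd
}

case "${1-}" in
    install)
        add_domain_user "${2:?USER}" "${3:?KEYFILE}"
        store_password "$2"
        install_sshd_localsystem
        ;;
esac
```

Run it as `sh setup-sshd.sh install USER /path/to/id_rsa.pub` from an elevated Cygwin shell; with no arguments it only defines the functions, so `authorized_keys_ok /home/USER USER` can be sourced and used on its own to check a home directory that was set up by hand.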

