This is the mail archive of the cygwin mailing list for the Cygwin project.



Re: ssh password-less cmds to Windows 2003 don't return any output


On Jun 21 08:29, Andrew DeFaria wrote:
> The change is necessary since W2K3 tightened up security and permissions 
> on the Local System Account such that sshd would not be able to switch 
> user if it used that account. Instead it offers to create a new account 
> called sshd_server and bestow on it the required rights to switch user. 
> (I've been wondering why not bestow those rights directly to the Local 
> System Account? I mean it had them before... Obviously a security 
> decision, probably a wise one).

You'll be surprised, but on 2K3 the SYSTEM account still has all the
rights it has on previous systems.

The sad fact on 2K3 is that the SYSTEM account has the
SeCreateTokenName privilege revoked *unconditionally* as soon as a
service is running under that account.  Unfortunately this is the
privilege necessary to allow password-less logins.

Whatever you do to the SYSTEM account, you'll not have the
SeCreateTokenName privilege in any service started under this account.
This is a Microsoft design decision to raise security.  Alas, the cygwin
mailing list is not the right place to discuss the sense or nonsense of
this decision...


Corinna

-- 
Corinna Vinschen                  Please, send mails regarding Cygwin to
Cygwin Project Co-Leader          cygwin AT cygwin DOT com
Red Hat
