SSHD, Cygwin and Windows 2003 : continued with user rights

Olivier ALLART olivier.allart@speeq.com
Wed Sep 17 23:18:00 GMT 2003 

Larry Hall wrote:

>Hm, I thought I was clear.  Let me try again addressing iisreset
>specifically.
>
>iisreset doesn't work in the scenario you described because it's a Microsoft tool which knows nothing of the Cygwin environment.  Cygwin's ssh using 
>pubkey authentication doesn't authenticate the user with Windows.  So if
>you need certain credentials to perform some operation in Windows, pubkey
>authentication won't provide them.  
>
Ok. I tought ssh offered some mechanism trough cygwin to authenticate as 
if under windows ..
That means the 'administrator' account via ssh pubkey is not 
'administrator' then ..

>If you need to run iisreset through ssh,
>you will need to use password authentication, which takes the password for 
>the user 'administrator' and authenticates for Windows with it.  You should
>then be able to use iisreset (if authentication is really the only thing
>getting in the way with pubkey).
>
yes it is, since it is working with ssh connection (using password on 
login) when sshd runs under 'local system'

>I don't know what are the "*some commands*" you're speaking of, but if they 
>are Cygwin utilities, then I think the answer is obvious.  If they are not 
>Cygwin utilities, then I would have to say that they don't require special 
>privileges to run.  This is actually true for most utilities.  But if this 
>is still confusing for you, you'll have to provide specifics.  However, I 
>think you'll find that it's likely that anything that works for you in ssh 
>using pubkey authentication falls into one of the two groups of utilities I 
>mentioned.
>
and you are probably right.
other commands are for example 'wlbs' (or nlb).
My problem is : I want to execute some remote (but encrypted) commands 
using both wlbs and iisreset.
wlbs works fine from remote, but so is not for IISreset.
I thought authentication using ssh and public key would allow me to 
perform the iisreset command..
But from what you explained; it is clear that whatever user logs in with 
pubkey, it won't be considered as 'administrator'
It looks like iisreset can only be performed *locally* by *local 
administrator*, which is dumb in the situation where you are from 
remote. Only other remote control would be 'telnet' but hey, ms telnet 
can't pertform remote commands.

Last question; if I provided a pubkey in the 'administrator' (cygwin) 
environment, who am I for windows ?

Thank you very much.
Next I guess I'll go look for some tip on how to unlock iisreset so it 
can be used by whatever admin and not just local ..

>
>HTH,
>
>Larry
>
>
>At 02:56 PM 9/17/2003, Olivier ALLART you wrote:
>
>  
>
>>Thank you for the details, but then, why *some commands* work and not others ?
>>And more specifically, how can I make *this command* work ?
>>
>>
>>Larry Hall wrote:
>>
>>    
>>
>>>I think you missed the fact that pubkey authentication does impersonation,
>>>not Windows-style authentication.  So Windows apps won't recognize the pubkey
>>>authentication as providing permissions to run restricted programs.  You'll
>>>have to use password authentication if you want Windows to recognize the
>>>user you've become via ssh.  You can find all sorts of discussion on the difference between pubkey and password authentication for ssh in the email archives if you're interested.
>>>
>>>      
>>>
>>At 12:40 PM 9/17/2003, Olivier ALLART you wrote:
>>
>>    
>>
>>>Following Mark J de Jong 's step by step howto (see end of mail for some add-ons), I can now effectively log in with pkey method (that is, no password) using the 'administrator' user name.
>>>'whoami' returns 'administrator', however asking for a command such as IISRESET returns the error 'you are not a local administrator of this machine...', which means the rights management has failed somewhere.
>>>
>>>      
>>>
>>
>>
>>    
>>
>>>--
>>>Larry Hall                              http://www.rfk.com
>>>RFK Partners, Inc.                      (508) 893-9779 - RFK Office
>>>838 Washington Street                   (508) 893-9889 - FAX
>>>Holliston, MA 01746                     
>>>
>>>
>>>.
>>>
>>>
>>>      
>>>
>>
>>--
>>Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple
>>Problem reports:       http://cygwin.com/problems.html
>>Documentation:         http://cygwin.com/docs.html
>>FAQ:                   http://cygwin.com/faq/
>>    
>>
>
>
>--
>Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple
>Problem reports:       http://cygwin.com/problems.html
>Documentation:         http://cygwin.com/docs.html
>FAQ:                   http://cygwin.com/faq/
>
>
>.
>
>  
>



--
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple
Problem reports:       http://cygwin.com/problems.html
Documentation:         http://cygwin.com/docs.html
FAQ:                   http://cygwin.com/faq/

More information about the Cygwin mailing list