SSHD, Cygwin and Windows 2003 : continued with user rights

Karl M karlm30@hotmail.com
Thu Sep 18 14:39:00 GMT 2003


Hi All...

Quite a while ago (12 to 18 months?) before Cygwin OpenSSH could impersonate 
a user, there was some experimental activity in OpenSSH to allow multiple 
authentication methods. There was a patch to add this on the OpenSSH 
archives.

I experimented with this to require public key followed by password 
authentication. This got me the security of a public key authentication and 
also got me a password to change user ID. When Cygwin added the impersonate 
user ability, I dropped this activity.

...Karl


>From: Olivier ALLART <olivier.allart@speeq.com>
>To: Cygwin List <cygwin@cygwin.com>
>Subject: Re: SSHD, Cygwin and Windows 2003 : continued with user rights
>Date: Thu, 18 Sep 2003 01:22:48 +0200
>
>Larry Hall wrote:
>
>>Hm, I thought I was clear.  Let me try again addressing iisreset
>>specifically.
>>
>>iisreset doesn't work in the scenario you described because it's a
>>Microsoft tool which knows nothing of the Cygwin environment.  Cygwin's
>>ssh using pubkey authentication doesn't authenticate the user with
>>Windows.  So if you need certain credentials to perform some operation
>>in Windows, pubkey authentication won't provide them.
>>
>Ok. I thought ssh offered some mechanism through cygwin to authenticate as if 
>under windows ..
>That means the 'administrator' account via ssh pubkey is not 
>'administrator' then ..
>
>>If you need to run iisreset through ssh, you will need to use password
>>authentication, which takes the password for the user 'administrator'
>>and authenticates for Windows with it.  You should then be able to use
>>iisreset (if authentication is really the only thing getting in the way
>>with pubkey).
>>
>yes it is, since it is working with ssh connection (using password on 
>login) when sshd runs under 'local system'
>
>>I don't know what are the "*some commands*" you're speaking of, but if 
>>they are Cygwin utilities, then I think the answer is obvious.  If they 
>>are not Cygwin utilities, then I would have to say that they don't require 
>>special privileges to run.  This is actually true for most utilities.  But 
>>if this is still confusing for you, you'll have to provide specifics.  
>>However, I think you'll find that it's likely that anything that works for 
>>you in ssh using pubkey authentication falls into one of the two groups of 
>>utilities I mentioned.
>>
>and you are probably right.
>other commands are for example 'wlbs' (or nlb).
>My problem is : I want to execute some remote (but encrypted) commands 
>using both wlbs and iisreset.
>wlbs works fine from remote, but that is not so for IISreset.
>I thought authentication using ssh and public key would allow me to perform 
>the iisreset command..
>But from what you explained; it is clear that whatever user logs in with 
>pubkey, it won't be considered as 'administrator'
>It looks like iisreset can only be performed *locally* by *local 
>administrator*, which is dumb in the situation where you are from remote. 
>Only other remote control would be 'telnet' but hey, ms telnet can't 
>perform remote commands.
>
>Last question; if I provided a pubkey in the 'administrator' (cygwin) 
>environment, who am I for windows ?
>
>Thank you very much.
>Next I guess I'll go look for some tip on how to unlock iisreset so it can 
>be used by whatever admin and not just local ..
>
>>
>>HTH,
>>
>>Larry
>>
>>
>>At 02:56 PM 9/17/2003, Olivier ALLART you wrote:
>>
>>
>>
>>>Thank you for the details, but then, why *some commands* work and not 
>>>others ?
>>>And more specifically, how can I make *this command* work ?
>>>
>>>
>>>Larry Hall wrote:
>>>
>>>
>>>
>>>>I think you missed the fact that pubkey authentication does
>>>>impersonation, not Windows-style authentication.  So Windows apps won't
>>>>recognize the pubkey authentication as providing permissions to run
>>>>restricted programs.  You'll have to use password authentication if you
>>>>want Windows to recognize the user you've become via ssh.  You can find
>>>>all sorts of discussion on the difference between pubkey and password
>>>>authentication for ssh in the email archives if you're interested.
>>>>
>>>>
>>>>
>>>At 12:40 PM 9/17/2003, Olivier ALLART you wrote:
>>>
>>>
>>>
>>>>Following Mark J de Jong 's step by step howto (see end of mail for some 
>>>>add-ons), I can now effectively log in with pkey method (that is, no 
>>>>password) using the 'administrator' user name.
>>>>'whoami' returns 'administrator', however asking for a command such as 
>>>>IISRESET returns the error 'you are not a local administrator of this 
>>>>machine...', which means the rights management has failed somewhere.
>>>>
>>>>
>>>>
>>>
>>>
>>>
>>>
>>>>--
>>>>Larry Hall                              http://www.rfk.com
>>>>RFK Partners, Inc.                      (508) 893-9779 - RFK Office
>>>>838 Washington Street                   (508) 893-9889 - FAX
>>>>Holliston, MA 01746
>>>>
>>>--
>>>Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple
>>>Problem reports:       http://cygwin.com/problems.html
>>>Documentation:         http://cygwin.com/docs.html
>>>FAQ:                   http://cygwin.com/faq/
>>>
