ssh login no longer allowed by local accounts other than main administrator account after taking machine off domain

Yuki Ishibashi yuki.ishibashi@temboo.com
Wed Aug 7 16:55:00 GMT 2013


I wanted to thank Larry Hall again (and Linda also for her original post).

The suggestions you had, Larry, were helpful; they gave me an idea for
what to do. The suggestions to change the profile and the shell
didn't actually fix the issue, but based on your recommendation to use
ssh-host-config, I decided to completely remove any references to
sshd and cyg_server in the Windows users and in mkpasswd, remove the
"CYGWIN sshd" service, and run ssh-host-config over again, having it
create from scratch those users / accounts / permissions, and that's
what ultimately ended up working.

I followed the defaults from the following link to set up ssh using
ssh-host-config:
http://www.howtogeek.com/howto/41560/how-to-get-ssh-command-line-access-to-windows-7-using-cygwin/

Once I went through ssh-host-config again and recreated all of the
accounts / permissions, ssh worked properly again.

I would like to thank the cygwin mailing list people; I appreciate the
generous response and encouragement you have given, and will try to
respond to that year-old Marco post if he's still having problems....

Thanks all!



From: "Larry Hall (Cygwin)" <reply-to-list-only-lh at cygwin dot com>
To: cygwin at cygwin dot com
Date: Wed, 07 Aug 2013 00:00:14 -0400
Subject: Re: ssh login no longer allowed by local accounts other than
main administrator account after taking machine off domain
References: <CABSJGg3HywZZrXNfQHmivJOH0GrySZSBxA95XyjPmcngF6EHFA at
mail dot gmail dot com>
Reply-to: cygwin at cygwin dot com

On 8/6/2013 6:50 PM, Yuki Ishibashi wrote:

> (Sorry if this goes to the wrong place, I'm a little unfamiliar with the
> cygwin mailing list and its usage.)
>
> I wanted to thank Linda and Larry both for their responses to my
> original post on Aug 2nd.
>
> Linda: Process Monitor was a helpful suggestion; however, there are, as
> you have said, probably far too many system process messages, and even
> trying to filter for what I wanted has proved not helpful....
>
> Larry: I did have the new users have ownership of their own /home/user
> folders...

What about the files and dot files underneath?  Like I said, I suspect
that scripts that are being run as part of the login are actually the
cause of the "permission denied" message.  You need to look at what those
scripts are and what they are running.  You may find that changing your
shell to '/bin/sh' in your '/etc/passwd' file may help avoid the problem
by skipping some of these init scripts.  A different alternative is to try
adding 'set -x' to '/etc/profile'.  This will spit out every line of
every script run on login, which should help you localize where the
"permission denied" message comes from.

> also /bin/bash.exe has 755 access, with user:old_admin group:Domain Users.

Expected, but you might as well change the group ownership to 513 (None).
You could also change the user to something that exists on the local
system.  In my case, it's my user since I'm the one that installed
Cygwin in the first place. :-)

> The problem looks most similar to what the user marco atzeri posted here:
> http://comments.gmane.org/gmane.os.cygwin/134144
> (unfortunately there was no resolution)
>
> Perhaps what might help me is:
> a) what are the standard permissions *supposed* to be on everything on
> the cygwin terminal-side (i.e. 'ls -l /etc/*', etc),

In general, things will default to be owned by the user that installed
them and group 513 for a local user and 10513 for a domain user.
Permissions are the most critical though.  Those tend to default to
644 or 755, depending on whether the file is meant to be executable
or not.  But there are programs, like sshd, that require specific
ownership and permissions to work properly.  As I mentioned, ssh-host-config
takes care of setting these permissions and ownerships but you may need to
review the settings by hand as I'm not sure if the script will change
ownerships/permissions of all the files it requires from a domain setup
to a local one.

> b) what account should the "CYGWIN sshd" service be running as on the
> Windows side

Depends what version of Windows you're running (did you say?)  For XP it
defaults to SYSTEM.  On any later O/S, it should be cyg_server.  Again,
ssh-host-config will handle this for you.

> c) what group should local users be in (i.e. 'mkpasswd -l' and
> 'mkgroup -l') - currently the local users are in group 513 (in mkgroup
> -l that's "None"), sounds weird but that's what it was before I took
> it off the domain, and it was working earlier.

513/None is fine.  I'm in 513, 545, and 1001.  I don't believe 1001 is
significant.

> d) Do I need to re-sync the mkpasswd -l with /etc/passwd and mkgroup
> -l with /etc/group ? I had previously appended the newly created local
> accounts (with associated SIDs) to /etc/passwd using something like
> "mkpasswd -l | grep newusername >> etc/passwd" (and something similar
> for the /etc/group)

That should be enough to add 'newusername'.  I assume you mean
'/etc/passwd' above.  If you care to keep the previous contents
of these files, what you did is fine.  Otherwise, just create new
files:

  mkpasswd -l -c >/etc/passwd
  mkgroup -l -c >/etc/group

> I'm running into a brick wall here and not sure how I should approach
> this... any general advice even would be appreciated, thanks so much!

If all else fails or you just get tired of fiddling with the tuning
knobs, move your current installation aside, follow the instructions
in this FAQ - <http://cygwin.com/faq.html#faq.setup.uninstall-all>,
reinstall, and reconfigure sshd (run ssh-host-config).  If that doesn't
solve the permission problems, then you may be in the same boat as
Marco (i.e. BLODA).  You'll have to start looking at the possibilities
there.

--
Larry

--
Problem reports:       http://cygwin.com/problems.html
FAQ:                   http://cygwin.com/faq/
Documentation:         http://cygwin.com/docs.html
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple
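Added example, not code from this thread or from Cygwin's ssh-host-config: a
small bash script for two of the points in Larry's reply above. It merges
`mkpasswd -l` (or `mkgroup -l`) output into an existing /etc/passwd
(/etc/group) without duplicating accounts (his answer to d), and audits
ownership and mode of the files sshd is particular about (his answer to a).
The passwd lines, SIDs, file layout and expected modes are constructed or
assumed for illustration. Cygwin's `stat` is GNU coreutils, so `stat -c`
behaves there as it does on Linux.

```bash
#!/bin/bash
# Added example: not code from this thread, nor from Cygwin's ssh-host-config.
# Two helpers for the situation Larry describes:
#   1. merge `mkpasswd -l` (or `mkgroup -l`) output into an existing
#      /etc/passwd (/etc/group) without creating duplicate entries;
#   2. audit ownership and mode on files sshd is picky about.
# Every path, SID, UID and expected mode below is constructed or assumed
# for illustration; the real values come from your own machine.
set -u

# Print each line of LISTING whose first field (account or group name)
# does not already appear in DBFILE. FILENAME is compared instead of the
# usual NR==FNR trick so that an empty DBFILE is handled correctly.
missing_entries() {
    local listing=$1 dbfile=$2
    awk -F: -v db="$dbfile" \
        'FILENAME == db { have[$1] = 1; next } !($1 in have)' \
        "$dbfile" "$listing"
}

# Append the missing entries to DBFILE. A second run adds nothing.
merge_entries() {
    local listing=$1 dbfile=$2 add
    add=$(missing_entries "$listing" "$dbfile")
    [ -n "$add" ] && printf '%s\n' "$add" >> "$dbfile"
    return 0
}

# Check one file: mode must equal EXPECTED (octal, as `stat -c %a` prints
# it) and, if OWNER is given, the owner must match. Prints each mismatch
# and returns 1 on any problem, 0 if the file is as expected.
check_file() {
    local path=$1 expected=$2 owner=${3:-} mode user rc=0
    [ -e "$path" ] || { echo "MISSING $path"; return 1; }
    mode=$(stat -c '%a' "$path")
    user=$(stat -c '%U' "$path")
    if [ "$mode" != "$expected" ]; then
        echo "MODE    $path is $mode, expected $expected"; rc=1
    fi
    if [ -n "$owner" ] && [ "$user" != "$owner" ]; then
        echo "OWNER   $path is $user, expected $owner"; rc=1
    fi
    return $rc
}

# Read "path mode [owner]" lines on stdin, check each one, and print the
# number of entries that failed (mismatch details go to stderr).
audit_files() {
    local failed=0 path mode owner
    while read -r path mode owner; do
        [ -n "$path" ] || continue
        check_file "$path" "$mode" "$owner" >&2 || failed=$((failed + 1))
    done
    echo "$failed"
}

# Demonstration on constructed data in a scratch directory.
demo() {
    local t me failed
    t=$(mktemp -d); me=$(id -un)

    # Constructed /etc/passwd in Cygwin's format, and a constructed
    # `mkpasswd -l` listing containing one new local account. SIDs are made up.
    cat > "$t/passwd" <<'EOF'
old_admin:unused:1000:513:U-BOX\old_admin,S-1-5-21-111-222-333-1000:/home/old_admin:/bin/bash
EOF
    cat > "$t/mkpasswd.out" <<'EOF'
old_admin:unused:1000:513:U-BOX\old_admin,S-1-5-21-111-222-333-1000:/home/old_admin:/bin/bash
newuser:unused:1001:513:U-BOX\newuser,S-1-5-21-111-222-333-1001:/home/newuser:/bin/bash
EOF
    merge_entries "$t/mkpasswd.out" "$t/passwd"
    merge_entries "$t/mkpasswd.out" "$t/passwd"   # no-op the second time
    echo "passwd now has $(wc -l < "$t/passwd") entries:"; cat "$t/passwd"

    # Constructed sshd layout; the host key is deliberately left world-readable.
    mkdir -p "$t/etc" "$t/home/newuser/.ssh"
    : > "$t/etc/ssh_host_rsa_key"; chmod 644 "$t/etc/ssh_host_rsa_key"
    : > "$t/etc/sshd_config";      chmod 644 "$t/etc/sshd_config"
    chmod 700 "$t/home/newuser/.ssh"
    : > "$t/home/newuser/.ssh/authorized_keys"
    chmod 600 "$t/home/newuser/.ssh/authorized_keys"

    # Expected modes are the usual OpenSSH expectations (an assumption; the
    # thread does not list them). The owner column is whoever should hold the
    # file: the current user here, on a real box the installing user or the
    # service account ssh-host-config created.
    failed=$(printf '%s\n' \
        "$t/etc/ssh_host_rsa_key 600 $me" \
        "$t/etc/sshd_config 644 $me" \
        "$t/home/newuser/.ssh 700 $me" \
        "$t/home/newuser/.ssh/authorized_keys 600 $me" | audit_files)
    echo "$failed file(s) need attention"
    rm -rf "$t"
}

demo
```

Run it as-is to see the scratch-directory demonstration (the deliberately
world-readable host key is the one mismatch it reports). On a real machine,
feed audit_files the paths your own ssh-host-config run created and act on
the MODE/OWNER lines it prints, and try merge_entries against a copy of
/etc/passwd before touching the live file.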