This is the mail archive of the cygwin@cygwin.com mailing list for the Cygwin project.


Index Nav: [Date Index] [Subject Index] [Author Index] [Thread Index]
Message Nav: [Date Prev] [Date Next] [Thread Prev] [Thread Next]
Other format: [Raw text]

Re: Administrator lacking super-user privileges on cygwin installation


Larry,

I realized after my post that what I said about SYSTEM was wrong.  I was
thinking of the files under /etc as you guessed.  It's difficult to figure
out what might be wrong here without some more info from Myk.  It is
possible that he ran ssh-user-config with nontsec and then changed to ntsec
later.  We would really need to see the output of getfacl on the .ssh
directory and the key files in it to understand what is going on.  It might
also help to know the contents of sshd_config.  I just noticed that I have
StrictModes set to no on my system.  Oops, I'm glad you mentioned that so I
can close that security hole. :)

-Mark

----- Original Message -----
From: "Larry Hall" <cygwin-lh@cygwin.com>
To: "Mark Priest" <mark.priest@cox.net>
Cc: <cygwin@cygwin.com>; "Myk Melez" <myk@aol.net>
Sent: Friday, August 01, 2003 11:26 AM
Subject: Re: Administrator lacking super-user privileges on cygwin
installation


> Mark,
>
> Why do you think that SYSTEM should be the owner of files under
> /home/<some-user>/.ssh?  This would be true if you set up ssh for
> the SYSTEM user but there really little point in that.  Files under
> ~/.ssh should be owned by the user.  These files are created by
> ssh-user-config.
>
> Are you referring to the /etc/ssh* files?  These are created by
> ssh-host-config and are owned by SYSTEM.  However, these aren't the
> files that are causing Myk problems (AFAICS from the information
> provided).
>
> Playing with the $CYGWIN flags sshd uses is an interesting idea.  It's
> possible 'nontsec' might help, although it eliminates the security of the
> private keys so it's not recommended.  I've actually found that the only
> combination of 'ntsec' or 'nontsec' and 'ntea' that makes any difference
> is 'nontsec' and 'ntea'.  With these two options, sshd won't event start
> (Win32 error 1062: The service has not been started.)  But I have
> 'StrictModes' set in my /etc/sshd_config.  Interestingly, just using
> 'nontsec' doesn't cause the service to fail to start.  I must have some
> permission wrong somewhere. ;-)
>
> FWIW, unless Myk has set some very different values for the $CYGWIN
> that 'sshd' uses, I don't think this is an issue.  But it would be
> helpful if Myk posted this information as well, if the goal is to get
> some useful feedback from this list.
>
> Larry
>
> Mark Priest wrote:
>
> > Myk,
> >
> > I assume you are using Openssh?  If you installed Openssh as a Windows
> > service then SYSTEM is the owner of the files, otherwise the owner is
> > whatever user did the installation.  This is, of course, assuming that
you
> > used the ssh-host-config script in /bin.  However, I have installed it
both
> > ways and I have not received the error you are describing.  You might
want
> > to check the value of the CYGWIN environment variable.  By default ntsec
is
> > turned on but if that variable includes "nontsec" or "ntea" then that
might
> > be what is causing your problem.
> >
> > -Mark
> >
> > ----- Original Message -----
> > From: "Larry Hall" <cygwin-lh@cygwin.com>
> > To: "Myk Melez" <myk@aol.net>
> > Cc: <cygwin@cygwin.com>
> > Sent: Thursday, July 31, 2003 9:40 PM
> > Subject: Re: Administrator lacking super-user privileges on cygwin
> > installation
> >
> >
> >
> >>Myk Melez wrote:
> >>
> >>
> >>>I have two machines with what look like identical cygwin installations
> >>>on them, but the Administrator account on one of them doesn't have
> >>>super-user privileges.  This causes sshd not to have access to
> >>>/home/some-user/.ssh (which is restricted to only "some-user") and thus
> >>>prevents key-based authentication.  Regular password-based
> >>>authentication works, so the problem isn't sshd itself.  Logging in as
> >>>the Administrator and doing "ls /home/some-user/.ssh/*" gives me a
> >>>"permission denied" error, which also confirms that the problem is with
> >>>the permissions of the Administrator account and not sshd.
> >>>
> >>>The Administrator NT accounts (and Administrators NT groups) seem
> >>>identical on the two machines, as are permissions for the C:\cygwin
> >>>directory.  Both systems had old cygwin installations on them that we
> >>>blew away before installing the latest.  What am I missing?
> >>
> >>
> >>1. SYSTEM is the account that sshd runs as, not administrator.  It's
> >>    the only default account that has permissions to switch user
contexts
> >>    without authenticating the new user through Windows password
mechanism
> >>    (for NT/W2K/XP).
> >>
> >>2. Only the owner of the private key files in .ssh should have
permissions
> >>    to access these files.  Public key files should be readable by
anyone.
> >>    You'll want to check the permissions on these files relative to the
> >>    above.
> >>
> >>3. Generally, you should read <http://cygwin.com/problems.html>.
> >>
> >>
> >>
> >>--
> >>Larry Hall                              http://www.rfk.com
> >>RFK Partners, Inc.                      (508) 893-9779 - RFK Office
> >>838 Washington Street                   (508) 893-9889 - FAX
> >>Holliston, MA 01746
>
>



--
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple
Problem reports:       http://cygwin.com/problems.html
Documentation:         http://cygwin.com/docs.html
FAQ:                   http://cygwin.com/faq/


Index Nav: [Date Index] [Subject Index] [Author Index] [Thread Index]
Message Nav: [Date Prev] [Date Next] [Thread Prev] [Thread Next]