Re: cygwin 3.0.1-1 breaks my sshd install

On Feb 20 23:43, Corinna Vinschen wrote:
> On Feb 20 23:36, Corinna Vinschen wrote:
> > On Feb 20 22:49, Houder wrote:
> > > On Wed, 20 Feb 2019 21:27:22, Andy Moreton  wrote:
> > > 
> > > > I've seen a similar failure, on a domain-joined Windows 10 box running
> > > > cygsshd using a local cyg_server user account. I've fixed it by:
> > > > 1) Open the "Computer Management" app
> > > >    Select "Services and Applications", then "Services", and
> > > >    choose the cygsshd service from the list.
> > > > 2) Stop the service
> > > > 3) Select the "Log On" tab, choose "Local System Account" and click OK.
> > > > 4) Restart the service.
> > > > 
> > > > This changed the account reported by "cygrunsrv -VQ" from "./cyg_server"
> > > > to "LocalSystem".
> > > 
> > > 64-@@ uname -a
> > > CYGWIN_NT-6.1 Seven 3.0.1(0.338/5/3) 2019-02-20 10:19 x86_64 Cygwin
> > > 
> > > First I replaced cygwin1.dll again w/ the last version, as you can see ...
> > > 
> > > Then I carried out your instruction ...
> > > 
> > > To my surprise it did the trick! Thank you!
> > > 
> > > Perhaps Corinna can give a hint of why the modification made the difference.
> > 
> > Actually, I can't.  I'm surprised, too, because it still runs
> > fine for me under the cyg_server account.
> 
> Actually, maybe I can.  On second thought there's a quite high
> probability that the AD cyg_server account I've been using for 10 years
> or longer does not have the same privileges as a cyg_server account
> created via the ssh-host-config script.  Maybe it works for me because
> of the extra permissions the account got during years of playing
> around with it.
> 
> I guess I have to create another, local cyg_server account via
> ssh-host-config and try the same with that account.
> 
> Not having much time tomorrow, but at least on Friday I should
> be able to test this.

I managed it today already but I'm somewhat stumped.

I ran ssh-host-config and let the script install a new local account
"test_server" to use for the sshd service.  I started the service and
tried to log in with a local account and it just worked out of the box.

However, when I tried to log on with a domain account, S4U failed since
the local account didn't have enough permissions or so.  The call to
LsaLogonUser failed with STATUS_NOT_SUPPORTED.  So with S4U sshd needs
to run under SYSTEM or a privileged domain account to allow domain
accounts to log in.

But from my POV S4U is the way to go.  I'm still a bit proud that I
managed to figure the "Create user token from scratch" method out back
in 2001, but I think it's really outdated now and should not be used
anymore.  I'd hate having to enable it again generally.


Corinna

-- 
Corinna Vinschen
Cygwin Maintainer
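The thread turns on which account cygsshd logs on as and which privileges that account holds. The following PowerShell check is an added example, not code from the thread or from Cygwin: it reports the service's logon account (what "cygrunsrv -VQ" shows) and, for a non-LocalSystem account, whether it holds a set of user rights. The service name "cygsshd" and the privilege list are my assumptions for illustration, not something the thread states.

```powershell
# Added example (not from the thread): report the cygsshd logon account and
# check a set of user rights for it. Run from an elevated PowerShell.
param([string]$ServiceName = 'cygsshd')

$svc = Get-CimInstance Win32_Service -Filter "Name='$ServiceName'"
if (-not $svc) { throw "Service '$ServiceName' not found" }
"Service $($svc.Name) runs as: $($svc.StartName) (state: $($svc.State))"

# The workaround in the thread switches the service to LocalSystem;
# nothing further to check in that case.
if ($svc.StartName -eq 'LocalSystem') { return }

# cygrunsrv reports a local account as ".\name"; resolve it to a SID,
# which is how secedit lists holders of a right.
$acct = $svc.StartName -replace '^\.\\', "$env:COMPUTERNAME\"
$sid  = (New-Object System.Security.Principal.NTAccount($acct)).Translate(
            [System.Security.Principal.SecurityIdentifier]).Value

# Export the local user-rights assignment and parse "SeXxx = *SID,*SID" lines.
$tmp = Join-Path $env:TEMP 'cygsshd-rights.inf'
secedit /export /cfg $tmp /areas USER_RIGHTS | Out-Null
$rights = Get-Content $tmp | Where-Object { $_ -match '^Se\w+ = ' } | ForEach-Object {
    $name, $list = $_ -split ' = ', 2
    [pscustomobject]@{ Right = $name; Holders = ($list -split ',') -replace '^\*', '' }
}
Remove-Item $tmp -ErrorAction SilentlyContinue

# Rights to check for a dedicated sshd service account (assumed list for
# illustration; adjust to what your ssh-host-config version grants).
$needed = 'SeAssignPrimaryTokenPrivilege', 'SeCreateTokenPrivilege',
          'SeTcbPrivilege', 'SeServiceLogonRight', 'SeIncreaseQuotaPrivilege'
foreach ($r in $needed) {
    $entry = $rights | Where-Object Right -eq $r
    $has = $entry -and ($entry.Holders -contains $sid)
    "{0,-32} {1}" -f $r, $(if ($has) { 'granted' } else { 'MISSING' })
}
```

A "MISSING" line does not by itself mean domain logons will fail; as the message above notes, S4U for domain accounts needed SYSTEM or a privileged domain account even though local logons worked.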
