This is the mail archive of the cygwin@cygwin.com mailing list for the Cygwin project.



Re: Administrator lacking super-user privileges on cygwin installation


Mark,

Why do you think that SYSTEM should be the owner of files under
/home/<some-user>/.ssh?  This would be true if you set up ssh for
the SYSTEM user but there's really little point in that.  Files under
~/.ssh should be owned by the user.  These files are created by
ssh-user-config.

Are you referring to the /etc/ssh* files?  These are created by
ssh-host-config and are owned by SYSTEM.  However, these aren't the
files that are causing Myk problems (AFAICS from the information
provided).

Playing with the $CYGWIN flags sshd uses is an interesting idea.  It's
possible 'nontsec' might help, although it eliminates the security of the
private keys so it's not recommended.  I've actually found that the only
combination of 'ntsec' or 'nontsec' and 'ntea' that makes any difference
is 'nontsec' and 'ntea'.  With these two options, sshd won't even start
(Win32 error 1062: The service has not been started.)  But I have
'StrictModes' set in my /etc/sshd_config.  Interestingly, just using
'nontsec' doesn't cause the service to fail to start.  I must have some
permission wrong somewhere. ;-)

FWIW, unless Myk has set some very different values for the $CYGWIN
that 'sshd' uses, I don't think this is an issue.  But it would be
helpful if Myk posted this information as well, if the goal is to get
some useful feedback from this list.

Larry

Mark Priest wrote:

Myk,

I assume you are using Openssh?  If you installed Openssh as a Windows
service then SYSTEM is the owner of the files, otherwise the owner is
whatever user did the installation.  This is, of course, assuming that you
used the ssh-host-config script in /bin.  However, I have installed it both
ways and I have not received the error you are describing.  You might want
to check the value of the CYGWIN environment variable.  By default ntsec is
turned on but if that variable includes "nontsec" or "ntea" then that might
be what is causing your problem.

-Mark

----- Original Message -----
From: "Larry Hall" <cygwin-lh@cygwin.com>
To: "Myk Melez" <myk@aol.net>
Cc: <cygwin@cygwin.com>
Sent: Thursday, July 31, 2003 9:40 PM
Subject: Re: Administrator lacking super-user privileges on cygwin
installation



Myk Melez wrote:


I have two machines with what look like identical cygwin installations
on them, but the Administrator account on one of them doesn't have
super-user privileges.  This causes sshd not to have access to
/home/some-user/.ssh (which is restricted to only "some-user") and thus
prevents key-based authentication.  Regular password-based
authentication works, so the problem isn't sshd itself.  Logging in as
the Administrator and doing "ls /home/some-user/.ssh/*" gives me a
"permission denied" error, which also confirms that the problem is with
the permissions of the Administrator account and not sshd.

The Administrator NT accounts (and Administrators NT groups) seem
identical on the two machines, as are permissions for the C:\cygwin
directory.  Both systems had old cygwin installations on them that we
blew away before installing the latest.  What am I missing?


1. SYSTEM is the account that sshd runs as, not administrator.  It's
   the only default account that has permissions to switch user contexts
   without authenticating the new user through the Windows password mechanism
   (for NT/W2K/XP).

2. Only the owner of the private key files in .ssh should have permissions
   to access these files.  Public key files should be readable by anyone.
   You'll want to check the permissions on these files relative to the
   above.

3. Generally, you should read <http://cygwin.com/problems.html>.



--
Larry Hall                              http://www.rfk.com
RFK Partners, Inc.                      (508) 893-9779 - RFK Office
838 Washington Street                   (508) 893-9889 - FAX
Holliston, MA 01746
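
The ownership and permission rules discussed in this thread can be checked with a short script. This is an added example, not part of the original messages; the function names `perm_bits` and `audit_ssh_dir` are hypothetical, it assumes GNU `stat` (`stat -c`), and it treats the file next to each `NAME.pub` as the private key.

```shell
#!/bin/sh
# Added example: audit a .ssh directory against the rules in the thread.
# Assumes GNU stat (stat -c), as shipped in Cygwin's coreutils.

# perm_bits FILE MASK: print the mode bits of FILE selected by octal MASK.
perm_bits() {
    mode=$(stat -c %a "$1") || return 1
    echo $(( 0$mode & 0$2 ))
}

# audit_ssh_dir DIR [UID]: print one line per finding.
# Returns 0 when nothing is flagged, 1 otherwise.
audit_ssh_dir() {
    dir=$1
    uid=${2:-$(id -u)}
    bad=0
    # The directory must belong to the user and not be group/other writable.
    if [ "$(stat -c %u "$dir")" != "$uid" ]; then
        echo "WRONG_OWNER $dir"; bad=1
    fi
    if [ "$(perm_bits "$dir" 022)" != 0 ]; then
        echo "DIR_WRITABLE $dir"; bad=1
    fi
    for pub in "$dir"/*.pub; do
        [ -e "$pub" ] || continue
        # Public key: readable by anyone.
        if [ "$(perm_bits "$pub" 004)" = 0 ]; then
            echo "PUBLIC_UNREADABLE $pub"; bad=1
        fi
        # Heuristic: the file next to NAME.pub without the suffix is the private key.
        priv=${pub%.pub}
        [ -e "$priv" ] || continue
        if [ "$(stat -c %u "$priv")" != "$uid" ]; then
            echo "WRONG_OWNER $priv"; bad=1
        fi
        # Private key: no access bits at all for group or other.
        if [ "$(perm_bits "$priv" 077)" != 0 ]; then
            echo "PRIVATE_EXPOSED $priv"; bad=1
        fi
    done
    return "$bad"
}

# Run as a script: sh audit_ssh.sh /home/some-user/.ssh [uid]
if [ "$#" -gt 0 ]; then
    audit_ssh_dir "$@"
fi
```

The mode bits are only as meaningful as what Cygwin reports for the files, so run it under the same $CYGWIN settings that sshd uses.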




--
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple
Problem reports:       http://cygwin.com/problems.html
Documentation:         http://cygwin.com/docs.html
FAQ:                   http://cygwin.com/faq/

