This is the mail archive of the cygwin mailing list for the Cygwin project.



Re: sshd on vista error "initgroups: Permission denied" (cygwin-1.7)


On Nov 12 16:57, Herb Maeder wrote:
> On 10 Nov 2008 15:48:15 +0100, Corinna Vinschen wrote:
> [...]
> Am I correct in assuming that you would need to have access to an account 
> with Domain Administrator privileges in order to allow multiple domain 
> users to ssh into a 1.7 vista machine?

I'm not quite sure about this.  I don't claim to understand all the dos
and don'ts of Windows domains either.

However, I have a working result by creating a domain account with the
required permissions called cyg_server, then creating a cyg_server entry
in passwd using mkpasswd, then starting ssh-host-config.

> And if you don't have access to such an account, the best you can do is
> fire up sshd as yourself (or perhaps one sshd per user on different ports)?  
> I'm guessing that will allow you and local users to ssh in (assuming your
> domain account has local administrator access).
> 
> Looking ahead, I suspect that this combo (sshd + 1.7 + vista + domain user) 
> will be pretty common.  Is there a plan for steering users in the right
> direction during the setup of sshd, or maybe giving a more descriptive 
> error message?

The ssh-host-config script only covers the simpler approaches for home
users.  Right now, a professional administrator for a Windows domain
will have to know a bit, or ask here.

Ideally, somebody would take heart and

- Add more code to ssh-host-config to allow more smooth operations
  in a domain environment.
- Add to the documentation to explain the problems.

But right now that won't be me.

> > 1. Yes, ssh-host-config has to be run elevated, as with all applications
> >    requiring actual admin privileges.  There's no way to elevate a child
> >    process running in the same console window.  Microsoft tweaked the
> >    ShellExecute() call in shell32.dll heavily to allow the UAC stuff,
> >    but neglected to allow applications using the CreateProcess() call to
> >    do the same.  ShellExecute is not an option to use in Cygwin processes.
> 
> Bum deal.  But thanks for the explanation.  That clarifies what I was
> seeing.

Actually, there is a way to elevate a console application, which is the
manifest file.  Unfortunately, this only works for executables, not for
scripts.

I didn't try it myself, but maybe something like this works:

  $ cd /bin
  $ cp bash.exe bash-elevated.exe
  $ sed 's/nstall\.exe/bash-elevated.exe/g' < install.exe > bash-elevated.exe.manifest
  $ sed '1s/bash/bash-elevated/' < ssh-host-config > ssh-host-config-elevated
  $ ssh-host-config-elevated

Sometimes adding a manifest file to an executable doesn't work immediately
due to some caching in Windows, but basically this should work.


Corinna

-- 
Corinna Vinschen                  Please, send mails regarding Cygwin to
Cygwin Project Co-Leader          cygwin AT cygwin DOT com
Red Hat
