This is the mail archive of the cygwin mailing list for the Cygwin project.


SSHD public key, group assignment issue on Windows 2008, with work-around


Hi,

I installed Cygwin 1.7.1 on a freshly installed Windows Webserver 2008. I
set up sshd using ssh-host-config -y, and initialized passwd and group using
mkpasswd and mkgroup respectively. I followed
http://cygwin.com/cygwin-ug-net/ntsec.html and executed
/usr/bin/cyglsa-config, followed by a reboot. 

When I then tried to connect via ssh using password authentication,
everything worked fine. Using public key authentication resulted in the
following error message:

/usr/bin/bash.exe: error while loading shared libraries: ?: cannot open
shared object file: No such file or directory

Setting the ssh client to verbose output showed that this happened
after a successful authentication. bash.exe itself works fine, cygcheck
reports no error, but several dependencies on shared libraries, all marked
OK. I copied c:\windows\system32\cmd.exe (which has no dependencies on
shared libraries) to c:\cygwin\bin\cmd.exe, allowed Everyone to access this
file and put it as shell into /etc/passwd. Now the public key login worked,
providing the CMD shell. However, I could not do anything, even "dir"
resulted in Access Denied. I used Process Explorer to compare the security
settings of a password-based cmd.exe instance with a public-key-based
instance. Both instances were assigned to the correct user account.
However, the groups differed significantly. Whereas the password-based
instance showed all the groups assigned to the user account, the
public-key-based instance was missing these and the "NT
Authority\NTLM-Authentication" (translated from a German Windows), but had
an additional "NT Authority\Service" group.

Then I modified /etc/passwd and changed the group specification for my
account from None to Users. On the next login, Process Explorer showed that
the Users group was also assigned. I could access files, even /bin/bash
worked as login shell with no shared library issues. This allowed me to
create a Windows group with all the rights I needed during ssh sessions, so
I can actually use public key authentication.

Nevertheless, this seems strange to me. Since it's working for me now, I
don't require immediate assistance. I just wanted to let you know about
this, and probably help some people encountering the same problem with my
work-around.

Best regards
Malte


Attachment: cygcheck.out
Description: Binary data
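
Added example, not part of the original message and not Cygwin project code: a shell sketch of the two checks described above, listing accounts whose primary group in a Cygwin 1.7-style /etc/passwd resolves to None, and diffing the group ids seen in a password session against those seen in a public-key session. The function names, host name, account names, SIDs and gids are constructed for illustration.

```shell
#!/bin/sh
# Added example; every sample value below is constructed.

# primary_group_users PASSWD_FILE GROUP_FILE GROUP_NAME
# Prints each login whose primary gid (passwd field 4) equals the gid that
# GROUP_NAME has in the group file (group field 3). Prints nothing if the
# group name is not present.
primary_group_users() {
    awk -F: -v want="$3" '
        NR == FNR { if ($1 == want) gid = $3; next }   # first file: group
        gid != "" && $4 == gid { print $1 }            # second file: passwd
    ' "$2" "$1"
}

# missing_gids "BASELINE" "OBSERVED"
# Prints gids present in BASELINE (e.g. `id -G` captured in a password
# login) but absent from OBSERVED (e.g. `id -G` from a public-key login).
missing_gids() {
    for g in $1; do
        case " $2 " in
            *" $g "*) ;;          # gid also present in the observed session
            *) echo "$g" ;;       # gid lost in the observed session
        esac
    done
}

# Constructed sample files in the layout mkpasswd/mkgroup write.
SAMPLE_DIR=$(mktemp -d)
cat > "$SAMPLE_DIR/group" <<'EOF'
None:S-1-5-21-1111111111-2222222222-3333333333-513:513:
Users:S-1-5-32-545:545:
Administrators:S-1-5-32-544:544:
EOF
cat > "$SAMPLE_DIR/passwd" <<'EOF'
Administrator:unused:500:513:U-WEB01\Administrator,S-1-5-21-1111111111-2222222222-3333333333-500:/home/Administrator:/bin/bash
alice:unused:1000:513:U-WEB01\alice,S-1-5-21-1111111111-2222222222-3333333333-1000:/home/alice:/bin/bash
deploy:unused:1001:545:U-WEB01\deploy,S-1-5-21-1111111111-2222222222-3333333333-1001:/home/deploy:/bin/bash
EOF

echo "Accounts whose primary group is None:"
primary_group_users "$SAMPLE_DIR/passwd" "$SAMPLE_DIR/group" None
echo "gids in the password session but not in the public-key session:"
missing_gids "513 545 544" "513"
```

On a real host, pass /etc/passwd and /etc/group to the first function and the two captured `id -G` outputs to the second.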
