This is the mail archive of the cygwin mailing list for the Cygwin project.


Index Nav: [Date Index] [Subject Index] [Author Index] [Thread Index]
Message Nav: [Date Prev] [Date Next] [Thread Prev] [Thread Next]
Other format: [Raw text]

Problem with SSH log on through passwordless public key using the LSA security method on a Windows Server 2008 Standard machine


Hi,

I'm having problems logging in to a Windows Server 2008 Standard
machine using a password-less public key and I feel that I'm getting
nowhere closer to solving it. Despite my attempts the log in always
results in asking for my account password. Logging in using a password
works well, but I really need to log in using my public.

What I've done is:
  1. Turing DEP off by: bcdedit.exe /set {current} nx AlwaysOff
  2. Installing Cygwin
  3. Execute /usr/bin/cyglsa-config to use "Switching the user context
without password, Method 2: LSA authentication package" from
http://cygwin.com/cygwin-ug-net/ntsec.html followed by a computer
restart
  4. Added the row "CYGWIN=binmode tty ntsec" (without ") to
c:\cygwin\Cygwin.bat
  5. Execute "ssh-host-config" choosing the defaults, I wrote "binmode
tty ntsec" when asked for the CYGWIN contents

After that, the system has been restarted numerous times. I also have
"Cron deamon" running, under a domain account. But I don't think it
affects the issue. I'm able to log in using a password, but not using
a public key. Also the su command doesn't work, it asks me for a
password when issuing it and always respons with "su: /bin/bash:
Permission denied", that one might be related?

Below are some output which might make it easier to know what's wrong
divided into ** headlines **.

Thank you for reading! I hope someone has a tip or two. Any help is
greatly appreciated! :-)

Best regards,
Kent Larsson

** bcdedit.exe **

C:\Users\netdevel>bcdedit.exe

Windows Boot Manager
--------------------
identifier              {bootmgr}
device                  partition=C:
description             Windows Boot Manager
locale                  en-US
inherit                 {globalsettings}
default                 {current}
displayorder            {current}
toolsdisplayorder       {memdiag}
timeout                 30
resume                  No

Windows Boot Loader
-------------------
identifier              {current}
device                  partition=C:
path                    \Windows\system32\winload.exe
description             Microsoft Windows Server 2008
locale                  en-US
inherit                 {bootloadersettings}
osdevice                partition=C:
systemroot              \Windows
resumeobject            {13f36e53-1fe7-11df-8fce-99bbadfdd430}
nx                      AlwaysOff

** The ssh-host-config script and some thoughts **

/usr/share/doc/Cygwin/openssh.README says:
1. The user which runs the "CYGWIN sshd"-service should have the rights:
  a. "Create a token object"
  b. "Logon as a service"
  c. "Replace a process level token"
  d. "Increase Quota"
2. The "ssh-host-config" script asks you, if it should create such an
account, called "sshd_server" with the correct (above) rights.
3. Note that ssh-user-config sets the permissions on 2003 Server
machines dependent of whether a sshd_server account exists or not.

I don't understand [3] above and [2] doesn't seem to be quite right
any more? As far as I can tell, when I ran the script and an account
named "cyg_server" was created. The "CYGWIN sshd"-service is running
under the created account.

By logging on to the server and "Start / Administrative Tools / Local
Security Policy / Local Policies / User Rights Assignment" I'm able to
verify that the "cyg_server" which runs the "CYGWIN sshd"-service has
the 1a,1b,1c rights. But the 1d (Increase Quota) can not be found
under "User Rights Assignment". The two who start with "Increase" are
"Increase a process working set" and "Increase scheduling priority".
Neither of which the "cyg_server" account is assigned.

What's different from the README above is the account name, and maybe
the lack of "Increase Quota" (I have no idea where I should be able to
find it if not where I looked, and if it really is necessary).

** Cygwin version **

$ uname -a
CYGWIN_NT-6.0 kentl 1.7.1(0.218/5/3) 2009-12-07 11:48 i686 Cygwin

** Installed Cygwin packages **

$ cygcheck -c
Cygwin Package Information
Package              Version             Status
_update-info-dir     00871-1             OK
alternatives         1.3.30c-10          OK
arj                  3.10.22-1           OK
aspell               0.60.5-1            OK
aspell-en            6.0.0-1             OK
aspell-sv            0.50.2-2            OK
autossh              1.4b-1              OK
base-cygwin          2.1-1               OK
base-files           3.9-3               OK
base-passwd          3.1-1               OK
bash                 3.2.49-23           OK
bash-completion      1.1-2               OK
bc                   1.06-2              OK
bzip2                1.0.5-10            OK
cabextract           1.1-1               OK
compface             1.5.2-1             OK
coreutils            7.0-2               OK
cron                 4.1-59              OK
crypt                1.1-1               OK
csih                 0.9.1-1             OK
curl                 7.19.6-1            OK
cvs                  1.12.13-10          OK
cvsutils             0.2.5-1             OK
cygrunsrv            1.34-1              OK
cygutils             1.4.2-1             OK
cygwin               1.7.1-1             OK
cygwin-doc           1.5-1               OK
cygwin-x-doc         1.1.0-1             OK
dash                 0.5.5.1-2           OK
diffutils            2.8.7-2             OK
doxygen              1.6.1-2             OK
e2fsprogs            1.35-3              OK
editrights           1.01-2              OK
emacs                23.1-10             OK
emacs-X11            23.1-10             OK
file                 5.04-1              OK
findutils            4.5.5-1             OK
flip                 1.19-1              OK
font-adobe-dpi75     1.0.1-1             OK
font-alias           1.0.2-1             OK
font-encodings       1.0.3-1             OK
font-misc-misc       1.1.0-1             OK
fontconfig           2.8.0-1             OK
gamin                0.1.10-10           OK
gawk                 3.1.7-1             OK
gettext              0.17-11             OK
gnome-icon-theme     2.28.0-1            OK
grep                 2.5.4-2             OK
groff                1.19.2-2            OK
gvim                 7.2.264-1           OK
gzip                 1.3.12-2            OK
hicolor-icon-theme   0.11-1              OK
inetutils            1.5-6               OK
ipc-utils            1.0-1               OK
keychain             2.6.8-1             OK
less                 429-1               OK
libaspell15          0.60.5-1            OK
libatk1.0_0          1.28.0-1            OK
libaudio2            1.9.2-1             OK
libbz2_1             1.0.5-10            OK
libcairo2            1.8.8-1             OK
libcurl4             7.19.6-1            OK
libdb4.2             4.2.52.5-2          OK
libdb4.5             4.5.20.2-2          OK
libexpat1            2.0.1-1             OK
libfam0              0.1.10-10           OK
libfontconfig1       2.8.0-1             OK
libfontenc1          1.0.5-1             OK
libfreetype6         2.3.12-1            OK
libgcc1              4.3.4-3             OK
libgdbm4             1.8.3-20            OK
libgdk_pixbuf2.0_0   2.18.6-1            OK
libgif4              4.1.6-10            OK
libGL1               7.6.1-1             OK
libglib2.0_0         2.22.4-2            OK
libglitz1            0.5.6-10            OK
libgmp3              4.3.1-3             OK
libgtk2.0_0          2.18.6-1            OK
libICE6              1.0.6-1             OK
libiconv2            1.13.1-1            OK
libidn11             1.16-1              OK
libintl3             0.14.5-1            OK
libintl8             0.17-11             OK
libjasper1           1.900.1-1           OK
libjbig2             2.0-11              OK
libjpeg62            6b-21               OK
libjpeg7             7-10                OK
liblzma1             4.999.9beta-10      OK
libncurses10         5.7-18              OK
libncurses8          5.5-10              OK
libncurses9          5.7-16              OK
libopenldap2_3_0     2.3.43-1            OK
libpango1.0_0        1.26.2-1            OK
libpcre0             8.00-1              OK
libpixman1_0         0.16.6-1            OK
libpng12             1.2.35-10           OK
libpopt0             1.6.4-4             OK
libpq5               8.2.11-1            OK
libreadline6         5.2.14-12           OK
libreadline7         6.0.3-2             OK
libsasl2             2.1.19-3            OK
libSM6               1.1.1-1             OK
libssh2_1            1.2.2-1             OK
libssp0              4.3.4-3             OK
libstdc++6           4.3.4-3             OK
libtiff5             3.9.2-1             OK
libwrap0             7.6-20              OK
libX11_6             1.3.3-1             OK
libXau6              1.0.5-1             OK
libXaw3d7            1.5D-8              OK
libXaw7              1.0.7-1             OK
libxcb-render-util0  0.3.6-1             OK
libxcb-render0       1.5-1               OK
libxcb1              1.5-1               OK
libXcomposite1       0.4.1-1             OK
libXcursor1          1.1.10-1            OK
libXdamage1          1.1.2-1             OK
libXdmcp6            1.0.3-1             OK
libXext6             1.1.1-1             OK
libXfixes3           4.0.4-1             OK
libXft2              2.1.14-1            OK
libXi6               1.3-1               OK
libXinerama1         1.1-1               OK
libxkbfile1          1.0.6-1             OK
libxml2              2.7.6-1             OK
libXmu6              1.0.5-1             OK
libXmuu1             1.0.5-1             OK
libXpm4              3.5.8-1             OK
libXrandr2           1.3.0-10            OK
libXrender1          0.9.5-1             OK
libXt6               1.0.7-1             OK
links                1.00pre20-1         OK
login                1.10-10             OK
luit                 1.0.5-1             OK
lynx                 2.8.5-4             OK
man                  1.6e-1              OK
minires              1.02-1              OK
mkfontdir            1.0.5-1             OK
mkfontscale          1.0.7-1             OK
openssh              5.4p1-1             OK
openssl              0.9.8m-1            OK
patch                2.5.8-9             OK
patchutils           0.3.1-1             OK
perl                 5.10.1-3            OK
rebase               3.0.1-1             OK
run                  1.1.12-11           OK
screen               4.0.3-5             OK
sed                  4.1.5-2             OK
shared-mime-info     0.70-1              OK
tar                  1.22.90-1           OK
terminfo             5.7_20091114-13     OK
terminfo0            5.5_20061104-11     OK
texinfo              4.13-3              OK
tidy                 041206-1            OK
time                 1.7-2               OK
tzcode               2009k-1             OK
unzip                6.0-10              OK
util-linux           2.14.1-1            OK
vim                  7.2.264-2           OK
wget                 1.11.4-4            OK
which                2.20-2              OK
wput                 0.6.1-2             OK
xauth                1.0.4-1             OK
xclipboard           1.1.0-1             OK
xcursor-themes       1.0.2-1             OK
xemacs               21.4.22-1           OK
xemacs-emacs-common  21.4.22-1           OK
xemacs-sumo          2007-04-27-1        OK
xemacs-tags          21.4.22-1           OK
xeyes                1.1.0-1             OK
xinit                1.2.1-1             OK
xinput               1.5.0-1             OK
xkbcomp              1.1.1-1             OK
xkeyboard-config     1.8-1               OK
xkill                1.0.2-1             OK
xmodmap              1.0.4-1             OK
xorg-docs            1.5-1               OK
xorg-server          1.7.6-2             OK
xrdb                 1.0.6-1             OK
xset                 1.1.0-1             OK
xterm                255-1               OK
xz                   4.999.9beta-10      OK
zip                  3.0-11              OK
zlib                 1.2.3-10            OK
zlib-devel           1.2.3-10            OK
zlib0                1.2.3-10            OK

** sshd_config **

$ cat /etc/sshd_config | sed -e 's/^[ \t]\+//g' | egrep -v '^#|^[
\t]*$' # Show all lines of importance (not a comment, nor blank)
Port 22
Protocol 2
StrictModes no
RSAAuthentication yes
PubkeyAuthentication yes
AuthorizedKeysFile	.ssh/authorized_keys
AllowAgentForwarding yes
AllowTcpForwarding yes
GatewayPorts yes
X11Forwarding yes
X11DisplayOffset 10
X11UseLocalhost no
TCPKeepAlive yes
UsePrivilegeSeparation yes
Subsystem	sftp	/usr/sbin/sftp-server

--
Problem reports:       http://cygwin.com/problems.html
FAQ:                   http://cygwin.com/faq/
Documentation:         http://cygwin.com/docs.html
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple


Index Nav: [Date Index] [Subject Index] [Author Index] [Thread Index]
Message Nav: [Date Prev] [Date Next] [Thread Prev] [Thread Next]