This is the mail archive of the cygwin mailing list for the Cygwin project.

Re: Difficulty setting up domain SSH daemon under Domain Security Policies

Hi Bryan,

The local security policy is overwritten in all aspects that are configured
in the Default Domain Policy or any other GPOs that are used against the
same Active Directory objects (Forests, Sites, Domains, OUs).

You need to create the cyg_server account within Active Directory Users &
Computers and set up the Default Domain Policy to push the correct permissions
to that user. You may need to put the account in a security group having
administrative permissions on the local Domain Member machines.

You need to set up /etc/passwd and /etc/groups on the local Domain Member
machines to include the users and groups from your Domain (mkpasswd and
mkgroup used with the according parameters).

You need to call ssh-host-config, e.g. like this:
ssh-host-config -y -c "tty ntsec" -u "Domain\cyg_server" --privileged

SSHD should work that way...

Best Regards, Chris
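As an added example (not code from the thread or from the Cygwin project), here is a POSIX shell sketch of the steps Chris lists, with a check that the domain account actually landed in /etc/passwd in the form "mkpasswd -d" writes it, so that the local cyg_server created by ssh-host-config is not mistaken for the domain one. The domain name EXAMPLE, the hostname MEMBER01, the SIDs, the helper names and the default 10000 uid offset of mkpasswd -d are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: verify that the domain account sshd will
# run under is present in /etc/passwd the way "mkpasswd -d" writes it, and
# only then run the steps Chris describes. Assumed (not from the page): domain
# EXAMPLE, host MEMBER01, the constructed SIDs, and the 10000 uid offset that
# mkpasswd -d adds to domain RIDs by default.

# passwd_has_domain_user FILE DOMAIN USER [OFFSET]
# Returns 0 when FILE has an entry named USER whose gecos field carries
# "U-DOMAIN\USER" and whose uid is at or above OFFSET (default 10000), as
# "mkpasswd -d" produces; a local account ("U-HOSTNAME\user", uid below the
# offset) does not match, which is what tells the two cyg_server apart.
passwd_has_domain_user() {
    awk -F: -v dom="$2" -v name="$3" -v off="${4:-10000}" '
        BEGIN { want = "U-" dom "\\" name; found = 0 }
        $1 == name && index($5, want) && $3 + 0 >= off { found = 1 }
        END { exit found ? 0 : 1 }' "$1"
}

# Constructed sample /etc/passwd: the local cyg_server created by
# ssh-host-config (uid 1003) and a domain cyg_server imported with
# "mkpasswd -d EXAMPLE -u cyg_server" (RID 1110 + offset 10000).
sample_passwd() {
    cat <<'EOF'
cyg_server:unused:1003:513:U-MEMBER01\cyg_server,S-1-5-21-111-222-333-1003:/home/cyg_server:/bin/bash
cyg_server:unused:11110:10513:U-EXAMPLE\cyg_server,S-1-5-21-444-555-666-1110:/home/cyg_server:/bin/bash
EOF
}

# import_domain_accounts DOMAIN USER: append the domain user and the domain
# groups to the Cygwin files when the user is missing, then run
# ssh-host-config under the domain account. It only runs where the Cygwin
# tools exist, so sourcing this file elsewhere is harmless.
import_domain_accounts() {
    dom=$1; user=$2
    command -v mkpasswd >/dev/null 2>&1 || { echo "not a Cygwin host" >&2; return 1; }
    if ! passwd_has_domain_user /etc/passwd "$dom" "$user"; then
        mkpasswd -d "$dom" -u "$user" >> /etc/passwd || return 1
        mkgroup -d "$dom" >> /etc/group || return 1
    fi
    passwd_has_domain_user /etc/passwd "$dom" "$user" || return 1
    # The user rights themselves (e.g. "Create a token object") must be
    # assigned in the GPO: local grants are overwritten at the next refresh.
    ssh-host-config -y -c "tty ntsec" -u "$dom\\$user" --privileged
}
```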

From: "Hunter, Bryan"
Date: 20.07.2010 23:36
Subject: Difficulty setting up domain SSH daemon under Domain Security Policies

The SSHD service is successfully running under the local cyg_server
userid set up by ssh-host-config.  Public key authentication is working.
It is running on a Windows 2003 Server with Domain Security Policies
being pushed down from the Domain server.  Using the windows GUI, access
to change the local security settings is greyed out.  After replication
or some time passing, the cyg_server settings disappear from the local
security settings.  If running, the sshd service continues to work.  If
there is a need to restart the service, then the following procedure

1. Stop the service
2. Delete the service
3. Delete the cyg_server userid
4. Rerun ssh-host-config
5. Restart the service

I am trying to set up access to the entire domain, and to that end tried
creating a domain userid with various policies to run the service.  When
this userid propagates, it does not appear to propagate the "Create a
token object" policy.  When I run ssh-host-config and specify the new
userid, I get a message that the userid has insufficient permissions.
Indeed, it does not work.  I am not sure which way to look at this, but
can anyone provide some direction?  Here are some points as I see them.

1. The ssh-host-config program doesn't say what permissions are
inadequate.  Is there a specific list of what is needed?
2. Is there a way to force ssh-host-config to create the permissions?
It seems that it will only create permissions when creating a fresh new
3. If the local security policies are indeed being overwritten and
the create token object doesn't propagate, then it looks like some
additional process is needed to recreate the privileges?

Is there a different way of going about this?  Would it make any sense
to install SSH on the domain controller itself?

Any guidance in this matter would be appreciated.

Best Regards,
Bryan Hunter

[attachment "cygcheck.out" deleted by Christoph Herdeg/Germany/Contr/IBM]
Problem reports:
Unsubscribe info: