This is the mail archive of the cygwin mailing list for the Cygwin project.



RE: Difficulty setting up domain SSH daemon under Domain Security Policies


Thank you Chris for your reply.

>From:       "Hunter, Bryan"


>The SSHD service is successfully running under the local cyg_server
>userid set up by ssh-host-config.  Public key authentication is working.
>It is running on a Windows 2003 Server with Domain Security Policies
>being pushed down from the Domain server.  Using the windows GUI, access
>to change the local security settings is greyed out.  After replication
>or some time passing, the cyg_server settings disappear from the local
>security settings.  If running, the sshd service continues to work.  If
>there is a need to restart the service, then the following procedure
>works:

>1    Stop the service
>2    Delete the service
>3    Delete the cyg_server userid
Both Local user and /etc/passwd
>4    Rerun ssh-host-config
>5    Restart the service

>I am trying to set up access to the entire domain, and to that end tried
>creating a domain userid with various policies to run the service.  When
>this userid propagates, it does not appear to propagate the "Create a
>token object" policy.  When I run ssh-host-config and specify the new
>userid, I get a message that the userid has insufficient permissions.
>Indeed, it does not work.  I am not sure which way to look at this, but
>can anyone provide some direction?  Here are some points as I see them.

>1    The ssh-host-config program doesn't say what permissions are
>inadequate.  Is there a specific list of what is needed?
>2    Is there a way to force ssh-host-config to create the permissions?
>It seems that it will only create permissions when creating a fresh new
>setup.
>3    If the local security policies are indeed being over written and
>the create token object doesn't propagate, then it looks like some
>additional process is needed to recreate the privileges?

>Is there a different way of going about this?  Would it make any sense
>to install SSH on the domain controller itself?

>Any guidance in this matter would be appreciated.

>Best Regards,
>Bryan Hunter
>>From: Christoph Herdeg
>>Hi Bryan,

>>The local security policy is overwritten in all aspects that are configured
>>in the Default Domain Policy or any other GPOs that are used against the
>>same Active Directory objects (Forests, Sites, Domains, OUs).

>>You need to create the cyg_server account within Active Directory Users &
>>Computers and set up Default Domain Policy to push the correct permissions
>>to that user. You may need to put the account into a security group having
>>administrative permissions on the local Domain Member machines.

I am not sure what you mean by pushing the permissions to the user.  The
user has been given the following policies on the domain controller.
These were seen for a while on the file server except for Create a token
object which was never seen.  The user is also an administrator on the
local machine.

	Create a token object
	Log on as a service
	Replace a process level token

>>You need to set up /etc/passwd and /etc/groups on the local Domain Member
>>machines to include the users and groups from your Domain (mkpasswd and
>>mkgroup used with the according parameters).

>>You need to call ssh-host-config, e.g. like that: "ssh-host-config -y -c
>>"tty ntsec" -u "Domain\cyg_server" --privileged".

Here are the results.

administrator@detfs01 ~
$ ssh-host-config -y -c "tty ntsec" -u "TRADE\sshd_server_domain" --privileged
*** Query: Overwrite existing /etc/ssh_config file? (yes/no) yes
*** Info: Creating default /etc/ssh_config file
*** Query: Overwrite existing /etc/sshd_config file? (yes/no) yes
*** Info: Creating default /etc/sshd_config file
*** Info: Privilege separation is set to yes by default since OpenSSH 3.3.
*** Info: However, this requires a non-privileged account called 'sshd'.
*** Info: For more info on privilege separation read /usr/share/doc/openssh/README.privsep.
*** Query: Should privilege separation be used? (yes/no) yes
*** Info: Updating /etc/sshd_config file


*** Warning: The following functions require administrator privileges!

*** Query: Do you want to install sshd as a service?
*** Query: (Say "no" if it is already installed as a service) (yes/no) yes
*** Query: Enter the value of CYGWIN for the daemon: [tty ntsec] tty ntsec
*** Info: On Windows Server 2003, Windows Vista, and above, the
*** Info: SYSTEM account cannot setuid to other users -- a capability
*** Info: sshd requires.  You need to have or to create a privileged
*** Info: account.  This script will help you do so.

*** Info: You appear to be running Windows 2003 Server or later.  On 2003
*** Info: and later systems, it's not possible to use the LocalSystem
*** Info: account for services that can change the user id without an
*** Info: explicit password (such as passwordless logins [e.g. public key
*** Info: authentication] via sshd).

*** Info: If you want to enable that functionality, it's required to create
*** Info: a new account with special privileges (unless a similar account
*** Info: already exists). This account is then used to run these special
*** Info: servers.

*** Info: Note that creating a new user requires that the current account
*** Info: have Administrator privileges itself.

*** Info: This script plans to use 'TRADE\sshd_server_domain'.
*** Info: 'TRADE\sshd_server_domain' will only be used by registered services.
*** Query: Create new privileged user account 'TRADE\sshd_server_domain'? (yes/no) yes
*** Info: Please enter a password for new user TRADE\sshd_server_domain.  Please be sure
*** Info: that this password matches the password rules given on your system.
*** Info: Entering no password will exit the configuration.
*** Query: Please enter the password:
*** Query: Reenter:

*** Warning: Creating the user 'TRADE\sshd_server_domain' failed!  Reason:
The syntax of this command is:


NET USER
[username [password | *] [options]] [/DOMAIN]
         username {password | *} /ADD [options] [/DOMAIN]
         username [/DELETE] [/DOMAIN]


*** Info: Please enter a password for new user TRADE\sshd_server_domain.  Please be sure
*** Info: that this password matches the password rules given on your system.
*** Info: Entering no password will exit the configuration.
*** Query: Please enter the password:
*** Query: Please enter the password:
*** Query: Please enter the password:
*** Query: Please enter the password:
*** Query: Please enter the password:

There are at least 2 issues here: 1) the syntax failure, and 2) the
program fails to exit when entering no password.

>>SSHD should work that way...

>>Best Regards, Chris



I looked into the ssh-host-config program which is a Red Hat bash script
and found the unusual arrangement whereby it runs differently when used
interactively.  Specifically, if specifying all yes or no answers, the
script sets a force mode option apparently used by the CSIH routines
which is not available when running interactively.  Therefore I tried
the following command to see if it would rebuild the
permissions/policies for the local user cyg_server once they had been
wiped out by the domain policies.

ssh-host-config -y -c "tty ntsec" -u "cyg_server" --privileged

Unfortunately, it still did not rebuild a working environment - public
key access fails.


--
Problem reports:       http://cygwin.com/problems.html
FAQ:                   http://cygwin.com/faq/
Documentation:         http://cygwin.com/docs.html
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple
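A quick way to confirm whether a service account still holds the three user rights listed in this thread after a domain policy refresh, as an added example that is not part of the thread or of ssh-host-config: it reads a `secedit /export` policy file (converted from UTF-16) and reports which of SeCreateTokenPrivilege, SeServiceLogonRight and SeAssignPrimaryTokenPrivilege the account's SID is missing. The sample export, the SIDs and the `policy.txt` path are constructed for illustration.

```shell
# Added example (not from the thread): check a secedit export for the three
# user rights listed above, mapped to their privilege constants:
#   Create a token object         -> SeCreateTokenPrivilege
#   Log on as a service           -> SeServiceLogonRight
#   Replace a process level token -> SeAssignPrimaryTokenPrivilege
# Assumed workflow on the Cygwin host (the export is UTF-16LE, so convert it):
#   secedit /export /cfg policy.inf
#   iconv -f UTF-16LE -t UTF-8 policy.inf > policy.txt
#   check_rights policy.txt '*S-1-5-21-<domain>-<rid>'
REQUIRED_RIGHTS="SeCreateTokenPrivilege SeServiceLogonRight SeAssignPrimaryTokenPrivilege"

# check_rights FILE SID: print each right the SID lacks; return 1 if any is missing.
check_rights() {
    file=$1
    sid=$2
    missing=0
    for right in $REQUIRED_RIGHTS; do
        # Export lines look like: SeServiceLogonRight = *S-1-5-80-0,*S-1-5-21-...-1105
        if ! grep -E "^${right}[[:space:]]*=" "$file" | tr -d '\r' \
             | sed 's/^[^=]*=//' | tr ',' '\n' | tr -d ' ' \
             | grep -qxF -- "$sid"; then
            echo "MISSING: $right for $sid"
            missing=1
        fi
    done
    return $missing
}

# Constructed sample export standing in for policy.txt; both SIDs are made up.
# RID 1105 plays the domain service account after a GPO refresh removed its
# "Create a token object" right; RID 500 still holds all three.
SAMPLE_EXPORT=$(mktemp)
cat > "$SAMPLE_EXPORT" <<'EOF'
[Unicode]
Unicode=yes
[Privilege Rights]
SeServiceLogonRight = *S-1-5-80-0,*S-1-5-21-1111-2222-3333-500,*S-1-5-21-1111-2222-3333-1105
SeAssignPrimaryTokenPrivilege = *S-1-5-19,*S-1-5-21-1111-2222-3333-500,*S-1-5-21-1111-2222-3333-1105
SeCreateTokenPrivilege = *S-1-5-21-1111-2222-3333-500
[Version]
signature="$CHICAGO$"
Revision=1
EOF

SERVICE_SID='*S-1-5-21-1111-2222-3333-1105'
check_rights "$SAMPLE_EXPORT" "$SERVICE_SID" \
    || echo "sshd restarted under $SERVICE_SID would fail public-key logins"
```

Run it against the real export after `gpupdate` or a replication cycle to see which right the GPO removed, rather than waiting for ssh-host-config's generic "insufficient permissions" message.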

