This is the mail archive of the cygwin mailing list for the Cygwin project.
Re: group membership problems with ssh PubKey
- From: Tom Schutter <tschutter at firstam dot com>
- To: cygwin at cygwin dot com
- Date: Mon, 19 Apr 2010 17:02:39 -0600
- Subject: Re: group membership problems with ssh PubKey
- References: <20100416201433.GB5284@proxix.com>
On Fri 2010-04-16 15:14, Tom Schutter wrote:
> This is a problem that I am having with all of my 1.7 installations.
>
> If I bring up a local shell and list my group memberships:
>
> lemon:~$ groups
> Domain Users Administrators Users FDSV-DL-FASS FDSV-DL-Proxix FDSV-GG-Bugzilla FDSV-GG-FASS FDSV-GG-Jabber FDSV-GG-Nagios FDSV-GG-PrxAAPCAdmins FDSV-GG-PrxBLD FDSV-GG-PrxPCAdmins FDSV-GG-ShareFASSSharedRW FDSV-GG-ShareFwiseLF FDSV-GG-ShareFwiseRO FDSV-GG-ShareImages3RO FDSV-GG-ShareResourcesLF FDSV-GG-ShareResourcesRO FDSV-GG-TikiDev
>
> Notice that I am a member of the Administrators group. This is because I am a member of the FDSV-GG-PrxBLD group, which has been added to the local Administrators group.
>
> Now if I log in via SSH using PubKey authentication and list my group memberships:
>
> lemon:~$ groups
> Domain Users Users FDSV-DL-Proxix FDSV-GG-Bugzilla FDSV-GG-FASS FDSV-GG-Jabber FDSV-GG-Nagios FDSV-GG-PrxAAPCAdmins FDSV-GG-PrxBLD FDSV-GG-PrxPCAdmins FDSV-GG-TikiDev
>
> I am a member of the FDSV-GG-PrxBLD group, but not the local Administrators group.
>
> I am using cyglsa.
>
> I am not using cygserver.
>
> sshd is running as the domain user fdsv-sa-prx-sshdsrvr. These are the user rights for that user:
>
> lemon:~$ editrights -l -u fdsv-sa-prx-sshdsrvr
> SeCreateTokenPrivilege
> SeTcbPrivilege
> SeIncreaseQuotaPrivilege
> SeAssignPrimaryTokenPrivilege
> SeServiceLogonRight
>
> The fdsv-sa-prx-sshdsrvr user is in /etc/passwd:
>
> lemon:~$ grep fdsv-sa-prx-sshdsrvr /etc/passwd
> fdsv-sa-prx-sshdsrvr:unused:18846:10513:Service Account, Prx-SSHDSrvr,U-FLOODDATA\fdsv-sa-prx-sshdsrvr,S-1-5-21-2555220796-769361577-1294736918-8846:/home/fdsv-sa-prx-sshdsrvr:/bin/bash
>
> I have blanked any password stored in the registry by specifying a blank password to "passwd -R".
>
> I have read and I think I understand http://cygwin.com/cygwin-ug-net/ntsec.html
>
> It looks to me like this is an issue of being an "indirect" member of the Administrators group via the domain FDSV-GG-PrxBLD group.
Does anyone have a clue on this one? Larry Hall's response was based upon a misreading of the original email.
--
Tom Schutter
First American Spatial Solutions
303-440-7272 x6822
512-977-6822