This is the mail archive of the cygwin mailing list for the Cygwin project.



Re: ssh login no longer allowed by local accounts other than main administrator account after taking machine off domain


On 8/6/2013 6:50 PM, Yuki Ishibashi wrote:
> (Sorry if this goes to the wrong place, I'm a little unfamiliar with the
> cygwin mailing list and its usage)
>
> I wanted to thank Linda and Larry both for their responses to my
> original post on Aug 2nd.
>
> Linda: Process Monitor was a helpful suggestion, however there are as
> you have said probably far too many system process messages, and even
> trying to filter for what I wanted has proved not helpful....
>
> Larry: I did have the new users have ownership of their own /home/user
> folders...

What about the files and dot files underneath?  Like I said, I suspect
that scripts that are being run as part of the login are actually the
cause of the "permission denied" message.  You need to look at what those
scripts are and what they are running.  You may find that changing your
shell to '/bin/sh' in your '/etc/passwd' file may help avoid the problem
by skipping some of these init scripts.  A different alternative is to try
adding 'set -x' to '/etc/profile'.  This will spit out every line of
every script run on login, which should help you localize where the
"permission denied" message comes from.

> also /bin/bash.exe has 755 access, with user:old_admin group:Domain Users.

Expected but you might as well change the group ownership to 513 (None).
You could also change the user to something that exists on the local
system.  In my case, it's my user since I'm the one that installed
Cygwin in the first place. :-)

> The problem looks most similar to what the user marco atzeri posted here:
> http://comments.gmane.org/gmane.os.cygwin/134144,
> (unfortunately there was no resolution)
>
> Perhaps what might help me is:
> a) what are the standard permissions *supposed* to be on everything on
> the cygwin terminal-side (i.e. 'ls -l /etc/*', etc),

In general, things will default to be owned by the user that installed
them and group 513 for a local user and 10513 for a domain user.
Permissions are the most critical though.  Those tend to default to
644 or 755, depending on whether the file is meant to be executable
or not.  But there are programs, like sshd, that require specific
ownership and permissions to work properly.  As I mentioned, ssh-host-config
takes care of setting these permissions and ownerships but you may need to
review the settings by hand as I'm not sure if the script will change
ownerships/permissions of all the files it requires from a domain setup
to a local one.

> b) what account should the "CYGWIN sshd" service be running as in the
> Windows side

Depends what version of Windows you're running (did you say?)  For XP it
defaults to SYSTEM.  On any later O/S, it should be cyg_server.  Again,
ssh-host-config will handle this for you.

> c) what group should local users be in (i.e. 'mkpasswd -l' and
> 'mkgroup -l') - currently the local users are in group 513 (in mkgroup
> -l that's "None"), sounds weird but that's what it was before I took
> it off the domain, and it was working earlier.

513/None is fine.  I'm in 513, 545, and 1001.  I don't believe 1001 is
significant.

> d) Do I need to re-sync the mkpasswd -l with /etc/passwd and mkgroup
> -l with /etc/group ? I had previously appended the newly created local
> accounts (with associated SSIDs) to /etc/passwd using something like
> "mkpasswd -l | grep newusername >> etc/passwd" (and something similar
> for the /etc/group)

That should be enough to add 'newusername'.  I assume you mean
'/etc/passwd' above.  If you care to keep the previous contents
of these files, what you did is fine.  Otherwise, just create new
files:

  mkpasswd -l -c >/etc/passwd
  mkgroup -l -c >/etc/group

> I'm running into a brick wall here and not sure how I should approach
> this... any general advice even would be appreciated, thanks so much!

If all else fails or you just get tired of fiddling with the tuning
knobs, move your current installation aside, follow the instructions
in this FAQ - <http://cygwin.com/faq.html#faq.setup.uninstall-all>,
reinstall, and reconfigure sshd (run ssh-host-config).  If that doesn't
solve the permission problems, then you may be in the same boat as
Marco (i.e. BLODA).  You'll have to start looking at the possibilities
there.

--
Larry

_____________________________________________________________________

A: Yes.
> Q: Are you sure?
>> A: Because it reverses the logical flow of conversation.
>>> Q: Why is top posting annoying in email?
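
Added example, not part of the original message or of Cygwin itself: a small shell audit of the two things discussed above, passwd entries still carrying the domain group 10513 and files or dot files under a home directory with the wrong owner or group/other write access. The function names and the sample passwd lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit a Cygwin install after the machine left a domain.
# Group IDs 513 (local "None") and 10513 (domain users) are the values
# given in the message; all names below are illustrative assumptions.

# Print login names whose primary gid (field 4) is still the domain
# group 10513.  Reads the named passwd-format file(s), or stdin if none.
stale_domain_entries() {
    awk -F: '$4 == 10513 { print $1 }' "$@"
}

# Report everything under a home directory (dot files included) that is
# not owned by the expected numeric uid, or that group/others can write.
# Output lines are "owner PATH" or "writable PATH".
audit_home() {
    home=$1
    uid=$2
    find "$home" ! -user "$uid" -print | sed 's/^/owner /'
    find "$home" ! -type l \( -perm -020 -o -perm -002 \) -print |
        sed 's/^/writable /'
}

# Constructed sample input (not taken from the thread): one entry left
# over from the domain, one entry created with 'mkpasswd -l'.
sample_passwd() {
    cat <<'EOF'
old_admin:unused:11001:10513:U-EXAMPLE\old_admin,S-1-5-21-0-0-0-1001:/home/old_admin:/bin/bash
newuser:unused:1005:513:U-PC\newuser,S-1-5-21-1-1-1-1005:/home/newuser:/bin/bash
EOF
}

# Demo on the constructed sample; prints "old_admin".
sample_passwd | stale_domain_entries

# On a real system (run from a Cygwin shell):
#   stale_domain_entries /etc/passwd
#   audit_home /home/newuser "$(id -u newuser)"
```

Any path reported by audit_home is a candidate for the chown/chgrp/chmod review described in the reply; an empty result means ownership and write bits are not the cause.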
