This is the mail archive of the mailing list for the Cygwin project.


Re: SSHD, Cygwin and Windows 2003 : continued with user rights

Hi All...

Quite a while ago (12 to 18 months?) before Cygwin OpenSSH could impersonate a user, there was some experimental activity in OpenSSH to allow multiple authentication methods. There was a patch to add this on the OpenSSH archives.

I experimented with this to require public key followed by password authentication. This got me the security of a public key authentication and also got me a password to change user ID. When Cygwin added the impersonate user ability, I dropped this activity.


From: Olivier ALLART
To: Cygwin List
Subject: Re: SSHD, Cygwin and Windows 2003 : continued with user rights
Date: Thu, 18 Sep 2003 01:22:48 +0200

Larry Hall wrote:

Hm, I thought I was clear.  Let me try again addressing iisreset

iisreset doesn't work in the scenario you described because it's a Microsoft tool which knows nothing of the Cygwin environment. Cygwin's ssh using pubkey authentication doesn't authenticate the user with Windows. So if you need certain credentials to perform some operation in Windows, pubkey authentication won't provide them.

Ok. I thought ssh offered some mechanism through cygwin to authenticate as if under windows ..
That means the 'administrator' account via ssh pubkey is not 'administrator' then ..

If you need to run iisreset through ssh, you will need to use password authentication, which takes the password for the user 'administrator' and authenticates for Windows with it. You should then be able to use iisreset (if authentication is really the only thing getting in the way with pubkey).

yes it is, since it is working with ssh connection (using password on login) when sshd runs under 'local system'

I don't know what are the "*some commands*" you're speaking of, but if they are Cygwin utilities, then I think the answer is obvious. If they are not Cygwin utilities, then I would have to say that they don't require special privileges to run. This is actually true for most utilities. But if this is still confusing for you, you'll have to provide specifics. However, I think you'll find that it's likely that anything that works for you in ssh using pubkey authentication falls into one of the two groups of utilities I mentioned.

and you are probably right.
other commands are for example 'wlbs' (or nlb).
My problem is : I want to execute some remote (but encrypted) commands using both wlbs and iisreset.
wlbs works fine from remote, but that is not the case for IISreset.
I thought authentication using ssh and public key would allow me to perform the iisreset command..
But from what you explained, it is clear that whatever user logs in with pubkey, it won't be considered as 'administrator'.
It looks like iisreset can only be performed *locally* by *local administrator*, which is dumb in the situation where you are from remote. Only other remote control would be 'telnet' but hey, ms telnet can't perform remote commands.

Last question; if I provided a pubkey in the 'administrator' (cygwin) environment, who am I for windows ?

Thank you very much.
Next I guess I'll go look for some tip on how to unlock iisreset so it can be used by whatever admin and not just local ..



At 02:56 PM 9/17/2003, Olivier ALLART you wrote:

Thank you for the details, but then, why *some commands* work and not others ?
And more specifically, how can I make *this command* work ?

Larry Hall wrote:

I think you missed the fact that pubkey authentication does impersonation, not Windows-style authentication. So Windows apps won't recognize the pubkey authentication as providing permissions to run restricted programs. You'll have to use password authentication if you want Windows to recognize the user you've become via ssh. You can find all sorts of discussion on the difference between pubkey and password authentication for ssh in the email archives if you're interested.

At 12:40 PM 9/17/2003, Olivier ALLART you wrote:

Following Mark J de Jong's step by step howto (see end of mail for some add-ons), I can now effectively log in with pkey method (that is, no password) using the 'administrator' user name.
'whoami' returns 'administrator', however asking for a command such as IISRESET returns the error 'you are not a local administrator of this machine...', which means the rights management has failed somewhere.

Larry Hall                    
RFK Partners, Inc.                      (508) 893-9779 - RFK Office
838 Washington Street                   (508) 893-9889 - FAX
Holliston, MA 01746

