This is the mail archive of the
mailing list for the Cygwin project.
Re: ssh password-less cmds to Windows 2003 don't return any output
On Jun 21 08:29, Andrew DeFaria wrote:
> The change is necessary since W2K3 tightened up security and permissions
> on the Local System Account such that sshd would not be able to switch
> user if it used that account. Instead it offers to create a new account
> called sshd_server and bestow on it the required rights to switch user.
> (I've been wondering why not bestow those rights directly to the Local
> System Account? I mean it had them before... Obviously a security
> decision, probably a wise one).
You'll be surprised, but on 2K3 the SYSTEM account still has all the
rights it has on previous systems.

The sad fact on 2K3 is that the SYSTEM account has the
SeCreateTokenName privilege revoked *unconditionally* as soon as a service is
running under that account. Unfortunately this is the privilege
necessary to allow password-less logins.

Whatever you do to the SYSTEM account, you'll not have the
SeCreateTokenName privilege in any service started under this account.
This is a Microsoft design decision to raise security. Alas, the Cygwin
mailing list is not the right place to discuss sense or nonsense of this
Corinna Vinschen
Cygwin Project Co-Leader
Please, send mails regarding Cygwin to cygwin AT cygwin DOT com
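
An added example, not part of the original thread: a shell check that reads the output of Windows' `whoami /priv` and reports whether the token-creation privilege discussed above is in a given token. It assumes English-language output and that the privilege appears there as `SeCreateTokenPrivilege` (the string behind the `SE_CREATE_TOKEN_NAME` constant); the function names and both sample listings are constructed for illustration.

```shell
#!/bin/sh
# Added example. Reads `whoami /priv` output on stdin and prints the state of
# one privilege: "enabled", "disabled" or "absent".
priv_state() {
    # $1 = privilege name as whoami prints it, e.g. SeCreateTokenPrivilege
    awk -v want="$1" '
        { sub(/\r$/, "") }        # Windows tools emit CRLF line endings
        $1 == want { print tolower($NF); found = 1; exit }
        END { if (!found) print "absent" }
    '
}

# A privilege that is listed but disabled can still be enabled by the process;
# one that is absent from the token cannot be enabled at all.
token_holds() {
    case "$(priv_state "$1")" in
        enabled|disabled) return 0 ;;
        *) return 1 ;;
    esac
}

# Constructed sample: a token without the token-creation privilege.
sample_service_token() {
    printf '%s\r\n' \
        'Privilege Name                Description                         State' \
        '============================= =================================== =======' \
        'SeChangeNotifyPrivilege       Bypass traverse checking            Enabled' \
        'SeTcbPrivilege                Act as part of the operating system Enabled'
}

# Constructed sample: a token that does carry the privilege.
sample_dedicated_account() {
    printf '%s\r\n' \
        'Privilege Name                Description                         State' \
        '============================= =================================== =======' \
        'SeCreateTokenPrivilege        Create a token object               Enabled' \
        'SeChangeNotifyPrivilege       Bypass traverse checking            Enabled'
}

# On a real host, pipe the output of Windows' own whoami.exe /priv (not the
# coreutils whoami) into priv_state instead of the samples.
for s in sample_service_token sample_dedicated_account; do
    printf '%s: SeCreateTokenPrivilege is %s\n' \
        "$s" "$($s | priv_state SeCreateTokenPrivilege)"
done
```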