This is the mail archive of the
mailing list for the Cygwin project.
sshd: testing whether login was via public key or password?
- From: "Robert Jacobson" <q7zfcru02 at sneakemail dot com>
- To: cygwin at cygwin dot com
- Date: Fri, 29 Jan 2016 11:42:47 -0500
- Subject: sshd: testing whether login was via public key or password?
- Authentication-results: sourceware.org; auth=none
Short version: "schtasks /change" fails because I used SSH public key
auth. I'd like to add error checking to script I run, so that it exits
if the user doesn't have the right session token (password), and "fix"
SSH public key login so I get the right privileges. How best to do that?
I've read the following but not sure I understand it enough to pick the
The full issue:
I'm attempting to remotely change passwords for some Windows scheduled
tasks. After logging in (via SSH public key) I could change the
passwords for tasks for different (non-admin) accounts, but not my own
# After logging in with SSH pub key:
$ id -G | grep -qE '\<(544|0)\>' && echo admin || echo user
$ schtasks /query /TN "\backup_web_users" /v /fo list | grep 'Run As'
Run As User: Administrator
$ schtasks /change /RP newpassword /TN "\backup_web_users"
ERROR: Logon failure: unknown user name or bad password.
### Note: if one tries to do above cmd repeatedly, you might lock
### your account after too many login attempts
# But for a regular user account, it worked OK:
$ schtasks /query /TN "\Cleanup Old" /v /fo list | grep 'Run As'
Run As User: HOSTNAME\nonadminuser
$ schtasks /change /RP newpassword /TN "\Cleanup Old"
SUCCESS: The parameters of scheduled task "\Cleanup Old" have been changed.
I figured out the above "Logon failure" was due to logging in via SSH
public key, reference:
As noted in the reference above, if I login via SSH using my password, I
can successfully change the scheduled task password for Administrator
tasks. Similarly, it works if I save my password using "passwd -R".
We would like to continue to require public key auth because it is more
secure (our public keys are from smartcards, so it's effectively
I've already confirmed that storing the passwd with "passwd -R" works.
I have not tried using cyglsa-config -- would that help? My
understanding is that local access would work but access to network
resources would not. I would think scheduled tasks are local so it
should work but did not want to modify my system yet without some
feedback from cygwin experts :)
Also, is there another way I might obtain the proper privs/session
token, WITHOUT storing the password permanently? I noticed that running
"passwd -R" doesn't help with the CURRENT ssh session; i.e. I would have
to logout and login again.
Finally, the obvious way of checking if the proper privileges are
present is simply trying the "schtasks" command and seeing if it fails
by checking the exit status. I'm just wondering (for academic reasons)
if there's a better way. Perhaps there is some "view my current session
If it matters:
$ uname -a
CYGWIN_NT-6.1-WOW nissan 2.2.1(0.289/5/3) 2015-08-20 11:40 i686 Cygwin
The OS is Server 2008 R2 64-bit.
Problem reports: http://cygwin.com/problems.html
Unsubscribe info: http://cygwin.com/ml/#unsubscribe-simple