SSHD under SYSTEM account (was: Re: cygwin & opensshd on .net enterprise server)

Larry Hall (RFK Partners, Inc) lhall@rfk.com
Thu May 16 11:42:00 GMT 2002


At 01:11 PM 5/16/2002, Gerrit P. Haase wrote:
>Inc) wrote:
>
> >>I did copy him on the original note so he would be aware of the issue,
> >>but at this point I have completely removed his version (including
> >>deleting registry keys) and installed the cygwin environment. It appears
> >>that all of cygwin works when run in a system owned command window, but
> >>nothing works from an administrator account.
>
> > Can you please acknowledge whether or not you read openssh*.README so that
> > we know whether you've missed the obvious user rights settings necessary for
> > the administrator account?
>
>I read it and still have similar problems and there is this:


I'm glad you read it Gerrit and would've expected as much from you.  I was
enquiring this specifically of Tony, since it's not clear what he's tried 
and how much he has researched the issue.


>   "The system account does of course own that user rights by default."
>
>That means SYSTEM is ok and it is the default if I let the
>ssh-host-config do the service setup.  So I expect no problems here.
>More:
>
>   Unfortunately, if you choose that way, you can only logon with
>   NT password authentification and you should change
>   /etc/sshd_config to contain the following:
>
>     PasswordAuthentication yes
>     RhostsAuthentication no
>     RhostsRSAAuthentication no
>     RSAAuthentication no
>
>
>Wow this is like a hammer.  That means I cannot use PublicKey
>Authentication?  If I cannot use public key authentication, the whole
>benefit (besides transferring passwords encrypted) is gone...
>
>If I let them try to guess my password several days there will be at
>least one intruder every month...
>
>Is this true that PublicKey auth isn't working? (I cannot believe it).


I think you missed the next statement in the file:

   However you can login to the user which has started sshd with
   RSA authentication anyway. If you want that, change the RSA
   authentication setting back to "yes":

     RSAAuthentication yes

But if that user is SYSTEM, then this is little consolation.  I can't speak
to any specifics but I can say that I agree with your interpretation of the 
prose, minus the one caveat above.  Perhaps you'll want to try playing with
this and debugging it to see if there's a solution for it that meets your 
needs.




Larry Hall                              lhall@rfk.com
RFK Partners, Inc.                      http://www.rfk.com
838 Washington Street                   (508) 893-9779 - RFK Office
Holliston, MA 01746                     (508) 893-9889 - FAX
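
Added example (not part of the original message or of the Cygwin openssh README): a small Python check that reads the four directives quoted above from sshd_config text and reports whether the file explicitly leaves password login as the only enabled method. The sample config is constructed, the function names are hypothetical, and the first-value-wins rule follows sshd_config(5).

```python
# Constructed sample: the four settings the README text quoted above recommends
# when sshd runs under the SYSTEM account.
SAMPLE_CONFIG = """\
# sshd running as SYSTEM (constructed sample)
PasswordAuthentication yes
RhostsAuthentication no
RhostsRSAAuthentication no
RSAAuthentication no
"""

# Only the directives named in the message are inspected.
WATCHED = ("passwordauthentication", "rhostsauthentication",
           "rhostsrsaauthentication", "rsaauthentication")


def effective_settings(text):
    """Return {keyword: value}; value is None when the keyword is never set."""
    found = dict.fromkeys(WATCHED)
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        # Keyword and argument are separated by whitespace or a single '='.
        parts = line.replace("=", " ", 1).split()
        if len(parts) < 2:
            continue
        key, value = parts[0].lower(), parts[1].lower()
        # Keywords are case-insensitive and the first value obtained is used.
        if key in found and found[key] is None:
            found[key] = value
    return found


def password_only(settings):
    """True when password auth is explicitly on and every other watched
    method is explicitly off. Unset keywords are not counted as 'no',
    because this example does not assume sshd's built-in defaults."""
    others = [k for k in WATCHED if k != "passwordauthentication"]
    return (settings["passwordauthentication"] == "yes"
            and all(settings[k] == "no" for k in others))


if __name__ == "__main__":
    settings = effective_settings(SAMPLE_CONFIG)
    for key in WATCHED:
        print(f"{key:26} {settings[key] or '(unset, sshd default applies)'}")
    print("password-only login:", password_only(settings))
```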

