session user ID error when ssh in terms of public-key exchange

Larry Hall (Cygwin) reply-to-list-only-lh@cygwin.com
Sun Oct 14 23:00:00 GMT 2007


Chen Yue wrote:
> Greetings
> 
> I am a newbie in cygwin. Now I am about to set up an sshd environment on a
> windows2003 server in a project. But there is a weird phenomenon blocking my
> task.
> 
> I set up a local account named sshd_server in the administrators group and
> granted “Create a token object”, “Log on as a service” and “replace a process
> level token” to sshd_server in Local Security Settings. The service sshd is
> started by ID of sshd_server.
> Two users: userA and userB are domain users who are supposed to be able to
> log on the server in terms of ssh. I have set up their profiles in
> /etc/passwd and /etc/group. In the purpose of convenience, they copy their
> public-key to their home dir so that they need not input passwd when
> logging on.
> 
> All above work OK for me.
> 
> My issue is when the two users log on in terms of inputting passwd, they can
> create files in a shared dir and the file owner is correct. ‘net session’
> command shows the correct user ID of the session. However, when they log on
> in terms of public-key exchanging, the files they created in shared dir are
> owned by “sshd_server”!!  (The files created locally are correct though).
> And the “net session” command shows it is sshd_server but not userA or userB
> that have logged on the server.
> 
> I am so puzzled about what the difference is between the two ways to log on.
> Did anyone encounter this ever before?


This is a known issue that has been talked about at great length in the
email archives.  It is a limitation of Windows and won't be remedied in
the Cygwin 1.5.x series.  The difference is that when you log in with your
password, you are authenticated through Windows.  So Windows knows who you
are.  With pubkey authentication, you're not.  So Windows thinks you're
the user that runs the 'sshd' service.


-- 
Larry Hall                              http://www.rfk.com
RFK Partners, Inc.                      (508) 893-9779 - RFK Office
216 Dalton Rd.                          (508) 893-9889 - FAX
Holliston, MA 01746

_____________________________________________________________________

A: Yes.
 > Q: Are you sure?
 >> A: Because it reverses the logical flow of conversation.
 >>> Q: Why is top posting annoying in email?
