cygwin 3.0.1-1 breaks my sshd install
Corinna Vinschen
corinna-cygwin@cygwin.com
Thu Feb 21 11:43:00 GMT 2019
On Feb 20 23:43, Corinna Vinschen wrote:
> On Feb 20 23:36, Corinna Vinschen wrote:
> > On Feb 20 22:49, Houder wrote:
> > > On Wed, 20 Feb 2019 21:27:22, Andy Moreton wrote:
> > >
> > > > I've seen a similar failure, on a domain-joined Windows 10 box running
> > > > cygsshd using a local cyg_server user account. I've fixed it by:
> > > > 1) Open the "Computer Management" app
> > > > Select "Services and Applications", then "Services", and
> > > > choose the cygsshd service from the list.
> > > > 2) Stop the service
> > > > 3) Select the "Log On" tab, choose "Local System Account" and click OK.
> > > > 4) Restart the service.
> > > >
> > > > This changed the account reported by "cygrunsrv -VQ" from "./cyg_server"
> > > > to "LocalSystem".
> > >
> > > 64-@@ uname -a
> > > CYGWIN_NT-6.1 Seven 3.0.1(0.338/5/3) 2019-02-20 10:19 x86_64 Cygwin
> > >
> > > First I replaced cygwin1.dll again w/ the last version, as you can see ...
> > >
> > > Then I carried out your instruction ...
> > >
> > > To my surprise it did the trick! Thank you!
> > >
> > > Perhaps Corinna can give a hint of why the modification made the difference.
> >
> > Actually, I can't. I'm surprised, too, because it still runs
> > fine for me under the cyg_server account.
>
> Actually, maybe I can. On second thought there's a quite high
> probability that my AD cyg_server account I'm using for 10 years
> or longer, has not the same privileges as a cyg_server account
> created via ssh-host-config script. Maybe it works for me because
> of these extra permissions the account got during years of playing
> around with it.
>
> I guess I have to create another, local cyg_server account via
> ssh-host-config and try the same with that account.
>
> Not having much time tomorrow, but at least on Friday I should
> be able to test this.

I managed it today already but I'm somewhat stumped.

I ran ssh-host-config and let the script install a new local account
"test_server" to use for the sshd service. I started the service and
tried to login with a local account and it just worked out of the box.

However, when I tried to logon with a domain account, S4U failed since
the local account didn't have enough permissions or so. The call to
LsaLogonUser failed with STATUS_NOT_SUPPORTED. So with S4U sshd needs
to run under SYSTEM or a privileged domain account to allow domain
accounts to login.

But from my POV S4U is the way to go. I'm still a bit proud that I
managed to figure the "Create user token from scratch" method out back
in 2001, but I think it's really outdated now and should not be used
anymore. I'd hate having to enable it again generally.

Corinna

--
Corinna Vinschen
Cygwin Maintainer