I am having problems setting up sshd to run under a domain sshd_server account instead of a local sshd_server account.
Why do I want to do that? Because in the default install, starting a cygwin shell from the console gives me a much different environment and permissions than if I start a cygwin shell via ssh. For example, from a console shell on the Windows 2003 Server:

    $ echo $USER
    tschutter
    $ echo $USERNAME
    tschutter
    $ echo $HOSTNAME
    fdsvbld01sgrape
    $ echo $USERDOMAIN
    FLOODDATA
    $ id
    uid=18718(tschutter) gid=10513(Domain Users) groups=544(Administrators),545(Users),10513(Domain Users),18169(FDSV-GG-PrxBLD),22611(FDSV-GG-PrxPCAdmins)
    $ ls //other/f$
    Data RECYCLER System\ Volume\ Information

But when I log in via ssh:

    $ echo $USER
    tschutter
    $ echo $USERNAME
    sshd_server
    $ echo $HOSTNAME
    fdsvbld01sgrape
    $ echo $USERDOMAIN
    FDSVBLD01SGRAPE
    $ id
    uid=18718(tschutter) gid=10513(Domain Users) groups=545(Users),10513(Domain Users)
    $ ls //other/f$
    ls: cannot access //other/f$: Permission denied

The sshd server was set up using "ssh-host-config --yes".

So it appears that when I log in via ssh, I am logged in as a local user, not a domain user. Also, when logged in via ssh, I am not in the Administrators, FDSV-GG-PrxBLD, and FDSV-GG-PrxPCAdmins groups. As a side note, I would think that USERNAME being set to sshd_server is a bug.

It appears that the solution is to create a domain sshd_server account and run sshd as that user. So I created a domain account called "fdsv-sa-prx-sshdsrvr". I gave this account the required rights:

    $ editrights -a SeCreateTokenPrivilege -u fdsv-sa-prx-sshdsrvr
    $ editrights -a SeTcbPrivilege -u fdsv-sa-prx-sshdsrvr
    $ editrights -a SeDenyInteractiveLogonRight -u fdsv-sa-prx-sshdsrvr
    $ editrights -a SeDenyNetworkLogonRight -u fdsv-sa-prx-sshdsrvr
    $ editrights -a SeDenyRemoteInteractiveLogonRight -u fdsv-sa-prx-sshdsrvr
    $ editrights -a SeIncreaseQuotaPrivilege -u fdsv-sa-prx-sshdsrvr
    $ editrights -a SeServiceLogonRight -u fdsv-sa-prx-sshdsrvr

I added fdsv-sa-prx-sshdsrvr to the local "Administrators" group.
I changed the ownership of the /etc/ssh files and /var/empty:

    $ chown fdsv-sa-prx-sshdsrvr /etc/ssh* /var/empty

I changed the log on account for the "CYGWIN sshd" service to the fdsv-sa-prx-sshdsrvr account.

I then tried to start the service:

    $ net start sshd
    The CYGWIN sshd service is starting.
    The CYGWIN sshd service could not be started.
    The service did not report an error.
    More help is available by typing NET HELPMSG 3534.

The application event log has this error message:

    The description for Event ID ( 0 ) in Source ( sshd ) cannot be found. The local computer may not have the necessary registry information or message DLL files to display messages from a remote computer. You may be able to use the /AUXSOURCE= flag to retrieve this description; see Help and Support for details. The following information is part of the event: sshd: PID 2068: service `sshd' failed: signal 11 raised.

I have attached the output from "cygcheck -s -v -r" as grape-cygcheck.out.

So where do I go from here? What am I missing?

--
Tom Schutter
First American - Proxix Solutions
(512) 977-6822