Corinna Vinschen wrote: >> I was seeing errors in the system event log, but unfortunately I'm not >> very experienced with Windows security, so I wasn't understanding what I >> was seeing. > > When you set up a server it makes a lot of sense trying to understand > Windows security. Besides of books, I would suggest to have a look > into the MSDN library. For instance, a description of the privileges > is given here: http://msdn2.microsoft.com/en-us/library/bb530716.aspx
Thanks for the pointer. I'm much more familiar with Linux/UNIX security than I am with Windows security, so the more I can learn the better. >> As it turns out, all my problems were caused by the fact that the >> sshd_server user being created by the ssh-host-config script was not >> being given all the required privileges. > > This is weird. The ssh-host-config script usually makes sure that > the sshd_server user got all required privileges. See the script > at line 517ff. I'm not at work right now, and unfortunately I can't access the gmane news server from work, but I'll check out the script. I agree it's weird; perhaps it's due to either the 64-bitness of the OS, or the fact that the OS is (as far as I know) based on the server version of Windows XP .... >> I'm not sure why, but I found >> an online description of the rights required by sshd_server and used the >> "editrights" utility to grant them. > > You really wouldn't have needed an online description. The script > contains all of them ;) Yep, I should have looked at the script, but I was trying to find possible fixes using Google searches and happened across a website that listed them, so I used that. If I get the chance, I'll delete the sshd_server user from that system and re-run the ssh-host-config script to see what privileges it assigns to sshd_server. >> In case the information helps anyone else, here is a list of the >> privileges that the sshd_server user appears to need: >> >> SeIncreaseQuotaPrivilege >> SeTcbPrivilege >> SeAssignPrimaryTokenPrivilege >> SeCreateTokenPrivilege >> SeServiceLogonRight >> SeDenyInteractiveLogonRight >> SeDenyNetworkLogonRight >> SeDenyRemoteInteractiveLogonRight >> >> To determine which privileges sshd_server has on your system, use this >> command: >> >> editrights -u sshd_server -l >> >> And here are the commands necessary to grant the above privileges to >> sshd_server: >> [...] > > As I said, see /bin/ssh-host-config, lines 517ff. The Deny-"rights" are > obviously not necessary. They are just used to secure the account > against malusage. That makes sense. Thanks again for taking the time to read and respond. -B -- Unsubscribe info: http://cygwin.com/ml/#unsubscribe-simple Problem reports: http://cygwin.com/problems.html Documentation: http://cygwin.com/docs.html FAQ: http://cygwin.com/faq/
