<html lang="en-us" itemscope itemtype="http://schema.org/Article">
<meta name="description" content="I don't see how my tinkering with things could have messed up IPSEC. I did mess with the Local Computer Policies and Default Domain Policies attempting to add rights to the local user sons-sc-cc\sshd_server. I'm not sure how this affects...">
<meta name="generator" content="Movable Type 5.2.3">
<title>More woes with 2003 Server and sshd - Status</title>
<link rel="alternate" type="application/atom+xml" title="Recent Entries" href="http://defaria.com/blogs/Status/atom.xml">
<link rel="canonical" href="http://defaria.com/blogs/Status/2006/05/more-woes-with.html">
<meta name="viewport" content="width=device-width,initial-scale=1">
<link rel="stylesheet" href="http://defaria.com/blogs/Status/styles.css">
<link rel="stylesheet" href="http://defaria.com/blogs/Status/styles_ie.css">
<link rel="start" href="http://defaria.com/blogs/Status/">
<link rel="prev" href="http://defaria.com/blogs/Status/2006/05/sonssccc-cronta.html" title="sons-sc-cc crontab and checking in files">
<link rel="next" href="http://defaria.com/blogs/Status/2006/05/osaka-builds-on.html" title="Osaka Builds on Windows">
<!-- Open Graph Protocol -->
<meta property="og:type" content="article">
<meta property="og:locale" content="en-us">
<meta property="og:title" content="More woes with 2003 Server and sshd">
<meta property="og:url" content="http://defaria.com/blogs/Status/2006/05/more-woes-with.html">
<meta property="og:description" content="I don't see how my tinkering with things could have messed up IPSEC. I did mess with the Local Computer Policies and Default Domain Policies attempting to add rights to the local user sons-sc-cc\sshd_server. I'm not sure how this affects...">
<meta property="og:site_name" content="Status">
<meta property="og:image" content="/mt/mt-static/support/theme_static/rainier/img/siteicon-sample.png">
<meta itemprop="description" content="I don't see how my tinkering with things could have messed up IPSEC. I did mess with the Local Computer Policies and Default Domain Policies attempting to add rights to the local user sons-sc-cc\sshd_server. I'm not sure how this affects...">
<link itemprop="url" href="http://defaria.com/blogs/Status/2006/05/more-woes-with.html">
<link itemprop="image" href="/mt/mt-static/support/theme_static/rainier/img/siteicon-sample.png">
<div id="container-inner">
<header id="header" role="banner">
<div id="header-inner">
<div id="header-content">
<a href="http://defaria.com/blogs/Status/">
<div id="content-inner">
<div id="individual-main" class="main" role="main">
<article id="entry-1815" class="entry entry-asset asset hentry">
<div class="asset-header">
<h2 itemprop="name" class="asset-name entry-title">More woes with 2003 Server and sshd</h2>
<footer class="asset-meta">
<ul class="asset-meta-list">
<li class="asset-meta-list-item">Posted on <time datetime="2006-05-22T22:28:33-08:00" itemprop="datePublished">May 22, 2006</time></li>
<li class="asset-meta-list-item">by <span class="author entry-author vcard"></span></li>
<li class="asset-meta-list-item">in <a itemprop="articleSection" rel="tag" href="http://defaria.com/blogs/Status/salira/">Salira</a></li>
<div class="entry-content asset-content" itemprop="articleBody">
<p>I don't see how my tinkering with things could have messed up IPSEC. I did mess with the Local Computer Policies and Default Domain Policies while attempting to add rights to the local user sons-sc-cc\sshd_server, but I'm not sure how that affects IPSEC. This user is used by the sshd and inetd Cygwin services. Since these services need to "switch user" to the user ssh'ing or rsh'ing in, they need some elevated rights. Prior to 2003 Server the Local System Account (known as SYSTEM in Cygwin) had enough rights to do this, but with 2003 Server Microsoft reduced the rights that the Local System Account has. Cygwin's answer is to create a new user, sshd_server, assign it the rights needed to switch user, and use that user only for Cygwin services. In fact there is a script, /bin/ssh-host-config, which creates a local sshd_server user for you (and also sets up the host's ssh key and adds a service for sshd). However, even after running that script ssh was not working.</p>
<p>The inetd service, which is the <i>super server</i> that provides services like rsh, telnet, ftp, etc., also needs to switch user, and so does cron. The service runs as an executable under some user's credentials (normally the SYSTEM user) and needs to become the requesting user. So I was trying to run these services as the local sshd_server user, which ssh-host-config creates and grants the rights needed to switch user.</p>
<p>Since I was having trouble, I removed the locally created sshd_server user and had the ssh-host-config script recreate it. At one point I decided to run mmc, add the Group Policy snap-in, go to Local Computer Policy: Computer Configuration: Windows Settings: Local Policies: User Rights Assignment, and make sure that the local sshd_server user had the following rights:</p>
<ul>
<li>Create a token object</li>
<li>Logon as a service</li>
<li>Replace a process level token</li>
<li>Increase Quota</li>
</ul>
<p>One time, when adding the Group Policy Object Editor, I decided to click on the Browse button and saw a Default Domain Policy, and thought perhaps something in there was overriding the Local Computer Policy. So I added that too and again made sure that sons-sc-cc\sshd_server had the above rights. I have put a copy of this mmc policies console under C:\Polcies.msc in case Ron wants to look at it. I notice a number of SIDs in there, probably from my past creations and recreations of sons-sc-cc\sshd_server.</p>
<p>As I don't know what Ron did to get sons-sc-cc running again, and as I see the local sshd_server as having only the deny network logon right, I don't want to mess with anything. Right now rsh is still broken: inetd cannot switch user because it runs as the sshd_server user and that user doesn't have enough rights.</p>
<p>Here's an excerpt from /usr/share/doc/Cygwin/openssh.README:</p>
<h3>Important note for Windows 2003 Server users:</h3>
<p>2003 Server has a funny new feature. When starting services under SYSTEM account, these services have nearly all user rights which SYSTEM holds... except for the "Create a token object" right, which is needed to allow public key authentication :-(</p>
<p>There's no way around this, except for creating a substitute account which has the appropriate privileges. Basically, this account should be a member of the administrators group, plus it should have the following user rights:</p>
<ul>
<li>Create a token object</li>
<li>Logon as a service</li>
<li>Replace a process level token</li>
<li>Increase Quota</li>
</ul>
<p>The ssh-host-config script asks you if it should create such an account, called "sshd_server". If you say "no" here, you're on your own. Please follow the instructions in ssh-host-config exactly if possible. Note that ssh-user-config sets the permissions on 2003 Server machines dependent on whether a sshd_server account exists or not.</p>
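<p>The check a practitioner would want at this point, as an added example that is not code from the post or from Cygwin's ssh-host-config: a small POSIX shell script that reads a <code>secedit /export</code> of the machine's security policy and reports which of the four rights from the excerpt above the sshd_server account is missing, plus any SeDeny* right that names it (the "deny network logon" symptom described earlier). The sample export, the account name and the file names are constructed; the privilege constants are the standard secedit names for the four GUI labels (Create a token object = SeCreateTokenPrivilege, Logon as a service = SeServiceLogonRight, Replace a process level token = SeAssignPrimaryTokenPrivilege, Increase Quota = SeIncreaseQuotaPrivilege). Because the export reflects the policy currently applied to the machine, it also shows the effect of a domain policy that has overwritten the local assignments, which is what the post suspects.</p>

```shell
#!/bin/sh
# Added example (not from the post or the Cygwin project): audit the User Rights
# Assignment an account actually holds, from a secedit export instead of the mmc GUI.
# Real usage on the 2003 box, from a Cygwin shell with admin rights (secedit writes
# UTF-16, so convert before parsing):
#   secedit /export /cfg rights.inf && iconv -f UTF-16 -t UTF-8 rights.inf > rights.txt
#   missing_rights sshd_server "$(cat rights.txt)"
#   deny_rights    sshd_server "$(cat rights.txt)"
#
# SAMPLE_INF is a constructed stand-in for that export (not a real machine's policy):
# sshd_server holds three of the four rights, lacks "Create a token object", and is
# on the deny-network-logon list.
SAMPLE_INF='[Unicode]
Unicode=yes
[Privilege Rights]
SeCreateTokenPrivilege = *S-1-5-32-544
SeServiceLogonRight = *S-1-5-80-0,sshd_server
SeAssignPrimaryTokenPrivilege = *S-1-5-19,*S-1-5-20,sshd_server
SeIncreaseQuotaPrivilege = *S-1-5-19,*S-1-5-20,*S-1-5-32-544,sshd_server
SeDenyNetworkLogonRight = sshd_server
[Version]
signature="$CHICAGO$"
Revision=1'

# The four rights openssh.README requires for the substitute account, as the
# constant names secedit uses. GUI labels, in order: Create a token object,
# Logon as a service, Replace a process level token, Increase Quota.
REQUIRED_RIGHTS='SeCreateTokenPrivilege SeServiceLogonRight SeAssignPrimaryTokenPrivilege SeIncreaseQuotaPrivilege'

# holders RIGHT INF -> prints RIGHT's comma-separated holder list from the
# [Privilege Rights] section, or nothing if the right is not assigned to anyone.
holders() {
    printf '%s\n' "$2" | awk -v right="$1" '
        { sub(/\r$/, "") }                                  # tolerate CRLF exports
        /^\[/ { in_section = ($0 == "[Privilege Rights]"); next }
        in_section {
            split($0, kv, "=")
            gsub(/[ \t]/, "", kv[1])
            if (kv[1] == right) { gsub(/[ \t]/, "", kv[2]); print kv[2] }
        }'
}

# has_right ACCOUNT RIGHT INF -> succeeds if ACCOUNT (matched by name, not SID)
# appears in RIGHT's holder list.
has_right() {
    holders "$2" "$3" | tr ',' '\n' | grep -qx -- "$1"
}

# missing_rights ACCOUNT INF -> prints each required right ACCOUNT does not hold.
missing_rights() {
    for r in $REQUIRED_RIGHTS; do
        if ! has_right "$1" "$r" "$2"; then
            printf '%s\n' "$r"
        fi
    done
}

# deny_rights ACCOUNT INF -> prints each SeDeny* right that names ACCOUNT; a deny
# right wins over the matching allow right, so any hit explains a logon failure.
deny_rights() {
    printf '%s\n' "$2" | awk '
        { sub(/\r$/, "") }
        /^\[/ { in_section = ($0 == "[Privilege Rights]"); next }
        in_section && /^SeDeny/ { split($0, kv, "="); gsub(/[ \t]/, "", kv[1]); print kv[1] }' |
    while read -r d; do
        if has_right "$1" "$d" "$2"; then
            printf '%s\n' "$d"
        fi
    done
}

# Stand-alone run against the constructed sample.
echo "Missing rights for sshd_server:"
missing_rights sshd_server "$SAMPLE_INF"
echo "Deny rights naming sshd_server:"
deny_rights sshd_server "$SAMPLE_INF"
```

<p>Matching is by account name only: secedit writes accounts it can resolve by name and everything else as <code>*SID</code>, so after an account has been deleted and recreated (as in the post) the old SIDs linger in the lists while the recreated account is absent from them and must be granted the rights again. Any SeDeny* entry naming the account takes precedence over the corresponding allow right, which is why the "only deny network logon" observation above is worth checking before touching the four grants.</p>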
<footer id="footer" role="contentinfo">
<div id="footer-inner">
<div id="footer-content">
<p class="license">© Copyright 2016.</p>
<p class="poweredby">Powered by <a href="http://www.movabletype.org/">Movable Type</a></p>