Friday, December 1, 2017

More woes with 2003 Server and sshd

I don't see how my tinkering with things could have messed up IPSEC. I did mess with the Local Computer Policies and Default Domain Policies attempting to add rights to the local user sons-sc-cc\sshd_server. I'm not sure how this affects IPSEC. This user is used by the sshd and inetd Cygwin services. Since these services need to "switch user" to the user ssh'ing or rsh'ing, they need some elevated rights. Prior to 2003 Server the Local System Account (known as SYSTEM in Cygwin) had enough rights to do this. But with 2003 Server Microsoft lessened the rights that the Local System Account has. Cygwin's answer to this is to create a new user ID, sshd_server, and assign it the necessary rights to be able to switch user. Then this user would only be used for Cygwin services. In fact they have a script, /bin/ssh-host-config, which creates a local sshd_server user for you (as well as setting up the host's ssh key and adding a service for sshd). However, even after running that script ssh was not working.

The inetd service, which is the super server, provides services like rsh, telnet, ftp, etc. that also need to switch user. Similarly with cron. You see, the service is running as an executable under some user's credentials (normally the SYSTEM user) and needs to become the requesting user. So I was trying to run these services by using the local sshd_server user that ssh-host-config creates and adds the necessary rights to switch user.

Since I was having troubles I was removing the locally created sshd_server user and having the ssh-host-config script recreate it. At one time I decided to run mmc and add the Group Policy snap-in, then go under Local Computer Policy: Computer Configuration: Windows Settings: Local Policies: User Rights Assignment and make sure that the local sshd_server user had the following rights:
  1. Create a token object
  2. Logon as a service
  3. Replace a process level token
  4. Increase Quota
One time, when adding the Group Policy Object Editor, I decided to click on the Browse button and saw a Default Domain Policy and thought perhaps there was something in there overriding the Local Computer Policy. So I added that and again I made sure that sons-sc-cc\sshd_server had the above rights. I have put a copy of this mmc policies thing under C:\Polcies.msc in case Ron wants to look at it. I notice a number of SIDs in there, probably from my past creations and recreations of sons-sc-cc\sshd_server.

As I don't know what Ron did to get sons-sc-cc running again, and as I see the local sshd_server as having only the deny network login right, I don't want to mess with anything. Right now rsh is still broken as inetd cannot switch user, since it's using the sshd_server user and that user doesn't have enough rights.

Here's an excerpt from /usr/share/doc/Cygwin/openssh.README:

Important note for Windows 2003 Server users:

2003 Server has a funny new feature. When starting services under SYSTEM account, these services have nearly all user rights which SYSTEM holds... except for the "Create a token object" right, which is needed to allow public key authentication :-( 
There's no way around this, except for creating a substitute account which has the appropriate privileges. Basically, this account should be member of the administrators group, plus it should have the following user rights:
  1. Create a token object
  2. Logon as a service
  3. Replace a process level token
  4. Increase Quota
The ssh-host-config script asks you, if it should create such an account, called "sshd_server". If you say "no" here, you're on your own. Please follow the instruction in ssh-host-config exactly if possible. Note that ssh-user-config sets the permissions on 2003 Server machines dependent of whether a sshd_server account exists or not.
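
As an added example (not from the original post or the Cygwin documentation), the Python below checks the text of a `secedit /export /cfg rights.inf /areas USER_RIGHTS` dump for the four rights the README lists, reports whether the account holds the deny-network-logon right, and lists raw account SIDs such as those left behind by deleted and recreated accounts. The sample export, the SID in it and the function names are constructed for illustration.

```python
# Added example: audit the text of "secedit /export /cfg rights.inf /areas USER_RIGHTS".
# Real exports are UTF-16; read them with open(path, encoding="utf-16").
REQUIRED = {  # privilege constant -> name used in the README excerpt
    "SeCreateTokenPrivilege": "Create a token object",
    "SeServiceLogonRight": "Logon as a service",
    "SeAssignPrimaryTokenPrivilege": "Replace a process level token",
    "SeIncreaseQuotaPrivilege": "Increase Quota",
}
DENY = "SeDenyNetworkLogonRight"  # "Deny access to this computer from the network"

def parse_rights(text):
    """Return {right: [principal, ...]} from the [Privilege Rights] section."""
    rights, in_section = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            in_section = line.lower() == "[privilege rights]"
        elif in_section and "=" in line:
            name, _, value = line.partition("=")
            rights[name.strip()] = [p.strip() for p in value.split(",") if p.strip()]
    return rights

def audit(text, account, account_sid=None):
    """Report which required rights `account` lacks in the exported policy."""
    rights = parse_rights(text)
    ids = {account.lower()}
    if account_sid:  # secedit may write the account as *SID instead of by name
        ids.add("*" + account_sid.lower())

    def held(right):  # match "name", "HOST\name" or "*SID"
        return any(p.lower().split("\\")[-1] in ids for p in rights.get(right, []))

    # Assumption: raw S-1-5-21-* entries on these rights deserve review, since
    # deleted accounts stay in the policy as SIDs that no longer resolve.
    raw = sorted({p for r in REQUIRED for p in rights.get(r, [])
                  if p.upper().startswith("*S-1-5-21-") and p.lower() not in ids})
    missing = [label for r, label in REQUIRED.items() if not held(r)]
    return {"missing": missing, "denied_network": held(DENY), "raw_account_sids": raw}

SAMPLE = """[Unicode]
Unicode=yes
[Privilege Rights]
SeCreateTokenPrivilege = *S-1-5-21-1111111111-2222222222-3333333333-1013
SeServiceLogonRight = *S-1-5-20,sshd_server
SeAssignPrimaryTokenPrivilege = *S-1-5-19,*S-1-5-20,sshd_server
SeIncreaseQuotaPrivilege = *S-1-5-19,*S-1-5-20,*S-1-5-32-544
SeDenyNetworkLogonRight = sshd_server
"""  # constructed sample, not taken from the machine in this post

if __name__ == "__main__":
    print(audit(SAMPLE, "sshd_server"))
```

Passing the account's current SID as the third argument separates entries that belong to the live account from entries left over from earlier incarnations.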
