X-Recipient:	archive-cygwin AT delorie DOT com
X-Spam-Check-By:	sourceware.org
Date:	Mon, 10 Nov 2008 15:48:15 +0100
From:	Corinna Vinschen <corinna-cygwin AT cygwin DOT com>
To:	cygwin AT cygwin DOT com
Subject:	Re: sshd on vista error "initgroups: Permission denied" (cygwin-1.7)
Message-ID:	<20081110144815.GD2884@calimero.vinschen.de>
Reply-To:	cygwin AT cygwin DOT com
Mail-Followup-To:	cygwin AT cygwin DOT com
References:	<38971 DOT 1226159091 AT maeder DOT org>
MIME-Version:	1.0
In-Reply-To:	<38971.1226159091@maeder.org>
User-Agent:	Mutt/1.5.16 (2007-06-09)
Mailing-List:	contact cygwin-help AT cygwin DOT com; run by ezmlm
List-Id:	<cygwin.cygwin.com>
List-Unsubscribe:	<mailto:cygwin-unsubscribe-archive-cygwin=delorie DOT com AT cygwin DOT com>
List-Subscribe:	<mailto:cygwin-subscribe AT cygwin DOT com>
List-Archive:	<http://sourceware.org/ml/cygwin/>
List-Post:	<mailto:cygwin AT cygwin DOT com>
List-Help:	<mailto:cygwin-help AT cygwin DOT com>, <http://sourceware.org/ml/#faqs>
Sender:	cygwin-owner AT cygwin DOT com
Mail-Followup-To:	cygwin AT cygwin DOT com
Delivered-To:	mailing list cygwin AT cygwin DOT com

[Chuck?  This affects csih and tcp_wrappers]

On Nov  8 07:44, Herb Maeder wrote:
> Running sshd (openssh 5.1p1-d57 or 5.1p1-7) on cygwin-1.7 and vista
> results in the following error:
> 
>         % ssh localhost pwd
>         herb AT localhost's password:
>         initgroups: Permission denied
> 
> I think this should be easily reproducible with a fresh installation of
> just cygwin 1.7 base + openssh running on a generic vista confiuration
> with UAC enabled.  
> 
> Can anyone confirm this?  If it is specific to my setup, I'll dig deeper
> and provide more information.

I can't reproduce this.  A permission denied in initgroups point to
insufficient privileges of the account running sshd.  Are you running
sshd with a local cyg_server account but trying to login with a domain
account?  Maybe there's a permission problem.

> For more details on reproducing this see this message (specifically item 7):
> 
>     http://www.cygwin.com/ml/cygwin/2008-10/msg00370.html
> 
> BTW, the following issues in that message also still exist in the 5.1p1-7
> release.  But they can be worked around more easily.

Concerning the above mail,

1. Yes, ssh-host-config has to be run elevated, as with all applications
   requiring actual admin privileges.  There's no way to elevate a child
   process running in the same console window.  Microsoft tweaked the
   ShellExecute() call in shell32.dll heavily to allow the UAC stuff,
   but neglected to allow applications using the CreateProcess() call to
   do the same.  ShellExecute is not an option to use in Cygwin processes.

2. That's fixed.

>   3. "ssh-host-config -y" still prompts for user input
>   4. Missing warning if cyg_server exists in /etc/passwd but not in SAM
>   6. error in setting cyg_server passwd expiry

These are csih issues.  Charles?  Can you have a look into that?

>   5. "ssh localhost pwd" gives 'ssh_exchange_identification' error (only if
>       tcp_wrapper package is installed)

Confirmed.

Have a look into the event viewer.  You'll find a error entry for sshd
along the lines of "/etc/hosts.allow, line x: host name/address mismatch:
127.0.0.1 != yourmachine.domain.toplevel.  This is, AFAIK, a result of
the PARANOID setting in

  ALL : PARANOID : deny

Charles?  This is your package.  Would it make sense to remove the
PARANOID setting from the default file or to turn around the order
of the two default rules?  


Corinna

-- 
Corinna Vinschen                  Please, send mails regarding Cygwin to
Cygwin Project Co-Leader          cygwin AT cygwin DOT com
Red Hat

--
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple
Problem reports:       http://cygwin.com/problems.html
Documentation:         http://cygwin.com/docs.html
FAQ:                   http://cygwin.com/faq/

- Raw text -