Date: Wed, 21 Jun 2006 17:49:58 +0200
From: Corinna Vinschen
To: cygwin AT cygwin DOT com
Subject: Re: ssh password-less cmds to Windows 2003 don't return any output
Message-ID: <20060621154958.GM29251@calimero.vinschen.de>

On Jun 21 08:29, Andrew DeFaria wrote:
> The change is necessary since W2K3 tightened up security and permissions
> on the Local System Account such that sshd would not be able to switch
> user if it used that account. Instead it offers to create a new account
> called sshd_server and bestow on it the required rights to switch user.
> (I've been wondering why not bestow those rights directly to the Local
> System Account? I mean it had them before... Obviously a security
> decision, probably a wise one).

You'll be surprised, but on 2K3 the SYSTEM account still has all the
rights it has on previous systems. The sad fact on 2K3 is that the
SYSTEM account gets revoked the SeCreateTokenName privilege
*unconditionally* as soon as a service is running under that account.
Unfortunately this is the privilege necessary to allow password-less
logins. Whatever you do to the SYSTEM account, you'll not have the
SeCreateTokenName privilege in any service started under this account.
This is a Microsoft design decision to raise security.

Alas, the cygwin mailing list is not the right place to discuss sense or
nonsense of this decision...

Corinna

-- 
Corinna Vinschen                  Please, send mails regarding Cygwin to
Cygwin Project Co-Leader          cygwin AT cygwin DOT com
Red Hat
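
A way to check the condition described in this message, as an added example that is not part of the original mail: the PowerShell function below parses `whoami /priv /fo csv /nh` output and reports whether a token holds the create-token privilege, which Windows lists as SeCreateTokenPrivilege (SE_CREATE_TOKEN_NAME in the SDK headers). The function name and the sample rows are constructed for illustration; the live check only describes the account and context it is run from.

```powershell
# Added example: does a process token carry SeCreateTokenPrivilege?
# Input is the CSV form of `whoami /priv`; Get-TokenPrivilegeState is a
# hypothetical helper name, not part of Cygwin or Windows.
function Get-TokenPrivilegeState {
    param(
        [Parameter(Mandatory)] [string[]] $CsvLines,  # whoami /priv /fo csv /nh
        [string] $Privilege = 'SeCreateTokenPrivilege'
    )
    # /nh drops the (localized) header row, so name the columns here.
    $rows = $CsvLines | ConvertFrom-Csv -Header Name, Description, State
    $row  = $rows | Where-Object { $_.Name -eq $Privilege } | Select-Object -First 1

    if (-not $row) {
        # Not listed at all: the privilege is absent from the token, so the
        # process cannot enable it, whatever rights the account was granted.
        return [pscustomobject]@{ Privilege = $Privilege; Present = $false; State = 'Absent' }
    }
    # Listed: State is whatever whoami printed (Enabled or Disabled).
    [pscustomobject]@{ Privilege = $Privilege; Present = $true; State = $row.State }
}

# Constructed sample rows (not captured from a real host): a token that
# holds other privileges but has no SeCreateTokenPrivilege entry.
$sample = @(
    '"SeAssignPrimaryTokenPrivilege","Replace a process level token","Disabled"',
    '"SeTcbPrivilege","Act as part of the operating system","Enabled"',
    '"SeChangeNotifyPrivilege","Bypass traverse checking","Enabled"'
)
Get-TokenPrivilegeState -CsvLines $sample          # Present = False, State = Absent

# A privilege that is listed but not enabled is still present in the token.
Get-TokenPrivilegeState -CsvLines $sample -Privilege 'SeAssignPrimaryTokenPrivilege'

# Live check of the current process token (Windows only).
if ($env:OS -eq 'Windows_NT') {
    Get-TokenPrivilegeState -CsvLines (whoami /priv /fo csv /nh)
}
```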