Recent Posts
Recent Comments
Popular Articles
About Me
Posted by Ankur Shah in I’ve been having a hard time getting sshd to accept logins on a Windows 7 x64 box. The problems ranged from the error mentioned in the subject line (“/bin/bash: permission denied” appearing during logins) to silent failures during password authentication, during which the ssh
connection would simply be closed by the instance of Cygwin sshd running on my machine.
As it turns out, all my problems were caused by the fact that the sshd_server user being created by the ssh-host-config script was not being given all the required privileges. I’m not sure why, but I found an online description of the rights required by sshd_server and used the
“editrights” utility to grant them. I then deleted my ~/.ssh directory (definitively to erase the known_hosts file), restarted sshd, and everything began to work perfectly.
Unfortunately, I neglected to record which privileges had been granted to the sshd_server user on my system before I started granting additional ones, but as far as I remember sshd_server only had 2 or so of the 8 privileges granted.
In case the information helps anyone else, here is a list of the privileges that the sshd_server user appears to need:
SeIncreaseQuotaPrivilege
SeTcbPrivilege
SeAssignPrimaryTokenPrivilege
SeCreateTokenPrivilege
SeServiceLogonRight
SeDenyInteractiveLogonRight
SeDenyNetworkLogonRight
SeDenyRemoteInteractiveLogonRight
To determine which privileges sshd_server has on your system, use this
command:
editrights -u sshd_server -l
And here are the commands necessary to grant the above privileges to
sshd_server:
editrights -a SeTcbPrivilege -u sshd_server
editrights -a SeAssignPrimaryTokenPrivilege -u sshd_server
editrights -a SeCreateTokenPrivilege -u sshd_server
editrights -a SeDenyInteractiveLogonRight -u sshd_server
editrights -a SeDenyNetworkLogonRight -u sshd_server
editrights -a SeDenyRemoteInteractiveLogonRight -u sshd_server
editrights -a SeIncreaseQuotaPrivilege -u sshd_server
editrights -a SeServiceLogonRight -u sshd_server
very well information you write it very
clean. I’m very lucky to get this information from you.
Thanks Ankur. Great article!
Btw, the list of privileges that the sshd_server user needs is defined in:
/usr/share/csih/cygwin-service-installation-helper.sh
The above script is called by the install script for sshd: ssh-host-config
I believe the privileges are only required if sshd is configured to use “privilege separation”, though it is most likely less secure to run sshd without “privilege separation”.
In our case, we suspect that some of the required privileges on the sshd_server user were being deleted periodically, perhaps by some “helpful” security auditing software, which is quite likely as we’re in a large corporate environment
Cheers,
Nick
Actually, I just confirmed, a privileged user *is* created, even when “privilege separation” is used for sshd.
Cheers,
Nick
Correction to my post above (dated June 25th, 2010 at 2:10pm):
A privileged user is created by ssh-host-config, regardless of whether the answer to the “privilege separation” question is “yes” or “no”.
Cheers,
Nick
@Ankur Shah: I experienced the same problem several times by now. For me it seems as if the sshd-host-config script isn’t able to set these privileges correctly on Domain Controllers. After I used the editrights commands above I was able to render sshd usable on all trouble-machines.
@Nicholas Fone: YES – the privileges may be overwritten by group policies pushed from the each Domain Controller. This mustn’t be caused by auditing software. Just check back with the Microsoft Infrastructure Admins of your company – they could even setup a domain user account to be used with the local sshd-installs for you (easier managemen: only one user for all sshd-installs instead of one local account on each sshd-enabled machine).