Comments on: SOLVED: SSHD “/bin/bash:permission denied” on Windows 7 http://www.ankurshah.net/blog/2009/10/solved-sshd-binbashpermission-denied-on-windows-7/ A place where Ankur posts random thoughts, mostly personal and technology related. Fri, 14 Oct 2011 16:15:48 +0000 http://wordpress.org/?v=2.9.2 hourly 1 By: philmill http://www.ankurshah.net/blog/2009/10/solved-sshd-binbashpermission-denied-on-windows-7/comment-page-1/#comment-90235 philmill Tue, 06 Sep 2011 16:01:35 +0000 http://www.ankurshah.net/blog/?p=166#comment-90235 **I put the wrong UR on: SeAssignPrimaryTokenPrivilege -> UR:Impersonate a client after auth It should be: SeAssignPrimaryTokenPrivilege -> UR:Replace a process level token (UR:Impersonate a client after auth -> SeImpersonatePrivilege) Sorry about that. **I put the wrong UR on:
SeAssignPrimaryTokenPrivilege -> UR:Impersonate a client after auth

It should be:
SeAssignPrimaryTokenPrivilege -> UR:Replace a process level token

(UR:Impersonate a client after auth -> SeImpersonatePrivilege)

Sorry about that.

]]> By: PhilMill http://www.ankurshah.net/blog/2009/10/solved-sshd-binbashpermission-denied-on-windows-7/comment-page-1/#comment-89827 PhilMill Fri, 02 Sep 2011 19:59:04 +0000 http://www.ankurshah.net/blog/?p=166#comment-89827 Thank you so much for this entry. I would have never figured this one out. Had to map these permissions over to Group Policy, and figured others might need to know the mappings. All setting are in Local Security Settings -> Local Policies -> User Rights (UR): SeTcbPrivilege -> UR:Act as part of OS SeAssignPrimaryTokenPrivilege -> UR:Impersonate a client after auth SeCreateTokenPrivilege -> UR:Create a token object SeDenyInteractiveLogonRight -> UR:Deny log on locally SeDenyNetworkLogonRight -> UR:Deny Access to this computer from the network SeDenyRemoteInteractiveLogonRight -> Deny login through TS SeIncreaseQuotaPrivilege -> UR:Adjust memory quotas for a process SeServiceLogonRight -> UR:Log on as a service Cheers, Phil Thank you so much for this entry. I would have never figured this one out.

Had to map these permissions over to Group Policy, and figured others might need to know the mappings.
All setting are in Local Security Settings -> Local Policies -> User Rights (UR):

SeTcbPrivilege -> UR:Act as part of OS
SeAssignPrimaryTokenPrivilege -> UR:Impersonate a client after auth
SeCreateTokenPrivilege -> UR:Create a token object
SeDenyInteractiveLogonRight -> UR:Deny log on locally
SeDenyNetworkLogonRight -> UR:Deny Access to this computer from the network
SeDenyRemoteInteractiveLogonRight -> Deny login through TS
SeIncreaseQuotaPrivilege -> UR:Adjust memory quotas for a process
SeServiceLogonRight -> UR:Log on as a service

Cheers,
Phil

]]> By: BellsTheorem http://www.ankurshah.net/blog/2009/10/solved-sshd-binbashpermission-denied-on-windows-7/comment-page-1/#comment-86890 BellsTheorem Sun, 07 Aug 2011 23:11:57 +0000 http://www.ankurshah.net/blog/?p=166#comment-86890 Also, add sshd to administrators group in windows user management. Also, add sshd to administrators group in windows user management.

]]> By: BellsTheorem http://www.ankurshah.net/blog/2009/10/solved-sshd-binbashpermission-denied-on-windows-7/comment-page-1/#comment-86889 BellsTheorem Sun, 07 Aug 2011 23:01:52 +0000 http://www.ankurshah.net/blog/?p=166#comment-86889 Thanks so much!!!! Here's how i got sshd working on win7. (i am using username sshd rather than sshd_server) I started with http://pigtail.net/LRP/printsrv/cygwin-sshd.html and then chown sshd /etc/ssh* chown sshd /var/empty After running ssh-host-config , i had to open up Computer Manager / local user and groups and select properties for the sshd user and untick "disabled" and tick "password never expires" After all that, i was getting the /bin/bash: Permission denied problem and found your page and run the following and then it all worked !! editrights -a SeTcbPrivilege -u sshd editrights -a SeAssignPrimaryTokenPrivilege -u sshd editrights -a SeCreateTokenPrivilege -u sshd editrights -a SeDenyInteractiveLogonRight -u sshd editrights -a SeDenyNetworkLogonRight -u sshd editrights -a SeDenyRemoteInteractiveLogonRight -u sshd editrights -a SeIncreaseQuotaPrivilege -u sshd editrights -a SeServiceLogonRight -u sshd I would have never figured that out! Thanks so much!!!!
Here’s how i got sshd working on win7. (i am using username sshd rather than sshd_server)
I started with http://pigtail.net/LRP/printsrv/cygwin-sshd.html
and then
chown sshd /etc/ssh*
chown sshd /var/empty

After running ssh-host-config , i had to open up Computer Manager / local user and groups and select properties for the sshd user and untick “disabled” and tick “password never expires”

After all that, i was getting the /bin/bash: Permission denied problem and found your page and run the following and then it all worked !!

editrights -a SeTcbPrivilege -u sshd
editrights -a SeAssignPrimaryTokenPrivilege -u sshd
editrights -a SeCreateTokenPrivilege -u sshd
editrights -a SeDenyInteractiveLogonRight -u sshd
editrights -a SeDenyNetworkLogonRight -u sshd
editrights -a SeDenyRemoteInteractiveLogonRight -u sshd
editrights -a SeIncreaseQuotaPrivilege -u sshd
editrights -a SeServiceLogonRight -u sshd

I would have never figured that out!

]]> By: Mike http://www.ankurshah.net/blog/2009/10/solved-sshd-binbashpermission-denied-on-windows-7/comment-page-1/#comment-57309 Mike Fri, 13 Aug 2010 08:59:04 +0000 http://www.ankurshah.net/blog/?p=166#comment-57309 @Ankur Shah: I experienced the same problem several times by now. For me it seems as if the sshd-host-config script isn't able to set these privileges correctly on Domain Controllers. After I used the editrights commands above I was able to render sshd usable on all trouble-machines. @Nicholas Fone: YES - the privileges may be overwritten by group policies pushed from the each Domain Controller. This mustn't be caused by auditing software. Just check back with the Microsoft Infrastructure Admins of your company - they could even setup a domain user account to be used with the local sshd-installs for you (easier managemen: only one user for all sshd-installs instead of one local account on each sshd-enabled machine). @Ankur Shah: I experienced the same problem several times by now. For me it seems as if the sshd-host-config script isn’t able to set these privileges correctly on Domain Controllers. After I used the editrights commands above I was able to render sshd usable on all trouble-machines.

@Nicholas Fone: YES – the privileges may be overwritten by group policies pushed from the each Domain Controller. This mustn’t be caused by auditing software. Just check back with the Microsoft Infrastructure Admins of your company – they could even setup a domain user account to be used with the local sshd-installs for you (easier managemen: only one user for all sshd-installs instead of one local account on each sshd-enabled machine).

]]> By: Nicholas Fone http://www.ankurshah.net/blog/2009/10/solved-sshd-binbashpermission-denied-on-windows-7/comment-page-1/#comment-55154 Nicholas Fone Wed, 07 Jul 2010 15:55:04 +0000 http://www.ankurshah.net/blog/?p=166#comment-55154 Correction to my post above (dated June 25th, 2010 at 2:10pm): A privileged user is created by ssh-host-config, regardless of whether the answer to the "privilege separation" question is "yes" or "no". Cheers, Nick Correction to my post above (dated June 25th, 2010 at 2:10pm):

A privileged user is created by ssh-host-config, regardless of whether the answer to the “privilege separation” question is “yes” or “no”.

Cheers,
Nick

]]> By: Nicholas Fone http://www.ankurshah.net/blog/2009/10/solved-sshd-binbashpermission-denied-on-windows-7/comment-page-1/#comment-54657 Nicholas Fone Fri, 25 Jun 2010 18:10:47 +0000 http://www.ankurshah.net/blog/?p=166#comment-54657 Actually, I just confirmed, a privileged user *is* created, even when "privilege separation" is used for sshd. Cheers, Nick Actually, I just confirmed, a privileged user *is* created, even when “privilege separation” is used for sshd.

Cheers,
Nick

]]> By: Nicholas Fone http://www.ankurshah.net/blog/2009/10/solved-sshd-binbashpermission-denied-on-windows-7/comment-page-1/#comment-54656 Nicholas Fone Fri, 25 Jun 2010 17:46:48 +0000 http://www.ankurshah.net/blog/?p=166#comment-54656 Thanks Ankur. Great article! Btw, the list of privileges that the sshd_server user needs is defined in: /usr/share/csih/cygwin-service-installation-helper.sh The above script is called by the install script for sshd: ssh-host-config I believe the privileges are only required if sshd is configured to use "privilege separation", though it is most likely less secure to run sshd without "privilege separation". In our case, we suspect that some of the required privileges on the sshd_server user were being deleted periodically, perhaps by some "helpful" security auditing software, which is quite likely as we're in a large corporate environment :) Cheers, Nick Thanks Ankur. Great article!

Btw, the list of privileges that the sshd_server user needs is defined in:
/usr/share/csih/cygwin-service-installation-helper.sh

The above script is called by the install script for sshd: ssh-host-config

I believe the privileges are only required if sshd is configured to use “privilege separation”, though it is most likely less secure to run sshd without “privilege separation”.

In our case, we suspect that some of the required privileges on the sshd_server user were being deleted periodically, perhaps by some “helpful” security auditing software, which is quite likely as we’re in a large corporate environment :)

Cheers,
Nick

]]> By: Selinsa http://www.ankurshah.net/blog/2009/10/solved-sshd-binbashpermission-denied-on-windows-7/comment-page-1/#comment-52698 Selinsa Wed, 12 May 2010 20:21:00 +0000 http://www.ankurshah.net/blog/?p=166#comment-52698 very well information you write it very clean. I'm very lucky to get this information from you. very well information you write it very

clean. I’m very lucky to get this information from you.

]]>