This is the mail archive of the mailing list for the Cygwin project.

Re: shell under sshd fail to fork child process

Disclaimer: I am not an ssh expert by any means.  But, I have read enough
ssh related list traffic to know that the following is not supported.

On Thu, 11 Dec 2003, Matthew McGillis wrote:
> Brian Ford wrote:
> >Matthew McGillis wrote:
> >> I have installed the latest and greatest cygwin and sshd on a Small
> >>  Business Windows Server 2003. Everything works great on the console
> >>  and ssh'ing in and out works fine. However once I access the web
> >>  server running on the box anyone sshd in will no longer be able to
> >>  run anything that creates a child process. All cygwin functionality
> >>  from the console still works fine. I can look at the processes and
> >>  see srvc sshd and shells all running under SYSTEM.
> >>
> >Oops!                                         ^^^^^^
> >
> Not sure what you're suggesting with this but for clarification I
> should point out that the bash child shells of sshd are not running
> as SYSTEM but as whoever logged in. My main point with that is that
> from the console it is still easy to see that things look fairly
> normal even though those shells tied to sshd can not fork processes.

What I was suggesting was to take that clue and read:


If you had done that, you would have seen the following without me having
to point it out to you and clutter the list with documentation excerpts.

This is the end of my knowledge in this area, so if you have further
problems, please take a close look at
before posting again.  Then, maybe someone else will be able to help more.

Important note for Windows 2003 Server users:

2003 Server has a funny new feature.  When starting services under SYSTEM
account, these services have nearly all user rights which SYSTEM holds...
except for the "Create a token object" right, which is needed to allow
public key authentication :-(

There's no way around this, except for creating a substitute account which
has the appropriate privileges.  Basically, this account should be member
of the administrators group, plus it should have the following user

        Create a token object
        Logon as a service
        Replace a process level token
        Increase Quota

The ssh-host-config script asks you, if it should create such an account,
called "sshd_server".  If you say "no" here, you're on your own.  Please
follow the instruction in ssh-host-config exactly if possible.  Note that
ssh-user-config sets the permissions on 2003 Server machines dependent of
whether a sshd_server account exists or not.

Brian Ford
Senior Realtime Software Engineer
VITAL - Visual Simulation Systems
FlightSafety International
Phone: 314-551-8460
Fax:   314-551-8444
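
Added example, not part of the original message or of the documentation it quotes: a shell check, runnable from a Cygwin prompt, that reports which of the four user rights listed in the excerpt an account is not directly assigned. It assumes a `secedit /export /areas USER_RIGHTS` template converted to UTF-8 and the usual Windows constants for those rights; `missing_rights` and `sample_inf` are hypothetical names and the sample template is constructed.

```shell
# Added example: audit direct user-rights assignments for the sshd account.
# Assumption: the secedit export was converted first, e.g. iconv -f UTF-16LE -t UTF-8.

# missing_rights PRINCIPAL INF_FILE  (hypothetical helper name)
# Prints one sorted line per required right that PRINCIPAL (account name or
# SID) is not directly assigned; prints nothing if all four are present.
# Rights inherited through group membership are not resolved here.
missing_rights() {
    tr -d '\r' < "$2" | awk -v who="$1" '
        BEGIN {
            want["SeCreateTokenPrivilege"]        = "Create a token object"
            want["SeServiceLogonRight"]           = "Logon as a service"
            want["SeAssignPrimaryTokenPrivilege"] = "Replace a process level token"
            want["SeIncreaseQuotaPrivilege"]      = "Increase Quota"
            who = tolower(who); sub(/^\*/, "", who)
        }
        /^\[/ { in_sec = ($0 == "[Privilege Rights]"); next }
        in_sec && index($0, "=") {
            key = substr($0, 1, index($0, "=") - 1)
            val = substr($0, index($0, "=") + 1)
            gsub(/[ \t]/, "", key)
            if (!(key in want)) next
            n = split(val, holders, ",")
            for (i = 1; i <= n; i++) {
                h = tolower(holders[i])
                gsub(/^[ \t*]+|[ \t]+$/, "", h)   # trim blanks and SID marker
                if (h == who) held[key] = 1
            }
        }
        END { for (k in want) if (!(k in held)) print k " (" want[k] ")" }
    ' | sort
}

# Constructed sample template (not taken from a real host).
sample_inf() {
    cat <<'EOF'
[Unicode]
Unicode=yes
[Privilege Rights]
SeServiceLogonRight = sshd_server
SeAssignPrimaryTokenPrivilege = *S-1-5-19,*S-1-5-20,sshd_server
SeIncreaseQuotaPrivilege = *S-1-5-19,*S-1-5-20,*S-1-5-32-544
SeCreateTokenPrivilege =
EOF
}

if [ "$#" -eq 2 ]; then missing_rights "$1" "$2"; fi
```

Against the constructed sample, `sshd_server` is reported as lacking the token-creation and quota rights; the same listing run without an account filter is also a quick way to review who else holds `SeCreateTokenPrivilege`.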
