Discussion:
Seteuid "operation not permitted" error when using LSA for sshd
Mark Pattie
2012-05-25 00:15:54 UTC
Hi all,

I have installed Cygwin and am running sshd successfully. The
permission required for the sshd service account "create a token
object" is not permitted to be granted to any accounts in my
organization. As such I have decided to use LSA based on Method 2 on
the following page: http://cygwin.com/cygwin-ug-net/ntsec.html.

I had successfully tested ssh authentication with a public/private
certificate pair prior to running /usr/bin/cyglsa-config to install
LSA. I ran the script, removed the "create a token object" permission
and rebooted the server. Now I cannot authenticate using the
public/private keys. I receive the following error in the Windows
event log:

sshd: PID 2780: fatal: seteuid 1003: Operation not permitted

When I add the permission back to the service account and restart sshd,
the public/private key authentication works again.

Any help would be great.

Thanks,
Mark
Corinna Vinschen
2012-05-25 09:39:20 UTC
Post by Mark Pattie
Hi all,
I have installed Cygwin and am running sshd successfully. The
permission required for the sshd service account "create a token
object" is not permitted to be granted to any accounts in my
organization. As such I have decided to use LSA based on Method 2 on
the following page: http://cygwin.com/cygwin-ug-net/ntsec.html.
I had successfully tested ssh authentication with a public/private
certificate pair prior to running /usr/bin/cyglsa-config to install
LSA. I ran the script, removed the "create a token object" permission
and rebooted the server. Now I cannot authenticate using the
public/private keys. I receive the following error in the Windows
event log:
sshd: PID 2780: fatal: seteuid 1003: Operation not permitted
When I add the permission back to the service account and restart sshd
the public/private key authentication works again
Any help would be great
Does the account have TCB rights? That's required to run LSA auth.
Same for method 3, btw.


Corinna
--
Corinna Vinschen                  Please, send mails regarding Cygwin to
Cygwin Project Co-Leader          cygwin AT cygwin DOT com
Red Hat
Mark Pattie
2012-05-28 00:10:33 UTC
Thanks for responding so quickly.

In the security log I can see it has been assigned the privilege
SeTcbPrivilege. Security log entry:

Special privileges assigned to new logon.

Subject:
Security ID: BUILDSERVER\cygwin_sshd
Account Name: cygwin_sshd
Account Domain: BUILDSERVER
Logon ID: 0x12c1c4

Privileges: SeAssignPrimaryTokenPrivilege
SeTcbPrivilege
SeSecurityPrivilege
SeTakeOwnershipPrivilege
SeLoadDriverPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeDebugPrivilege
SeSystemEnvironmentPrivilege
SeImpersonatePrivilege

In User Rights Assignment it has the following privileges:

Act as part of the operating system
Adjust memory quotas for a process
Logon as a service
Replace a process level token

Thanks,
Mark
Mark Pattie
2012-05-29 02:41:23 UTC
I have now removed Cygwin completely from the server and reinstalled.
I am using the default service account that Cygwin creates for sshd
(cyg_server), removed the "create a token object" permission for this
account and configured the LSA package but have the same problem. Any
advice on troubleshooting this issue further or any insight would be
great.

Thanks,
Mark
Corinna Vinschen
2012-05-29 12:50:57 UTC
Post by Mark Pattie
I have now removed Cygwin completely from the server and reinstalled.
I am using the default service account that Cygwin creates for sshd
(cyg_server), removed the "create a token object" permission for this
account and configured the LSA package but have the same problem. Any
advice on troubleshooting this issue further or any insight would be
great.
There's nothing you can do. I have tested this scenario and it turns
out that it's a problem with the cyglsa DLL itself, not even related
to the permissions, but a generic problem.

I have fixed that in CVS (tested on W7 and XP). The next developer
snapshot (I will create one today or tomorrow) on
http://cygwin.com/snapshots/ will contain this patch. Just rip the
cyglsa.dll file from the cygwin-inst-YYYYMMDD.tar.bz2 package, copy
it to the /bin/cyglsa directory and reboot. This should hopefully
fix your problem. Please report back.


Thanks,
Corinna
--
Corinna Vinschen                  Please, send mails regarding Cygwin to
Cygwin Project Co-Leader          cygwin AT cygwin DOT com
Red Hat
David Koppenhofer
2012-08-01 18:43:23 UTC
Hi Corinna,

I'm trying to get Cygwin sshd working with public key authentication on a Server
2008R2 box. I don't have the "create a token object" permission either, so
followed the information in this thread to try to get LSA working:
I ran the /usr/bin/cyglsa-config script, downloaded the
cygwin-inst-20120530.tar.bz2 snapshot, and extracted the cyglsa64.dll file to
/bin/cyglsa/

I rebooted the server, made sure the sshd service was running, but I still
receive the "sshd: PID 3064: fatal: seteuid 1000: Operation not permitted" error.

Is there anything else I can try?

Thanks,
David
Corinna Vinschen
2012-08-02 09:11:19 UTC
Post by David Koppenhofer
I'm trying to get Cygwin sshd working with public key authentication on a Server
2008R2 box. I don't have the "create a token object" permission either, so
I ran the /usr/bin/cyglsa-config script, downloaded the
cygwin-inst-20120530.tar.bz2 snapshot, and extracted the cyglsa64.dll file to
/bin/cyglsa/
Why did you install cyglsa64 from the old snapshot? The changes to
cyglsa are supposed to be in the Cygwin 1.7.16 package anyway. I just
checked the cyglsa64.dll binary and it looks ok. I installed Cygwin
1.7.16 on my 2008R2 test machine, ran cyglsa-config, rebooted, and
started the sshd service, and it works for me.
Post by David Koppenhofer
I rebooted the server, made sure the sshd service was running, but I still
receive the "sshd: PID 3064: fatal: seteuid 1000: Operation not permitted" error.
Does the service account have TCB privileges? That's a hard requirement
for the user switch.


Corinna
--
Corinna Vinschen                  Please, send mails regarding Cygwin to
Cygwin Project Co-Leader          cygwin AT cygwin DOT com
Red Hat
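To check a service account against the requirement Corinna states (TCB for LSA and method 3, "Create a token object" for method 1), here is an added Python example that is not from the thread or the Cygwin project: it parses a "Special privileges assigned to new logon" event like the one Mark pasted and maps User Rights Assignment display names to privilege constants. The sample event, the host name and the display-name mapping are my additions, not taken from the thread.

```python
import re

# User Rights Assignment display names mapped to the privilege constants seen in the
# security log. Standard Windows names; the thread shows both forms but not the mapping.
RIGHT_TO_PRIV = {
    "Act as part of the operating system": "SeTcbPrivilege",
    "Create a token object": "SeCreateTokenPrivilege",
    "Replace a process level token": "SeAssignPrimaryTokenPrivilege",
    "Adjust memory quotas for a process": "SeIncreaseQuotaPrivilege",
    "Logon as a service": "SeServiceLogonRight",
}

# Constructed sample modelled on the "Special privileges assigned to new logon"
# event pasted earlier in the thread (host and account are placeholders).
SAMPLE_EVENT = """Special privileges assigned to new logon.
Security ID: EXAMPLEHOST\\cyg_server
Account Name: cyg_server
Privileges: SeAssignPrimaryTokenPrivilege
SeTcbPrivilege
SeSecurityPrivilege
SeImpersonatePrivilege
"""

def parse_privileges(event_text):
    """Return the Se* privilege names listed after 'Privileges:' in the event text."""
    _, sep, tail = event_text.partition("Privileges:")
    if not sep:
        return set()
    return set(re.findall(r"\bSe\w+?(?:Privilege|Right)\b", tail))

def user_rights_to_privileges(rights):
    """Translate User Rights Assignment display names into privilege constants."""
    return {RIGHT_TO_PRIV[r] for r in rights if r in RIGHT_TO_PRIV}

def switch_methods_available(privs):
    """Cygwin user-switch methods whose stated prerequisite the account meets:
    method 1 needs 'Create a token object'; methods 2 (LSA) and 3 need TCB.
    An empty list is the situation behind 'seteuid: Operation not permitted'."""
    methods = []
    if "SeCreateTokenPrivilege" in privs:
        methods.append(1)
    if "SeTcbPrivilege" in privs:
        methods.extend([2, 3])
    return methods

if __name__ == "__main__":
    held = parse_privileges(SAMPLE_EVENT) | user_rights_to_privileges(
        ["Logon as a service", "Replace a process level token"])
    print(sorted(held), "->", switch_methods_available(held))
```

The function only checks the privilege prerequisite named in the thread; methods 2 and 3 still need the LSA package or stored password set up as the ntsec page describes.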
David Koppenhofer
2012-08-02 18:39:40 UTC
Post by Corinna Vinschen
Why did you install cyglsa64 from the old snapshot? The changes to
cyglsa are supposed to be in the Cygwin 1.7.16 package anyway.
Because I was grasping for straws, and didn't know the fix was in the current
package.
Post by Corinna Vinschen
Post by David Koppenhofer
I rebooted the server, made sure the sshd service was running, but I still
receive the "sshd: PID 3064: fatal: seteuid 1000: Operation not permitted" error.
Does the service account have TCB privileges? That's a hard requirement
for the user switch.
Ah ha! The service account does not have the "Act as part of the operating
system" permission.

However, I ended up asking the network admin to give "Create a token object" to
the service account. Since key authentication started working after that, I'll
just leave things as they are.

Thanks for your help.

David
Corinna Vinschen
2012-08-03 07:48:58 UTC
Post by David Koppenhofer
Ah ha! The service account does not have the "Act as part of the operating
system" permission.
However, I ended up asking the network admin to give "Create a token object" to
the service account. Since key authentication started working after that, I'll
just leave things as they are.
If the restrictions of this mode, especially in terms of network shares,
are no problem for you, that's fine. Otherwise I'd like to point out
http://cygwin.com/cygwin-ug-net/ntsec.html#ntsec-setuid-overview


Corinna
--
Corinna Vinschen                  Please, send mails regarding Cygwin to
Cygwin Project Co-Leader          cygwin AT cygwin DOT com
Red Hat