Can't login to Cygwin sshd server with a non-administrator user account

After way too much time spent stumbling around, I've finally discovered the cause of my problem. In short, I was getting "Permission denied" for my non-administrator users because on a DC, the Users group does not have the "Allow logon locally" user right. When sshd tried to switch context from the sshd service's account to a non-privileged user, the operation failed because the user didn't have the logon locally permission.

To fix, I had to edit the Default Domain Controller Policy to give the Users group the Allow logon locally right. This can be found in Group Policy Management > (your domain) > Group Policy Objects. Right-click, Edit. Go to Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies > User Rights Assignment. Open Allow logon locally and add the Users group (or, you may want to create a 'SSH users' group and add that instead).

After editing the policy, run gpupdate in a command prompt to refresh the changes and you're good to go.
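To confirm the policy change actually reached the machine after `gpupdate`, the effective user rights can be exported and inspected. The following is an added example, not part of the original answer: it assumes an elevated PowerShell prompt on the server running sshd, and the group name `SSH users` is the hypothetical group suggested above. It also lists the matching deny right, because a deny entry takes precedence over an allow entry.

```powershell
# Added example: audit who holds "Allow log on locally" on this machine.
# Assumption: run elevated on the server hosting Cygwin sshd.
$Group = 'SSH users'   # hypothetical group name; substitute your own

function Get-UserRightHolders {
    param([string]$InfPath, [string]$Right)
    # secedit writes lines such as:
    #   SeInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-551
    $line = Get-Content -Path $InfPath | Where-Object { $_ -match "^$Right\s*=" }
    if (-not $line) { return @() }
    ($line -split '=', 2)[1].Split(',') | ForEach-Object {
        $entry = $_.Trim()
        if ($entry.StartsWith('*S-')) {
            # Entries prefixed with '*' are SIDs; resolve them to account names.
            $sid = New-Object System.Security.Principal.SecurityIdentifier($entry.TrimStart('*'))
            try   { $sid.Translate([System.Security.Principal.NTAccount]).Value }
            catch { $sid.Value }   # unresolvable SID: keep the raw value
        } elseif ($entry) {
            $entry                 # already a plain account name
        }
    }
}

# Export only the user-rights area of the effective local security settings.
$inf = Join-Path $env:TEMP 'user-rights.inf'
secedit /export /cfg $inf /areas USER_RIGHTS | Out-Null

$allow = @(Get-UserRightHolders -InfPath $inf -Right 'SeInteractiveLogonRight')
$deny  = @(Get-UserRightHolders -InfPath $inf -Right 'SeDenyInteractiveLogonRight')
Remove-Item -Path $inf

"Allow log on locally: " + ($allow -join '; ')
"Deny log on locally:  " + ($deny -join '; ')

# Compare on the leaf name so DOMAIN\group and BUILTIN\group both match.
$inAllow = $allow | Where-Object { ($_ -split '\\')[-1] -eq $Group }
$inDeny  = $deny  | Where-Object { ($_ -split '\\')[-1] -eq $Group }

if ($inDeny) {
    "'$Group' is listed under the deny right, which overrides any allow entry."
} elseif ($inAllow) {
    "'$Group' holds the right; members should pass the logon check."
} else {
    "'$Group' is not listed; the policy has not applied or names a different group."
}
```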


It was hard but I finally figured it out.

  1. Run "mkpasswd -l > /etc/passwd".
  2. Go to the file and open it in Notepad++ (c:\cygwin\etc...).
  3. There, you will notice that the account listing is similar to (for a local account) machine-name+username (e.g. xyz+joe:*:...).
  4. To be sure, open PuTTY and try to connect with this entire username, i.e. machine-name+username. You should be able to get in.
  5. Now remove the text up to and including machine-name+ from the passwd file, leaving the username only (e.g. joe:*:...).
  6. Now save and try to connect again.

Even though this worked for me, it may not for others. I will list the additional things that I did, which may also have contributed to the success.

  1. chmod'ing the passwd and group files to rw.
  2. Users should be in the admin group.
  3. The Cygwin installation directory allowed rw access to the users.


I was having the same problems myself (today) and think I've figured it out. Before you can ssh in as the other users, those other users must be fully set up in Cygwin. So for me, I needed to actually log in to Windows as each non-admin user, and then (in that same Windows session) open up a Cygwin terminal (still as the non-admin user) and just mess around for a second (e.g. run "ls", then see if you can't ssh into localhost with "ssh localhost"). As soon as I opened up a Cygwin terminal, it generated some initial config details or whatever, and from that moment onwards I could ssh in as the non-admin user. Hope this helps.