Windows Server 2003 Security Question
From: Des Atkinson (Des_at_metron.co.uk)
Date: 10/06/05
Date: Thu, 6 Oct 2005 10:03:11 +0100
To: <secureshell@securityfocus.com>
Hi,
I have a security question please concerning the use of OpenSSH server
on a Windows Server 2003 system that acts as the ActiveDirectory/Domain
Controller system (let us call the domain MYDOM).
Both my client machine (running Windows 2000 Pro at Service Pack 5) and
the server (Windows Server 2003 Enterprise Edition at Service Pack 1)
are running OpenSSH_4.1p1. I wish to connect between the two using
public key authentication, and the user I am using at both ends is the
same one called usersrv. This user was set up on the Active Directory
machine and is therefore a domain user. So ./usersrv (i.e.
MYDOM/usersrv) is the logon user for the sshd service.
Now to install the OpenSSH service initially on the AD/DC system
requires local admin rights plus the other usual special permissions for
./usersrv so that the service can be installed and started.
Our requirement is that ./usersrv be demoted as soon as possible from
the local Administrators group on the AD/DC system. Ideally this would
be once the service was installed. However what we have found by
experimentation is that you must make an initial OpenSSH connection
between the client and the server and that the connecting user must have
Admin rights on the AD/DC system. Once that is done you can then demote
the ./usersrv user from the local Admin group on the AD/DC system.
Thereafter public key authentication will continue to work so long as
you use the same user at both ends (which we are). You can also stop and
restart the sshd service successfully.
Is there a way around this, please? We know that, after demoting the
./usersrv user, connection using password authentication, or using public
key authentication with a different user at each end, will not work;
however, that does not worry us. But is there a way that we can get
public key authentication to work first time using the same domain user
at each end where that user does not have local admin rights on the
AD/DC Windows Server?
*************************************
Des Atkinson
Technical Director
Metron Technology Ltd.
Osborne House, Trull Road
Taunton, TA1 4PX
tel: +44 (0)1823 259231
fax: +44 (0)1823 334502
e-mail: desa@metron.co.uk
www: http://www.metron.co.uk/
**************************************
Views expressed are those of the sender only
& should not be taken as company policy.
**************************************