Stellar Sword

Reputation: 6226

Cygwin user permissions for sftp (Operation not permitted)

So, I installed Cygwin 1.7.17 on Win7 and used mkpasswd to bring in a domain user (my main admin account). I used mkpasswd again to bring in a local account I created called "ffftp".

mkpasswd -d -u administrator > /etc/passwd
mkpasswd -l -u ffftp >> /etc/passwd

I used mkgroup to bring in all the necessary Windows groups.

I can type

$ login
user: ffftp
password: mypassword

And it logs in... but it says this:

Last login: Tue Apr 16 11:36:49 on pty0
login: no shell: /bin/bash: Operation not permitted

The local user ffftp is just a regular member of the "Users" group in Windows.

The SID for ffftp starts with S-1-5-21.

I've already created a cygwin/home/ffftp

and set its permissions in Windows.

How can I possibly set the private key for "ffftp" if I cannot log in as that user? What am I missing?

Also if anyone has a guide on setting up AES encryption with cygwin sshd that would be greatly appreciated.

Upvotes: 3

Views: 6901

Answers (3)

mavalog

Reputation: 1

I got the error

/bin/bash: Operation not permitted

when connecting to sshd after updating Cygwin from version 1.7.9 to version 2.9.0. The probable cause of the problem is the lack of the "Replace a Process Level Token" privilege for the "cyg_server" user. However, local administrator rights were not enough to grant this privilege on a domain-joined computer. My (partial) solution:

Run the "CYGWIN sshd" service under a domain user account instead of "cyg_server".

This allows you to connect to sshd only as this user (when you try to connect as another user, an error occurs).

You can also go back to an old version of Cygwin (for example, 1.7.30-1), but this solution has no future.

Upvotes: 0

I spent a lot of time trying to solve the same problem. I accidentally stumbled upon a solution here:

https://cygwin.com/ml/cygwin/2015-08/msg00162.html

On the Cygwin server:

  1. Go to Control Panel > Administrative Tools.
  2. Select Local Security Policy > Local Policies > User Rights Assignment.
  3. Right-click Replace a Process Level Token and select Security or Properties.
  4. Click Add to add the account sshd is running as (cyg_server in my case).
  5. Run gpupdate.
  6. Restart the sshd service.

Now try to connect via ssh... I was successful.

Upvotes: 0
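Both answers above turn on the same question: does the account the sshd service runs as hold the "Replace a process level token" right? In the local security policy that right is the SeAssignPrimaryTokenPrivilege entry, and `secedit /export /cfg policy.inf` writes the current assignments (as SIDs, each prefixed with `*`) to a file that can be inspected from the Cygwin shell. The following shell functions are an added example, not code from either answer or from the Cygwin project; the INF text and the service-account SID in it are constructed placeholders, not a real export.

```shell
# Added example: check which accounts hold a user right in a secedit policy export.
# Real exports are UTF-16LE, so convert first:  iconv -f UTF-16LE -t UTF-8 policy.inf
# The [Privilege Rights] section below is a constructed sample; the S-1-5-21-... SID
# stands in for the sshd service account (cyg_server) and is a placeholder.

SAMPLE_POLICY_INF='[Unicode]
Unicode=yes
[Privilege Rights]
SeAssignPrimaryTokenPrivilege = *S-1-5-19,*S-1-5-20,*S-1-5-21-1111111111-2222222222-3333333333-1005
SeServiceLogonRight = *S-1-5-21-1111111111-2222222222-3333333333-1005
SeCreateTokenPrivilege = *S-1-5-21-1111111111-2222222222-3333333333-1005
[Version]
signature="$CHICAGO$"
Revision=1'

# holds_privilege PRIVILEGE SID < policy.inf
# Prints "yes" if SID is listed for PRIVILEGE in [Privilege Rights], else "no"
# (also "no" when the privilege line is absent, i.e. nobody holds it).
holds_privilege() {
    awk -v priv="$1" -v sid="$2" '
        { sub(/\r$/, "") }                                  # tolerate CRLF line endings
        /^\[/ { insec = ($0 == "[Privilege Rights]"); next } # track the current INF section
        insec && $1 == priv {                               # "Name = *SID,*SID,..."
            n = split($3, ids, ",")
            for (i = 1; i <= n; i++) if (ids[i] == "*" sid) hit = 1
        }
        END { print (hit ? "yes" : "no") }'
}

# privileges_of SID < policy.inf
# Prints every user right assigned to SID, one per line, in file order.
privileges_of() {
    awk -v sid="$1" '
        { sub(/\r$/, "") }
        /^\[/ { insec = ($0 == "[Privilege Rights]"); next }
        insec && NF >= 3 {
            n = split($3, ids, ",")
            for (i = 1; i <= n; i++) if (ids[i] == "*" sid) print $1
        }'
}

# Stand-alone demonstration against the constructed sample.
SVC_SID='S-1-5-21-1111111111-2222222222-3333333333-1005'
printf 'SeAssignPrimaryTokenPrivilege for service account: %s\n' \
    "$(printf '%s\n' "$SAMPLE_POLICY_INF" | holds_privilege SeAssignPrimaryTokenPrivilege "$SVC_SID")"
printf 'SeTcbPrivilege for service account: %s\n' \
    "$(printf '%s\n' "$SAMPLE_POLICY_INF" | holds_privilege SeTcbPrivilege "$SVC_SID")"
printf 'All rights held by the service account:\n'
printf '%s\n' "$SAMPLE_POLICY_INF" | privileges_of "$SVC_SID"
```

Against a real export, the SID to look for is the one mkpasswd prints in the service account's /etc/passwd entry. On a domain-joined machine the export reflects the result after Group Policy has been applied, which is why the second answer runs gpupdate before restarting the service: a right granted locally can be overwritten by the domain policy, and checking the export after gpupdate shows what actually took effect.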

Danny

Reputation: 31

Here is how I resolved the error:

/bin/bash: Operation not permitted

First, in the /etc/passwd file, the local user that you created (ffftp) should have a default group associated with it.

For example, my local user is called sshd_server. The group ID# associated with my local user account is 544. It is the number located before the text that describes the local account (Privileged server). See here:

sshd_server:unused:1004:544:Privileged server,U-USCHEPMSTGP01\sshd_server,S-1-5-21-2770448234-4262186856-4033879849-1004:/var/empty:/bin/bash

You may compare this group ID# with the list of groups defined in /etc/group.

Administrators:S-1-5-32-544:544:

Users:S-1-5-32-545:545:

None:S-1-5-21-2770448234-4262186856-4033879849-513:513:

Domain Users:S-1-5-21-329068152-343818398-1801674531-513:10513:

To make my Cygwin SSH connection work, I had to modify my /etc/passwd file, and change the group associated with my local account (sshd_server) to the group ID# associated with "None."

sshd_server:unused:1004:513:Privileged server,U-USCHEPMSTGP01\sshd_server,S-1-5-21-2770448234-4262186856-4033879849-1004:/var/empty:/bin/bash

By changing my group ID# in /etc/passwd from 544 (Administrators) to 513 (None), this error was resolved.

Upvotes: 3
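The check Danny describes by hand (read the fourth field of the account's /etc/passwd line, look it up in the third field of /etc/group, and rewrite it if it points at Administrators) is mechanical enough to script, which also makes it easy to verify the edit before replacing the real file. The functions below are an added example, not Danny's commands or anything from the Cygwin project; the passwd and group text they operate on is a constructed sample in the same format as the answer, with placeholder SIDs and host name.

```shell
# Added example: cross-check and rewrite the primary GID of a Cygwin /etc/passwd entry.
# Constructed sample files (placeholder SIDs, host "U-HOST"); in Cygwin you would feed
# the real /etc/passwd and /etc/group instead.

SAMPLE_PASSWD='sshd_server:unused:1004:544:Privileged server,U-HOST\sshd_server,S-1-5-21-1111111111-2222222222-3333333333-1004:/var/empty:/bin/bash
ffftp:unused:1005:544:ffftp,U-HOST\ffftp,S-1-5-21-1111111111-2222222222-3333333333-1005:/home/ffftp:/bin/bash'

SAMPLE_GROUP='Administrators:S-1-5-32-544:544:
Users:S-1-5-32-545:545:
None:S-1-5-21-1111111111-2222222222-3333333333-513:513:'

# primary_gid USER < passwd   -> the 4th (GID) field of USER's entry
primary_gid() {
    awk -F: -v user="$1" '$1 == user { print $4; exit }'
}

# group_name GID < group      -> the group whose 3rd field is GID
group_name() {
    awk -F: -v gid="$1" '$3 == gid { print $1; exit }'
}

# set_primary_gid USER GID < passwd -> passwd text with only USER's GID field changed
set_primary_gid() {
    awk -F: -v OFS=: -v user="$1" -v gid="$2" '$1 == user { $4 = gid } { print }'
}

# check_user USER PASSWD_TEXT GROUP_TEXT -> "USER GID GROUPNAME" (UNKNOWN if unmapped)
check_user() {
    gid=$(printf '%s\n' "$2" | primary_gid "$1")
    name=$(printf '%s\n' "$3" | group_name "$gid")
    printf '%s %s %s\n' "$1" "$gid" "${name:-UNKNOWN}"
}

# Stand-alone demonstration: report both accounts, then rewrite ffftp's GID 544 -> 513
# (the "None" group in the sample) and report again. The rewrite goes to a variable,
# so nothing on disk is touched.
check_user sshd_server "$SAMPLE_PASSWD" "$SAMPLE_GROUP"
check_user ffftp       "$SAMPLE_PASSWD" "$SAMPLE_GROUP"
FIXED_PASSWD=$(printf '%s\n' "$SAMPLE_PASSWD" | set_primary_gid ffftp 513)
check_user ffftp "$FIXED_PASSWD" "$SAMPLE_GROUP"
```

In Cygwin, `check_user ffftp "$(cat /etc/passwd)" "$(cat /etc/group)"` gives the same report for the real account; to apply a change, write `set_primary_gid` output to a temporary file, `diff` it against /etc/passwd, and only then copy it into place. Note that the GID in Cygwin's /etc/passwd is only the POSIX view of the account's primary group; it does not add or remove Windows group membership, which is still governed by the account's actual groups in Windows.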
