
Some progress: This is working for the cyg_server user. That is the user under which the sshd service is running. But this is not working for other users.

Some more progress: This is working for any account with which the service is started. That is, if we give the credentials of a particular account in the Log On tab of a service, then it works for that account, and so on.

Original Question:

cmdkey is a command used to display Windows Credential Manager keys.

So I installed the Cygwin sshd server on my local Windows. Booted into an Ubuntu VM and tried to ssh to my Windows. This worked. When I run cmdkey command directly in my local this displays a set of Credential Manager keys. But when I'm running the same command from an ssh login, this is giving an empty output.

I also observed that any programs saving keys to Windows Credential Manager are giving me the error "A specified logon session does not exist. It may already have been terminated." (Only when running via ssh)

Although there are some pointers towards the issue on the internet, I was not able to exactly find the root issue.

Edit: Additional Information

The program that I wrote is ultimately calling the CredWriteW function from the Win API.

Could you help?

Disclosure: I asked this in superuser.com as well.

pinkpanther
  • What does "I run cmdkey command directly in my local" mean? A local Windows user session? And when you are connecting to a daemon (sshd) you don't see the user's data (because it is running in another context)? – bjoster Nov 21 '17 at 16:52
  • @bjoster yes, a local Windows session (direct login vs remote). cmdkey should generally return the credential keys stored in the Credential Manager of that user. But via SSH it returns empty. And when I add the keys they are added. But they are not added to the original user account. I mean I think when I ssh into it, it's running in two different contexts as you said (if that's what you mean). My original problem is: I'm not able to save the data programmatically to Credential Manager. It gives me "No specified logon session exists error". The same program works fine locally. – pinkpanther Nov 21 '17 at 17:23
  • @bjoster Also, it's surprising for me that at least cmdkey /add works without error although it's not writing to the same user that I'm expecting to. But the programmatic one which uses CredWriteW win api call fails. When I say "the same user", I mean, I'm using the credentials of the existing user of my windows account via SSH. – pinkpanther Nov 21 '17 at 17:26
  • The *local* credential manager is only accessible in *local* user sessions. As sshd is usually running as a remote (network) service, the user's local credentials are not accessible. RDP is opening up local user sessions, which would give you access. NetworkService and LocalService do not have the ability to impersonate to another local user session. – bjoster Nov 22 '17 at 15:23
  • But I don't know the differences between the API and the cmdkey tool itself; maybe there is more magic than straight using the API. Also, you are obviously not the first one confused by this: https://superuser.com/questions/1270014/why-is-cmdkey-is-giving-different-output-in-local-and-in-ssh/1270162 – bjoster Nov 22 '17 at 15:27
  • @bjoster That question was asked by me :) I mention that in my question description above. I came across cmdkey only when I was debugging the original issue. It's not actually relevant to me. My problem is that saving to credential manager is not working over SSH. – pinkpanther Nov 22 '17 at 16:17
  • I think your problem is that you cannot save things to the credential manager when not locally logged in. Which is the way the local credential manager is designed to work. – bjoster Nov 23 '17 at 08:48
  • @bjoster But see my update above: when I log on using the cyg_server account on which the sshd is running, the credential manager is accessible, but not for other accounts. cyg_server is a local administrator account that is created specifically for running sshd. – pinkpanther Nov 23 '17 at 08:56
  • @bjoster One more precise update: this will work for any user with which the service is launched. That is, in the Log On tab of the service. – pinkpanther Nov 23 '17 at 09:13
  • The cyg_server account is not able to impersonate to other accounts (remotely). That's correct. – bjoster Nov 23 '17 at 11:37
  • Let us [continue this discussion in chat](http://chat.stackexchange.com/rooms/69158/discussion-between-pinkpanther-and-bjoster). – pinkpanther Nov 23 '17 at 11:45
