public inbox for cygwin@cygwin.com
* Passwordless login with ssh
@ 2003-10-16  1:59 Andrew DeFaria
  2003-10-16  6:11 ` Mark Priest
  2003-10-16  8:36 ` Corinna Vinschen
  0 siblings, 2 replies; 13+ messages in thread
From: Andrew DeFaria @ 2003-10-16  1:59 UTC (permalink / raw)
  To: cygwin

Sorry, I searched the list and did not get a definitive answer. What I'm 
trying to do is to secure things up a little bit around here. I would 
like to use ssh. But I also want to allow valid users to ssh <remote> 
<command> without being prompted for a password. I'm not sure this is 
doable.

Reading from openssh-3.7.1p2-1.README I see

    Authentication to sshd is possible in one of two ways. You'll have
    to decide before starting sshd!

    - If you want to authenticate via RSA and you want to login to that
    machine to exactly one user account you can do so by running sshd
    under that user account. You must change /etc/sshd_config to contain
    the following:

    RSAAuthentication yes

    Moreover it's possible to use rhosts and/or rhosts with RSA
    authentication by setting the following in sshd_config:

    RhostsAuthentication yes
    RhostsRSAAuthentication yes

Seems to me that the above says I can only use RSA Authentication IFF 
I only want to allow one username to be able to login. Or

    - If you want to be able to login to different user accounts you'll
    have to start sshd under system account or any other account that is
    able to switch user context. Note that administrators are _not_ 
    able to do that by default! You'll have to give the following
    special user rights to the user:

    "Act as part of the operating system"
    "Replace process level token"
    "Increase quotas"

    and if used via service manager

    "Logon as a service".

    The system account does of course own that user rights by default.

    Unfortunately, if you choose that way, you can only logon with NT
    password authentication and you should change /etc/sshd_config to
    contain the following:

    PasswordAuthentication yes
    RhostsAuthentication no
    RhostsRSAAuthentication no
    RSAAuthentication no

    However you can login to the user which has started sshd with RSA
    authentication anyway. If you want that, change the RSA
    authentication setting back to "yes":

    RSAAuthentication yes

Seems to say that I can allow multiple users to login with ssh but I 
can't allow RSA authentication, hence I can't have passwordless logins. 
Is there any way to allow passwordless logins through ssh for a group of 
people?
-- 
A flying saucer results when a nudist spills his coffee.



--
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple
Problem reports:       http://cygwin.com/problems.html
Documentation:         http://cygwin.com/docs.html
FAQ:                   http://cygwin.com/faq/


* Re: Passwordless login with ssh
  2003-10-16  1:59 Passwordless login with ssh Andrew DeFaria
@ 2003-10-16  6:11 ` Mark Priest
  2003-10-16  8:36 ` Corinna Vinschen
  1 sibling, 0 replies; 13+ messages in thread
From: Mark Priest @ 2003-10-16  6:11 UTC (permalink / raw)
  To: cygwin, Andrew DeFaria

Andrew,

You are reading too much into the README.  The point of the note is that the
account that runs ssh must be capable of switching user accounts without a
password.  This requires the Windows permissions of
"Act as part of the operating system"
"Replace process level token" and
"Increase quotas"

The simplest way to accomplish this is to run the /bin/ssh-host-config
script which will install ssh as a service running with the System account.
You can log in to as many accounts as you want as long as you configure each
account correctly.  The simplest way to configure an account correctly is to
log into that account, run a Cygwin shell and execute the
/bin/ssh-user-config script.

Good luck,
Mark





* Re: Passwordless login with ssh
  2003-10-16  1:59 Passwordless login with ssh Andrew DeFaria
  2003-10-16  6:11 ` Mark Priest
@ 2003-10-16  8:36 ` Corinna Vinschen
  2003-10-16 15:47   ` Andrew DeFaria
  1 sibling, 1 reply; 13+ messages in thread
From: Corinna Vinschen @ 2003-10-16  8:36 UTC (permalink / raw)
  To: cygwin

On Wed, Oct 15, 2003 at 04:51:58PM -0700, Andrew DeFaria wrote:
> Sorry, I searched the list and did not get a definitive answer. What I'm 
> trying to do is to secure things up a little bit around here. I would 
> like to use ssh. But I also want to allow valid users to ssh <remote> 
> <command> without being prompted for a password. I'm not sure this is 
> doable.
> 
> Reading from openssh-3.7.1p2-1.README I see
> 
>    Authentication to sshd is possible in one of two ways. You'll have
>    to decide before starting sshd!
> 
>    - If you want to authenticate via RSA and you want to login to that
>    machine to exactly one user account you can do so by running sshd
>    under that user account. You must change /etc/sshd_config to contain
>    the following:
> 
>    RSAAuthentication yes
> 
>    Moreover it's possible to use rhosts and/or rhosts with RSA
>    authentication by setting the following in sshd_config:
> 
>    RhostsAuthentication yes
>    RhostsRSAAuthentication yes
> 
> Seems to me that the above says I can only use RSA Authentication IFF 
> I only want to allow one username to be able to login. Or

You missed the part under "Important change since 2.9p2":

  "Since Cygwin is able to switch user context without password beginning
   with version 1.3.2, OpenSSH now allows to do so when it's running under
   a version >= 1.3.2. Keep in mind that `ntsec' has to be activated to
   allow that feature."

This is a bit too brief, I admit.  Actually, the account that may switch
user context without password needs "create a token object" privilege.
This is by default only the SYSTEM user.  So, running sshd under SYSTEM
account gives you what you want.  Except on 2003 Server.  There you'll
have to create a new account (say "sshd_srv", *not* "sshd") which is
part of the admins group and has the appropriate extra privileges

  "Create a token object"
  "Replace process level token"
  "Increase quotas"
  "Logon as a service"

>    The system account does of course own that user rights by default.
> 
>    Unfortunately, if you choose that way, you can only logon with NT
>    password authentication and you should change /etc/sshd_config to
>    contain the following:

Yeah, should be rewritten.

>    RhostsAuthentication no

Ugh.  Rhosts authentication is dropped entirely since 3.7p1.

Corinna

-- 
Corinna Vinschen                  Please, send mails regarding Cygwin to
Cygwin Developer                                mailto:cygwin@cygwin.com
Red Hat, Inc.


* Re: Passwordless login with ssh
  2003-10-16  8:36 ` Corinna Vinschen
@ 2003-10-16 15:47   ` Andrew DeFaria
  2003-10-16 15:50     ` Igor Pechtchanski
                       ` (3 more replies)
  0 siblings, 4 replies; 13+ messages in thread
From: Andrew DeFaria @ 2003-10-16 15:47 UTC (permalink / raw)
  To: cygwin

Corinna Vinschen wrote:

> On Wed, Oct 15, 2003 at 04:51:58PM -0700, Andrew DeFaria wrote:
>
>> Sorry, I searched the list and did not get a definitive answer. What 
>> I'm trying to do is to secure things up a little bit around here. I 
>> would like to use ssh. But I also want to allow valid users to ssh 
>> <remote> <command> without being prompted for a password. I'm not 
>> sure this is doable.
>>
>> Reading from openssh-3.7.1p2-1.README I see
>>
>> Authentication to sshd is possible in one of two ways. You'll have to 
>> decide before starting sshd!
>>
>> - If you want to authenticate via RSA and you want to login to that 
>> machine to exactly one user account you can do so by running sshd 
>> under that user account. You must change /etc/sshd_config to contain 
>> the following:
>>
>> RSAAuthentication yes
>>
>> Moreover it's possible to use rhosts and/or rhosts with RSA 
>> authentication by setting the following in sshd_config:
>>
>> RhostsAuthentication yes
>> RhostsRSAAuthentication yes
>>
>> Seems to me that the above says I can only use RSA Authentication IFF 
>> I only want to allow one username to be able to login. Or
>
> You missed the part under "Important change since 2.9p2":
>
> "Since Cygwin is able to switch user context without password 
> beginning with version 1.3.2, OpenSSH now allows to do so when it's 
> running under a version >= 1.3.2. Keep in mind that `ntsec' has to be 
> activated to allow that feature."

No I saw that part too however it just seemed more confusing to me.

> This is a bit too brief, I admit. Actually, the account who may switch 
> user context without password needs "create a token object" privilege. 
> This is by default only the SYSTEM user. So, running sshd under SYSTEM 
> account gives you what you want. 

I currently have sshd running correctly as a service. I can log in as 
any user however right now I need to specify my password:

$ ssh starbase id
Andrew@starbase's password:
uid=1003(Andrew) gid=513(DeFaria) 
groups=513(DeFaria),544(Administrators),545(Users)

Now from what I see I need to run ssh-user-config to generate the 
necessary keys for passwordless login:

$ ssh-user-config
/home/Andrew DeFaria
/home/Andrew DeFaria is set in /etc/passwd as your home directory
but it is not a valid directory. Cannot create user identity files.

Ugh! Seems ssh-user-config doesn't support directories with spaces in 
them! (Would it be hard/impossible to support this?) Let me demonstrate 
my problem at work where I have a home directory without a space.

$ ssh adefaria id
adefaria@adefaria's password:
uid=1370(adefaria) gid=513(Domain Users) 
groups=1834(clearcase),512(Domain Admins),513(Domain 
Users),2637(Employees-US-Security),1170(Everybody),1331(Software),1866(Software-US-Security)

Same situation. I can use ssh for any user but I must enter a password. 
Now for ssh-user-config:

$ ssh-user-config
Shall I create an SSH1 RSA identity file for you? (yes/no) yes
Generating /us/adefaria/.ssh/identity
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Do you want to use this identity to login to this machine? (yes/no) yes
Adding to /us/adefaria/.ssh/authorized_keys
Shall I create an SSH2 RSA identity file for you? (yes/no)  (yes/no) yes
Generating /us/adefaria/.ssh/id_rsa
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Do you want to use this identity to login to this machine? (yes/no) yes
Adding to /us/adefaria/.ssh/authorized_keys
Shall I create an SSH2 DSA identity file for you? (yes/no)  (yes/no) yes
Generating /us/adefaria/.ssh/id_dsa
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Do you want to use this identity to login to this machine? (yes/no) yes
Adding to /us/adefaria/.ssh/authorized_keys

Configuration finished. Have fun!

$ ssh adefaria id
adefaria@adefaria's password:
uid=1370(adefaria) gid=513(Domain Users) 
groups=1834(clearcase),512(Domain Admins),513(Domain 
Users),2637(Employees-US-Security),1170(Everybody),1331(Software),1866(Software-US-Security)

As you can see ssh-user-config did not change the need to enter my 
password for ssh.

> Except on 2003 Server. There you'll have to create a new account (say 
> "sshd_srv", *not* "sshd") which is part of the admins group and has 
> the appropriate extra privileges
>
> "Create a token object"
> "Replace process level token"
> "Increase quotas"
> "Logon as a service"
>
>> The system account does of course own that user rights by default.
>>
>> Unfortunately, if you choose that way, you can only logon with NT 
> password authentication and you should change /etc/sshd_config to 
>> contain the following:
>
> Yeah, should be rewritten.
>
>> RhostsAuthentication no
>
> Ugh. Rhosts authentication is dropped entirely since 3.7p1.
>
> Corinna




* Re: Passwordless login with ssh
  2003-10-16 15:47   ` Andrew DeFaria
@ 2003-10-16 15:50     ` Igor Pechtchanski
  2003-10-17  3:07       ` Andrew DeFaria
  2003-10-16 15:51     ` Mark Priest
                       ` (2 subsequent siblings)
  3 siblings, 1 reply; 13+ messages in thread
From: Igor Pechtchanski @ 2003-10-16 15:50 UTC (permalink / raw)
  To: Andrew DeFaria; +Cc: cygwin

On Thu, 16 Oct 2003, Andrew DeFaria wrote:

> $ ssh adefaria id
> adefaria@adefaria's password:
> uid=1370(adefaria) gid=513(Domain Users)
> groups=1834(clearcase),512(Domain Admins),513(Domain Users),2637(Employees-US-Security),1170(Everybody),1331(Software),1866(Software-US-Security)
>
> As you can see ssh-user-config did not change the need to enter my
> password for ssh.

ssh -v (or -vvv) should tell you why the authorized_keys aren't accepted.
It's possible the permissions are too lax on them.
	Igor
-- 
				http://cs.nyu.edu/~pechtcha/
      |\      _,,,---,,_		pechtcha@cs.nyu.edu
ZZZzz /,`.-'`'    -.  ;-;;,_		igor@watson.ibm.com
     |,4-  ) )-,_. ,\ (  `'-'		Igor Pechtchanski, Ph.D.
    '---''(_/--'  `-'\_) fL	a.k.a JaguaR-R-R-r-r-r-.-.-.  Meow!

"I have since come to realize that being between your mentor and his route
to the bathroom is a major career booster."  -- Patrick Naughton

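Igor's suggestion is the right diagnostic, and the reason the modes matter is worth spelling out: sshd's StrictModes check (on by default) refuses to read ~/.ssh/authorized_keys when the home directory, ~/.ssh or the file itself is writable by group or others. The server logs "bad ownership or modes" and the client, which sees only that its offered key was declined, falls through to the password prompt exactly as in Andrew's transcript. The shell script below is an added example, not code from the thread or from the Cygwin ssh-user-config script; it checks those three paths for the modes sshd accepts and tightens them. It assumes a POSIX sh with a stat(1) that understands either GNU `-c %a` or BSD `-f %Lp`, and on Cygwin it assumes `ntsec` is on so that POSIX modes mean something. Ownership (the paths must belong to the user logging in) is not checked here.

```shell
#!/bin/sh
# Added example (not from the thread): verify and fix the file modes that
# sshd's StrictModes check requires before it will read authorized_keys.
# Assumes POSIX sh and a stat(1) that accepts GNU "-c %a" or BSD "-f %Lp".
# Ownership is not checked; on Cygwin, modes are only meaningful with ntsec.

# Octal permission bits of a path ("755", "2775", ...), GNU or BSD stat.
mode_of() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Succeed only if the path is writable by neither group nor others.
# The last two octal digits are the group and other bits; 2 is "write".
not_group_world_writable() {
    m=$(mode_of "$1")
    o=${m#"${m%?}"}          # last digit: others
    rest=${m%?}
    g=${rest#"${rest%?}"}    # second-to-last digit: group
    [ $(( g & 2 )) -eq 0 ] && [ $(( o & 2 )) -eq 0 ]
}

# Check the three paths sshd inspects for the home directory given as $1.
# Prints one line per problem; returns 0 only when all three are acceptable.
check_authorized_keys_perms() {
    home=$1
    status=0
    for p in "$home" "$home/.ssh" "$home/.ssh/authorized_keys"; do
        if [ ! -e "$p" ]; then
            echo "missing: $p"
            status=1
            continue
        fi
        if ! not_group_world_writable "$p"; then
            echo "too lax (group/world writable): $p is mode $(mode_of "$p")"
            status=1
        fi
    done
    return $status
}

# Tighten to the modes OpenSSH documents as safe: home not group/world
# writable, ~/.ssh 700, authorized_keys 600.
fix_authorized_keys_perms() {
    home=$1
    chmod go-w "$home"
    chmod 700 "$home/.ssh"
    chmod 600 "$home/.ssh/authorized_keys"
}

# Usage: check_authorized_keys_perms "$HOME" || fix_authorized_keys_perms "$HOME"
```

Run the check on the server as the user who cannot log in without a password; if it reports nothing and `ssh -v` still shows the key being offered and declined, look at ownership and at the sshd log next.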

* Re: Passwordless login with ssh
  2003-10-16 15:47   ` Andrew DeFaria
  2003-10-16 15:50     ` Igor Pechtchanski
@ 2003-10-16 15:51     ` Mark Priest
  2003-10-16 16:41       ` Andrew DeFaria
  2003-10-16 17:46     ` Steven E. Harris
  2003-10-16 19:21     ` Rob S.i.k.l.o.s.
  3 siblings, 1 reply; 13+ messages in thread
From: Mark Priest @ 2003-10-16 15:51 UTC (permalink / raw)
  To: cygwin, Andrew DeFaria

Andrew,

I have a home directory with a space in it.  The space appears in the
directory name as well as in the entry in passwd.  There is no problem
supporting that in Cygwin.  I had to create my home directories manually so
you might want to try doing the same thing.

-Mark





* Re: Passwordless login with ssh
  2003-10-16 15:51     ` Mark Priest
@ 2003-10-16 16:41       ` Andrew DeFaria
  2003-10-17  2:57         ` Andrew DeFaria
  0 siblings, 1 reply; 13+ messages in thread
From: Andrew DeFaria @ 2003-10-16 16:41 UTC (permalink / raw)
  To: cygwin

Mark Priest wrote:

> Andrew,
>
> I have a home directory with a space in it. The space appears in the 
> directory name as well as in the entry in passwd. There is no problem 
> supporting that in Cygwin. I had to create my home directories 
> manually so you might want to try doing the same thing.

I might want to try what same thing? Creating my home directory? I 
assure you that /home/Andrew DeFaria exists. It has existed for quite 
some time. By and large Cygwin's OK with it. Some things don't work with 
it. ssh-user-config is just another one of those things...

(I could remake my home directory to not have a space in it however I'm 
of the opinion that since space is a valid character for a filename that 
programs should be coded to handle such cases).

Note I also tried:

$ ln -s "/home/Andrew DeFaria" /home/Andrew

and changing my home directory in /etc/passwd to /home/Andrew as well as 
trying to use /home/Andrew~1 (the DOS mangled name for /home/Andrew 
DeFaria) in /etc/passwd to no avail.




* Re: Passwordless login with ssh
  2003-10-16 15:47   ` Andrew DeFaria
  2003-10-16 15:50     ` Igor Pechtchanski
  2003-10-16 15:51     ` Mark Priest
@ 2003-10-16 17:46     ` Steven E. Harris
  2003-10-16 19:21     ` Rob S.i.k.l.o.s.
  3 siblings, 0 replies; 13+ messages in thread
From: Steven E. Harris @ 2003-10-16 17:46 UTC (permalink / raw)
  To: cygwin

Andrew DeFaria <Andrew@DeFaria.com> writes:

> Now for ssh-user-config:
>
> $ ssh-user-config
> Shall I create an SSH1 RSA identity file for you? (yes/no) yes
> Generating /us/adefaria/.ssh/identity
> Enter passphrase (empty for no passphrase):
> Enter same passphrase again:
> Do you want to use this identity to login to this machine? (yes/no) yes
> Adding to /us/adefaria/.ssh/authorized_keys

[...]

Now both your public and private keys are in your "adefaria" home
directory, and your public key is noted as authorized for login to
whatever host you're running on here.

> $ ssh adefaria id
> adefaria@adefaria's password:
> uid=1370(adefaria) gid=513(Domain Users)
> groups=1834(clearcase),512(Domain Admins),513(Domain
> Users),2637(Employees-US-Security),1170(Everybody),1331(Software),1866(Software-US-Security)
>
> As you can see ssh-user-config did not change the need to enter my
> password for ssh.

On what host are you running the ssh client here? Is your home
directory still the same "adefaria" on this host? It's not clear from
your example which hosts are involved, and I suspect the problem is
that your public and private keys are sitting in the right place on
the server, but you don't have your keys available on the client
host.

Usually key generation and adding a new public key to the
authorized_keys file don't take place on the same host. With Debian's
ssh package¹, there's a script called ssh-copy-id² that adds a local
key to a remote host's authorized_keys file. I was surprised to find
that the Cygwin ssh-user-config script didn't offer to do the remote
addition, as adding the key to the local host's authorized_keys file
will only help if you move the key pair elsewhere, or have access to
the same home directory from multiple hosts.


Footnotes: 
¹ http://packages.debian.org/stable/net/ssh.html
² http://www.eviladmin.org/cvs/cvsweb.cgi/contrib/ssh-copy-id

-- 
Steven E. Harris        :: seharris@raytheon.com
Raytheon                :: http://www.raytheon.com

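Steven's point is the usual cause: ssh-user-config generated the key pair in the server-side home directory and authorized it there, which only helps if that same pair is also present on the client. What ssh-copy-id does is take the client's public key and append it to the remote authorized_keys. The script below is an added example, not code from the thread, from Debian's ssh-copy-id or from the Cygwin scripts; it is the receiving half of that operation. It installs a public key line into a given home directory's authorized_keys exactly once (matching on the key blob, so a re-run or the same key with a different comment does not add a duplicate), refuses a private key file handed to it by mistake, and leaves ~/.ssh and the file with the modes sshd's StrictModes check requires. It assumes POSIX sh, grep and awk, and the key line in the usage comment is constructed, not a real key.

```shell
#!/bin/sh
# Added example (not from the thread): the receiving half of ssh-copy-id.
# Appends one public key to HOME_DIR/.ssh/authorized_keys exactly once and
# leaves the modes the way sshd's StrictModes check wants them.
# Assumes POSIX sh, grep and awk; key file and home dir are arguments.

# The base64 blob (2nd field) of a one-line public key such as
# "ssh-rsa AAAA... comment". Comparing blobs instead of whole lines means
# the same key with a different comment is still recognised as present.
key_blob() {
    awk 'NR == 1 { print $2 }' "$1"
}

# install_authorized_key PUBKEY_FILE HOME_DIR
# Prints "added" or "already present" on success; returns 1 and prints a
# reason on stderr if the file is not a usable public key.
install_authorized_key() {
    pub=$1
    home=$2
    # A private key starts with "-----BEGIN"; never append that anywhere.
    if grep -q '^-----BEGIN' "$pub"; then
        echo "$pub looks like a private key, refusing" >&2
        return 1
    fi
    blob=$(key_blob "$pub")
    if [ -z "$blob" ]; then
        echo "$pub does not contain a public key line" >&2
        return 1
    fi
    ak="$home/.ssh/authorized_keys"
    mkdir -p "$home/.ssh"
    chmod 700 "$home/.ssh"
    # Create the file under a restrictive umask so it is never world-readable,
    # even briefly, before the final chmod.
    [ -e "$ak" ] || ( umask 077; : > "$ak" )
    if grep -qF -- "$blob" "$ak"; then
        echo "already present"
    else
        # printf guarantees the appended line ends with a newline.
        printf '%s\n' "$(head -n 1 "$pub")" >> "$ak"
        echo "added"
    fi
    chmod 600 "$ak"
}

# Number of keys (non-comment, non-empty lines) in HOME_DIR's authorized_keys.
count_authorized_keys() {
    f="$1/.ssh/authorized_keys"
    if [ -e "$f" ]; then
        grep -c '^[^#]' "$f" || true
    else
        echo 0
    fi
}

# Usage on the server, with the client's public key copied over first.
# Constructed key line, not a real key:
#   printf 'ssh-rsa AAAAB3NzaC1yc2E...constructed== adefaria@client\n' > /tmp/id_rsa.pub
#   install_authorized_key /tmp/id_rsa.pub "$HOME"   # prints "added"
#   install_authorized_key /tmp/id_rsa.pub "$HOME"   # prints "already present"
```

The key pair itself stays on the client; only the .pub file travels. If the same home directory is shared between hosts, as Steven notes, the local-only addition ssh-user-config performs is already enough.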

* Re: Passwordless login with ssh
  2003-10-16 15:47   ` Andrew DeFaria
                       ` (2 preceding siblings ...)
  2003-10-16 17:46     ` Steven E. Harris
@ 2003-10-16 19:21     ` Rob S.i.k.l.o.s.
  3 siblings, 0 replies; 13+ messages in thread
From: Rob S.i.k.l.o.s. @ 2003-10-16 19:21 UTC (permalink / raw)
  To: cygwin, Andrew DeFaria

Are you entering a passphrase when you generate your keys?  If so, try with
no passphrase.

Rob.

----- Original Message ----- 
From: "Andrew DeFaria" <Andrew@DeFaria.com>
To: <cygwin@cygwin.com>
Sent: Thursday, October 16, 2003 10:55 AM
Subject: Re: Passwordless login with ssh


> Corinna Vinschen wrote:
>
> > On Wed, Oct 15, 2003 at 04:51:58PM -0700, Andrew DeFaria wrote:
> >
> >> Sorry, I searched the list and did not get a definitive answer. What
> >> I'm trying to do is to secure things up a little bit around here. I
> >> would like to use ssh. But I also want to allow valid users to ssh
> >> <remove> <command> without being prompted for a password. I'm not
> >> sure this is doable.
> >>
> >> Reading from openssh-3.7.1p2-1.README I see
> >>
> >> Authentication to sshd is possible in one of two ways. You'll have to
> >> decide before starting sshd!
> >>
> >> - If you want to authenticate via RSA and you want to login to that
> >> machine to exactly one user account you can do so by running sshd
> >> under that user account. You must change /etc/sshd_config to contain
> >> the following:
> >>
> >> RSAAuthentication yes
> >>
> >> Moreover it's possible to use rhosts and/or rhosts with RSA
> >> authentication by setting the following in sshd_config:
> >>
> >> RhostsAuthentication yes
> >> RhostsRSAAuthentication yes
> >>
> >> Seems to me that the above says I can only use RSA Authentication IFF
> >> I only want to allow one username to be able to login. Or
> >
> > You missed the part under "Important change since 2.9p2":
> >
> > "Since Cygwin is able to switch user context without password
> > beginning with version 1.3.2, OpenSSH now allows to do so when it's
> > running under a version >= 1.3.2. Keep in mind that `ntsec' has to be
> > activated to allow that feature."
>
> No I saw that part too however it just seemed more confusing to me.
>
> > This is a bit too brief, I admit. Actually, the account who may switch
> > user context without password needs "create a token object" privilege.
> > This is by default only the SYSTEM user. So, running sshd under SYSTEM
> > account gives you what you want.
>
> I currently have sshd running correctly as a service. I can log in as
> any user however right now I need to specify my password:
>
> $ ssh starbase id
> Andrew@starbase's password:
> uid=1003(Andrew) gid=513(DeFaria)
> groups=513(DeFaria),544(Administrators),545(Users)
>
> Now from what I see I need to run ssh-user-config to generate the
> necessary keys for passwordless login:
>
> $ ssh-user-config
> /home/Andrew DeFaria
> /home/Andrew DeFaria is set in /etc/passwd as your home directory
> but it is not a valid directory. Cannot create user identity files.
>
> Ugh! Seems ssh-user-config doesn't support directories with spaces in
> them! (Would it be hard/impossible to support this?) Let me demonstrate
> my problem at work where I have a home directory without a space.
>
> $ ssh adefaria id
> adefaria@adefaria's password:
> uid=1370(adefaria) gid=513(Domain Users)
> groups=1834(clearcase),512(Domain Admins),513(Domain
> Users),2637(Employees-US-Security),1170(Everybody),1331(Software),1866(Software-US-Security)
>
> Same situation. I can use ssh for any user but I must enter a password.
> Now for ssh-user-config:
>
> $ ssh-user-config
> Shall I create an SSH1 RSA identity file for you? (yes/no) yes
> Generating /us/adefaria/.ssh/identity
> Enter passphrase (empty for no passphrase):
> Enter same passphrase again:
> Do you want to use this identity to login to this machine? (yes/no) yes
> Adding to /us/adefaria/.ssh/authorized_keys
> Shall I create an SSH2 RSA identity file for you? (yes/no)  (yes/no) yes
> Generating /us/adefaria/.ssh/id_rsa
> Enter passphrase (empty for no passphrase):
> Enter same passphrase again:
> Do you want to use this identity to login to this machine? (yes/no) yes
> Adding to /us/adefaria/.ssh/authorized_keys
> Shall I create an SSH2 DSA identity file for you? (yes/no)  (yes/no) yes
> Generating /us/adefaria/.ssh/id_dsa
> Enter passphrase (empty for no passphrase):
> Enter same passphrase again:
> Do you want to use this identity to login to this machine? (yes/no) yes
> Adding to /us/adefaria/.ssh/authorized_keys
>
> Configuration finished. Have fun!
>
> $ ssh adefaria id
> adefaria@adefaria's password:
> uid=1370(adefaria) gid=513(Domain Users)
> groups=1834(clearcase),512(Domain Admins),513(Domain
> Users),2637(Employees-US-Security),1170(Everybody),1331(Software),1866(Software-US-Security)
>
> As you can see ssh-user-config did not change the need to enter my
> password for ssh.
>
> > Except on 2003 Server. There you'll have to create a new account (say
> > "sshd_srv", *not* "sshd") which is part of the admins group and has
> > the appropriate extra privileges
> >
> > "Create a token object"
> > "Replace process level token"
> > "Increase quotas"
> > "Logon as a service"
> >
> >> The system account does of course own that user rights by default.
> >>
> >> Unfortunately, if you choose that way, you can only logon with NT
> >> password authentication and you should change /etc/sshd_config to
> >> contain the following:
> >
> > Yeah, should be rewritten.
> >
> >> RhostsAuthentication no
> >
> > Ugh. Rhosts authentication is dropped entirely since 3.7p1.
> >
> > Corinna



* Re: Passwordless login with ssh
  2003-10-16 16:41       ` Andrew DeFaria
@ 2003-10-17  2:57         ` Andrew DeFaria
  0 siblings, 0 replies; 13+ messages in thread
From: Andrew DeFaria @ 2003-10-17  2:57 UTC (permalink / raw)
  To: cygwin

Andrew DeFaria wrote:

> Mark Priest wrote:
>
>> Andrew,
>>
>> I have a home directory with a space in it. The space appears in the 
>> directory name as well as in the entry in passwd. There is no problem 
>> supporting that in Cygwin. I had to create my home directories 
>> manually so you might want to try doing the same thing.
>
>
> I might want to try what same thing? Creating my home directory? I 
> assure you that /home/Andrew DeFaria exists. It has existed for quite 
> some time. By and large Cygwin's OK with it. Some things don't work 
> with it. ssh-user-config is just another one of those things...
>
> (I could remake my home directory to not have a space in it however 
> I'm of the opinion that since space is a valid character for a 
> filename that programs should be coded to handle such cases).
>
> Note I also tried:
>
> $ ln -s "/home/Andrew DeFaria" /home/Andrew
>
> and changing my home directory in /etc/passwd to /home/Andrew as well 
> as trying to use /home/Andrew~1 (the DOS mangled name for /home/Andrew 
> DeFaria) in /etc/passwd to no avail. 

Mea Culpa! I actually had two /etc/passwd lines with the same uid, one 
for Andrew and one for exim. The latter was commented out (which I know 
isn't officially supported). ssh-user-config got confused when it had 
two /etc/passwd lines for a single uid.
-- 
Access denied--nah nah na nah nah!




* Re: Passwordless login with ssh
  2003-10-16 15:50     ` Igor Pechtchanski
@ 2003-10-17  3:07       ` Andrew DeFaria
  2003-10-17  3:34         ` Igor Pechtchanski
  0 siblings, 1 reply; 13+ messages in thread
From: Andrew DeFaria @ 2003-10-17  3:07 UTC (permalink / raw)
  To: cygwin

Igor Pechtchanski wrote:

>ssh -v (or -vvv) should tell you why the authorized_keys aren't accepted.
>It's possible the permissions are too lax on them.
>
This is ending up being the culprit. You see my home directory is on an 
SMB share. Now I had set CYGWIN to "ntsec smbntsec" in the Windows 
System Environment Variables so that services would see it and I thought 
that that would propagate down to the shells. But alas our /etc/profile 
explicitly set CYGWIN to just "ntsec". With this setting my bash shell 
could chmod 600 <file> all it wanted to but if <file> was on an SMB 
share it would not change the mod bits! Changing /etc/profile to set 
CYGWIN to "ntsec smbntsec" now allows me to chmod on SMB shares. After 
setting the permissions correctly on the files in ~/.ssh ssh'ing works!

Now on to another problem. Perhaps this can't be done. As the user 
adefaria I wish to ssh to another machine as another user (ccadmin) and 
not be prompted with a password. Is this doable without "giving away the 
farm" security-wise? To allow certain users the right to ssh as another 
user without the need for a password?

Finally, I would like to ssh to my home machine without needing a 
password. At work I'm adefaria, at home I'm Andrew. I wish to

$ hostname
adefaria
$ echo $USER
adefaria
$ ssh Andrew@<home>.com

and have my home machine set up to allow adefaria@adefaria to come in as 
Andrew.
-- 
When something is "new and improved!". Which is it? If it's new, then 
there has never been anything before it. If it's an improvement, then 
there must have been something before it.
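
A check for the permission problem described in the message above, added here as an example rather than anything posted in the thread: it reads every mode back with stat, so a chmod that silently did nothing (Cygwin on an SMB share without smbntsec) still shows up. The thresholds are OpenSSH's own: a group- or world-writable .ssh or authorized_keys fails sshd's StrictModes check, and the ssh client ignores a private key with any group/other bits set, which from the user's side looks exactly like "still asks for a password".

```shell
#!/bin/sh
# Added example, not code from the thread: audit a .ssh directory with the
# thresholds OpenSSH applies. Modes are read back with stat, so a chmod
# that silently had no effect (Cygwin on an SMB share without "smbntsec"
# in CYGWIN, as described in the message above) is still caught.

# Octal mode string of a path: GNU stat first, BSD stat as the fallback.
file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# check_ssh_dir DIR: returns 0 when DIR and the key files inside it are
# private enough, 1 otherwise, printing each offender with its mode.
check_ssh_dir() {
    dir=$1
    rc=0
    [ -d "$dir" ] || { echo "missing: $dir"; return 1; }
    # sshd (StrictModes) refuses a .ssh or authorized_keys that is group-
    # or world-writable; it applies the same test to the home directory.
    for p in "$dir" "$dir/authorized_keys"; do
        [ -e "$p" ] || continue
        m=$(file_mode "$p")
        if [ $(( 0$m & 022 )) -ne 0 ]; then
            echo "group/other writable ($m): $p"
            rc=1
        fi
    done
    # The ssh client ignores a private key with any group/other bits set
    # ("Permissions ... are too open") and falls back to a password prompt.
    for k in "$dir/identity" "$dir/id_rsa" "$dir/id_dsa"; do
        [ -e "$k" ] || continue
        m=$(file_mode "$k")
        if [ $(( 0$m & 077 )) -ne 0 ]; then
            echo "private key not private ($m): $k"
            rc=1
        fi
    done
    return $rc
}

# Usage: check_ssh_dir "$HOME/.ssh"
```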




* Re: Passwordless login with ssh
  2003-10-17  3:07       ` Andrew DeFaria
@ 2003-10-17  3:34         ` Igor Pechtchanski
  2003-10-17  6:54           ` Andrew DeFaria
  0 siblings, 1 reply; 13+ messages in thread
From: Igor Pechtchanski @ 2003-10-17  3:34 UTC (permalink / raw)
  To: Andrew DeFaria; +Cc: cygwin

On Thu, 16 Oct 2003, Andrew DeFaria wrote:

> Igor Pechtchanski wrote:
>
> >ssh -v (or -vvv) should tell you why the authorized_keys aren't accepted.
> >It's possible the permissions are too lax on them.
>
> This is ending up being the culprit. You see my home directory is on an
> SMB share. Now I had set CYGWIN to "ntsec smbntsec" in the Windows
> System Environment Variables so that services would see it and I thought
> that that would propagate down to the shells. But alas our /etc/profile
> explicitly set CYGWIN to just "ntsec". With this setting my bash shell
> could chmod 600 <file> all it wanted to but if <file> was on an SMB
> share it would not change the mod bits! Changing /etc/profile to set
> CYGWIN to "ntsec smbntsec" now allows me to chmod on SMB shares. After
> setting the permissions correctly on the files in ~/.ssh ssh'ing works!
>
> Now on to another problem. Perhaps this can't be done. As the user
> adefaria I wish to ssh to another machine as another user (ccadmin) and
> not be prompted with a password. Is this doable without "giving away the
> farm" security-wise? To allow certain users the right to ssh as another
> user without the need for a password?

Sure you can.  I do it all the time.  Simply generate a public/private key
pair for the user on your home machine, and add the public key to the
authorized_keys file for ccadmin.

> Finally, I would like to ssh to my home machine without needing a
> password. At work I'm adefaria, at home I'm Andrew. I wish to
>
> $ hostname
> adefaria
> $ echo $USER
> adefaria
> $ ssh Andrew@<home>.com
>
> and have my home machine set up to allow adefaria@adefaria to come in as
> Andrew.

Same as above: generate a key pair for adefaria at work, and add the
public key to the authorized keys file for Andrew at home.
	Igor
-- 
				http://cs.nyu.edu/~pechtcha/
      |\      _,,,---,,_		pechtcha@cs.nyu.edu
ZZZzz /,`.-'`'    -.  ;-;;,_		igor@watson.ibm.com
     |,4-  ) )-,_. ,\ (  `'-'		Igor Pechtchanski, Ph.D.
    '---''(_/--'  `-'\_) fL	a.k.a JaguaR-R-R-r-r-r-.-.-.  Meow!

"I have since come to realize that being between your mentor and his route
to the bathroom is a major career booster."  -- Patrick Naughton
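
Igor's answer above, like Steven's ssh-copy-id remark earlier in the thread, appends a bare public key to the target account's authorized_keys. As an added example, not code from the thread or from ssh-copy-id, the functions below append the key with the standard OpenSSH authorized_keys options from=, command=, no-port-forwarding, no-X11-forwarding, no-agent-forwarding and no-pty, so the passwordless key for ccadmin can run one command from one client rather than giving away the farm. The host pattern, command and key data are constructed.

```shell
#!/bin/sh
# Added example, not code from the thread: install a passwordless key for
# another account with OpenSSH authorized_keys restrictions, so the key is
# good for one command from one client rather than a full login.
# Host pattern, command and key data below are constructed samples.

# restrict_key_entry PUBKEY_LINE FROM_PATTERN COMMAND
# Prints PUBKEY_LINE prefixed with restriction options; fails on a line that
# is not "<type> <base64> [comment]" or on quotes that would break the entry.
restrict_key_entry() {
    key=$1 from=$2 cmd=$3
    rest=${key#* }; kdata=${rest%% *}
    [ "$rest" != "$key" ] || { echo "malformed key line: $key" >&2; return 1; }
    case $kdata in
        ''|*[!A-Za-z0-9+/=]*) echo "key data is not base64: $kdata" >&2; return 1 ;;
    esac
    case $from$cmd in
        *'"'*) echo 'from/command must not contain a double quote' >&2; return 1 ;;
    esac
    printf 'from="%s",command="%s",no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty %s\n' \
        "$from" "$cmd" "$key"
}

# add_authorized_key FILE PUBKEY_LINE FROM_PATTERN COMMAND
# Appends the restricted entry unless the same key data is already in FILE,
# and keeps FILE private (sshd's StrictModes rejects a lax authorized_keys).
add_authorized_key() {
    file=$1
    entry=$(restrict_key_entry "$2" "$3" "$4") || return 1
    rest=${2#* }; kdata=${rest%% *}
    if [ -f "$file" ] && grep -F -q -- " $kdata" "$file"; then
        echo "already authorized: $kdata" >&2
        return 0
    fi
    printf '%s\n' "$entry" >> "$file" && chmod 600 "$file"
}

# Constructed sample public key (not a real key) and the call the thread asks
# for: let adefaria's key run one command as ccadmin, from the work host only.
SAMPLE_KEY='ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQC0cGFjZQ== adefaria@adefaria'
# add_authorized_key ~ccadmin/.ssh/authorized_keys "$SAMPLE_KEY" \
#     adefaria.example.com /usr/bin/id
```

The from= pattern is matched against the connecting client's hostname or address, so the entry is only as strong as the name resolution sshd sees; command= replaces whatever the client asked to run, which is what keeps a "run this one thing" key from becoming a shell.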


* Re: Passwordless login with ssh
  2003-10-17  3:34         ` Igor Pechtchanski
@ 2003-10-17  6:54           ` Andrew DeFaria
  0 siblings, 0 replies; 13+ messages in thread
From: Andrew DeFaria @ 2003-10-17  6:54 UTC (permalink / raw)
  To: cygwin

Igor Pechtchanski wrote:

>> Now on to another problem. Perhaps this can't be done. As the user 
>> adefaria I wish to ssh to another machine as another user (ccadmin) 
>> and not be prompted with a password. Is this doable without "giving 
>> away the farm" security-wise? To allow certain users the right to ssh 
>> as another user without the need for a password?
>
> Sure you can. I do it all the time. Simply generate a public/private 
> key pair for the user on your home machine, and add the public key to 
> the authorized_keys file for ccadmin.

I'm figuring that out. Thanks for the guidance.

>> Finally, I would like to ssh to my home machine without needing a 
>> password. At work I'm adefaria, at home I'm Andrew. I wish to
>>
>> $ hostname
>> adefaria
>> $ echo $USER
>> adefaria
>> $ ssh Andrew@<home>.com
>>
>> and have my home machine set up to allow adefaria@adefaria to come in 
>> as Andrew.
>
> Same as above: generate a key pair for adefaria at work, and add the 
> public key to the authorized keys file for Andrew at home. 

Yes. This is cool. OK, thanks guys...




Thread overview: 13+ messages
2003-10-16  1:59 Passwordless login with ssh Andrew DeFaria
2003-10-16  6:11 ` Mark Priest
2003-10-16  8:36 ` Corinna Vinschen
2003-10-16 15:47   ` Andrew DeFaria
2003-10-16 15:50     ` Igor Pechtchanski
2003-10-17  3:07       ` Andrew DeFaria
2003-10-17  3:34         ` Igor Pechtchanski
2003-10-17  6:54           ` Andrew DeFaria
2003-10-16 15:51     ` Mark Priest
2003-10-16 16:41       ` Andrew DeFaria
2003-10-17  2:57         ` Andrew DeFaria
2003-10-16 17:46     ` Steven E. Harris
2003-10-16 19:21     ` Rob S.i.k.l.o.s.
