Problem with ssh(d)

Problem with ssh(d)

[Strasser, Dominik (DI SW ICS ICV)]

Hi all,
I am facing the following problem with my sshd installation.

We are in an AD environment. AD holds the needed data for ssh(d) to 
work. I can log into cygwin using ssh. But if I have a key stored 
.ssh/authorized_keys for passwordless login, the groups my user is in 
differs from the one w/o an authorized keys. Unfortunately exactly the 
group(s) for accessing the shared filesystems is missing. We were 
investigating a lot and the only workaround we found is that the sshd 
service runs under the user we want to log in. This unfortunately 
disables any other user to log into the cygwin machine. When debugging 
ssh with -vvv, there is no visible difference between the login with 
authorized_keys or without (of course there is a difference wrt. the 
login method).

This is cygwin 3.2.0 and openssh openssh-8.8p1-1.

Any clues ?

Best regards

Dominik

-- 
Dominik Strasser       | Phone:  +49 89 99013-436
OneSpin Solutions GmbH | Fax:    +49 89 99013-100
Nymphenburgerstr. 20a
80335 Muenchen         | dominik.strasser@onespin.com

OneSpin Solutions GmbH
A Siemens business

Geschaeftsfuehrung: Thomas Heurung, Frank Thurauf
Sitz: Muenchen; Amtsgericht Muenchen HRB 139 464
UstID#: DE 814 413 215

RE: [cygwin] Problem with ssh(d)

[Jason Pyeron]

> -----Original Message-----
> From: Strasser, Dominik (DI SW ICS ICV)
> Sent: Wednesday, November 10, 2021 9:50 AM
> 
> Hi all,
> I am facing the following problem with my sshd installation.
> 
> We are in an AD environment. AD holds the needed data for ssh(d) to
> work. I can log into cygwin using ssh. But if I have a key stored
> .ssh/authorized_keys for passwordless login, the groups my user is in
> differs from the one w/o an authorized keys. Unfortunately exactly the
> group(s) for accessing the shared filesystems is missing. We were
> investigating a lot and the only workaround we found is that the sshd
> service runs under the user we want to log in. This unfortunately
> disables any other user to log into the cygwin machine. When debugging
> ssh with -vvv, there is no visible difference between the login with
> authorized_keys or without (of course there is a difference wrt. the
> login method).
> 
> This is cygwin 3.2.0 and openssh openssh-8.8p1-1.
> 
> Any clues ?

Passwordless login and network shares are incompatible by Microsoft design. You can see this in Microsoft task scheduler as well.

Our solution is to not rely on network file sharing, as it is disabled in our environment anyway due to security issues.

v/r,

Jason Pyeron

--
Jason Pyeron  | Architect
PD Inc        | Certified SBA 8(a)
10 w 24th St  | Certified SBA HUBZone
Baltimore, MD | CAGE Code: 1WVR6
 
.mil: jason.j.pyeron.ctr@mail.mil
.com: jpyeron@pdinc.us
tel : 202-741-9397

Re: Problem with ssh(d)

[Strasser, Dominik (DI SW ICS ICV)]

Hi Bill,

On 10.11.2021 16:10, Bill Stewart wrote:
> On Wed, Nov 10, 2021 at 7:52 AM Strasser, Dominik (DI SW ICS ICV) 
> <dominik.strasser@onespin.com> wrote:
>
>     We are in an AD environment. AD holds the needed data for ssh(d) to
>     work. I can log into cygwin using ssh. But if I have a key stored
>     .ssh/authorized_keys for passwordless login, the groups my user is in
>     differs from the one w/o an authorized keys. Unfortunately exactly
>     the
>     group(s) for accessing the shared filesystems is missing. We were
>     investigating a lot and the only workaround we found is that the sshd
>     service runs under the user we want to log in. This unfortunately
>     disables any other user to log into the cygwin machine. When
>     debugging
>     ssh with -vvv, there is no visible difference between the login with
>     authorized_keys or without (of course there is a difference wrt. the
>     login method).
>
>
> The OpenSSH server service should be running as local system, not as a 
> specific user.
I know that this is the standard installation. But we absolutely need 
passwordless login. So this was the workaround we found.
The number of groups differs when sshd is run as local system, and when 
authorized_keys exist or not. Groups are OK, when it is run under the 
one user we absolutely need the passwordless login.

Regards

Dominik
>
> Bill

-- 
Dominik Strasser       | Phone:  +49 89 99013-436
OneSpin Solutions GmbH | Fax:    +49 89 99013-100
Nymphenburgerstr. 20a
80335 Muenchen         |dominik.strasser@onespin.com

OneSpin Solutions GmbH
A Siemens business

Geschaeftsfuehrung: Thomas Heurung, Frank Thurauf
Sitz: Muenchen; Amtsgericht Muenchen HRB 139 464
UstID#: DE 814 413 215

Re: Problem with ssh(d)

[Bill Stewart]

On Wed, Nov 10, 2021 at 8:28 AM Strasser, Dominik (DI SW ICS ICV) wrote:

I know that this is the standard installation. But we absolutely need
> passwordless login. So this was the workaround we found.
> The number of groups differs when sshd is run as local system, and when
> authorized_keys exist or not. Groups are OK, when it is run under the one
> user we absolutely need the passwordless login.
>

Password-less logon is supported when running as local system. I do this
all the time, so there must be something that is not correct about your
configuration.

Sorry, don't know what that might be.

Bill

RE: [cygwin] Re: Problem with ssh(d)

[Jason Pyeron]

> -----Original Message-----
> From: Bill Stewart
> Sent: Wednesday, November 10, 2021 10:44 AM
> 
> On Wed, Nov 10, 2021 at 8:28 AM Strasser, Dominik (DI SW ICS ICV) wrote:
> 
> I know that this is the standard installation. But we absolutely need
> > passwordless login. So this was the workaround we found.
> > The number of groups differs when sshd is run as local system, and when
> > authorized_keys exist or not. Groups are OK, when it is run under the one
> > user we absolutely need the passwordless login.
> >
> 
> Password-less logon is supported when running as local system. I do this
> all the time, so there must be something that is not correct about your
> configuration.
> 
> Sorry, don't know what that might be.

I slightly misread the email.

To be clear password less login works - BUT as I said MS design choices result in a different security token being issues without password vs with password.

As such your ability to access certain resources are limited.

Enumerate the groups you have as PKI authentication then bless those groups to perform the action needed.

-Jason

--
Jason Pyeron  | Architect
PD Inc        | Certified SBA 8(a)
10 w 24th St  | Certified SBA HUBZone
Baltimore, MD | CAGE Code: 1WVR6
 
.mil: jason.j.pyeron.ctr@mail.mil
.com: jpyeron@pdinc.us
tel : 202-741-9397