Re: Sshd and key based authentication

[Andrey Repin <anrdaemon@yandex.ru>]

Greetings, Andrea Venturoli!

> I'm trying to set up sshd on a Windows 2003 domain controller.
> Everything works with password authentication; however I need this for a 
> script, so, in order to get non-interactive login, I must use keys.
> Tried as hard as I could, but I could not achieve this: I'm always asked 
> for a password.



> I read several posts which say I need to use local accounts, not domain 
> accounts; however, the machine being a DC, I don't have Local security 
> policy or Local users in Control panel or Administrative tool.

> So, this is the fragment from my /etc/passwd:
>> sshd:unused:2259:513:sshd privsep,U-MYDOMAIN\sshd,S-X-X-XX-XXXXXXXXXX-XXXXXXXXXX-XXXXXXXXXX-XXXX:/var/empty:/bin/false
>> cyg_server:unused:2265:513:cyg_server,U-MYDOMAIN\cyg_server,S-X-X-XX-XXXXXXXXXX-XXXXXXXXXX-XXXXXXXXXXX-XXXX:/home/cyg_server:/bin/bash

> "ssh -vvv" suggest the key is presented to the server, but key 
> authentication does not succeed anyway. Nothing special is logged 
> server-side and ssh moves on to password authentiation.



> On with the questions...

> Is this supposed to work? Several posts say so, but no one mentions a 
> domain controller... Does it bring in anything special?

Not that I know of.

> Are the above users correct? Any problem with it?

They are irrelevant.
Both only used to start up the service.

> What are correct ownership and permissions of /home, /home/myuser, 
> /home/myuser/.ssh and /home/myuser/.ssh/authorized_keys?

sshd only check permissions on $HOME/.ssh and authorized_keys (as far as I'm
aware) - they need to be (as a safest bet) owned by user logging in and don't
have write permission by anyone except the owner (and SYSTEM).

> According to some how-tos, ssh-host-confing should have prompted with 
> "CYGWIN=" and I should have replied "tty ntsec",

Long time gone.
http://cygwin.com/cygwin-ug-net/using-cygwinenv.html#cygwinenv-removed-options

> but this did not 
> happen. Other how-tos suggest putting this variable in the environment.
> Is this information current or obsolete? I tried and it didn't seem to 
> matter...

> Any other hint?

Did you installed Cygwin LSA module?
http://cygwin.com/cygwin-ug-net/ntsec.html#ntsec-nopasswd2


--
WBR,
Andrey Repin (anrdaemon@yandex.ru) 18.11.2013, <12:13>

Sorry for my terrible english...


--
Problem reports:       http://cygwin.com/problems.html
FAQ:                   http://cygwin.com/faq/
Documentation:         http://cygwin.com/docs.html
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple