From: Andrey Repin <anrdaemon@yandex.ru>
To: Andrea Venturoli <ml@netfence.it>, cygwin@cygwin.com
Subject: Re: Sshd and key based authentication
Date: Mon, 18 Nov 2013 08:35:00 -0000 [thread overview]
Message-ID: <1679047089.20131118122233@mtu-net.ru> (raw)
In-Reply-To: <5289C8BD.1010109@netfence.it>
Greetings, Andrea Venturoli!
> I'm trying to set up sshd on a Windows 2003 domain controller.
> Everything works with password authentication; however I need this for a
> script, so, in order to get non-interactive login, I must use keys.
> Tried as hard as I could, but I could not achieve this: I'm always asked
> for a password.
> I read several posts which say I need to use local accounts, not domain
> accounts; however, the machine being a DC, I don't have Local security
> policy or Local users in Control panel or Administrative tool.
> So, this is the fragment from my /etc/passwd:
>> sshd:unused:2259:513:sshd privsep,U-MYDOMAIN\sshd,S-X-X-XX-XXXXXXXXXX-XXXXXXXXXX-XXXXXXXXXX-XXXX:/var/empty:/bin/false
>> cyg_server:unused:2265:513:cyg_server,U-MYDOMAIN\cyg_server,S-X-X-XX-XXXXXXXXXX-XXXXXXXXXX-XXXXXXXXXXX-XXXX:/home/cyg_server:/bin/bash
> "ssh -vvv" suggest the key is presented to the server, but key
> authentication does not succeed anyway. Nothing special is logged
> server-side and ssh moves on to password authentiation.
> On with the questions...
> Is this supposed to work? Several posts say so, but no one mentions a
> domain controller... Does it bring in anything special?
Not that I know of.
> Are the above users correct? Any problem with it?
They are irrelevant.
Both only used to start up the service.
> What are correct ownership and permissions of /home, /home/myuser,
> /home/myuser/.ssh and /home/myuser/.ssh/authorized_keys?
sshd only check permissions on $HOME/.ssh and authorized_keys (as far as I'm
aware) - they need to be (as a safest bet) owned by user logging in and don't
have write permission by anyone except the owner (and SYSTEM).
> According to some how-tos, ssh-host-confing should have prompted with
> "CYGWIN=" and I should have replied "tty ntsec",
Long time gone.
http://cygwin.com/cygwin-ug-net/using-cygwinenv.html#cygwinenv-removed-options
> but this did not
> happen. Other how-tos suggest putting this variable in the environment.
> Is this information current or obsolete? I tried and it didn't seem to
> matter...
> Any other hint?
Did you installed Cygwin LSA module?
http://cygwin.com/cygwin-ug-net/ntsec.html#ntsec-nopasswd2
--
WBR,
Andrey Repin (anrdaemon@yandex.ru) 18.11.2013, <12:13>
Sorry for my terrible english...
--
Problem reports: http://cygwin.com/problems.html
FAQ: http://cygwin.com/faq/
Documentation: http://cygwin.com/docs.html
Unsubscribe info: http://cygwin.com/ml/#unsubscribe-simple
next prev parent reply other threads:[~2013-11-18 8:35 UTC|newest]
Thread overview: 9+ messages / expand[flat|nested] mbox.gz Atom feed top
2013-11-18 7:59 Andrea Venturoli
2013-11-18 8:35 ` Andrey Repin [this message]
2013-11-18 9:18 ` Andrea Venturoli
2013-11-20 17:37 ` Andrea Venturoli
2013-11-20 21:50 ` Andrey Repin
2013-11-26 17:12 ` Andrea Venturoli
2013-11-26 20:25 ` Larry Hall (Cygwin)
2013-11-20 23:00 ` Larry Hall (Cygwin)
2013-11-18 18:11 ` Larry Hall (Cygwin)
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1679047089.20131118122233@mtu-net.ru \
--to=anrdaemon@yandex.ru \
--cc=cygwin@cygwin.com \
--cc=ml@netfence.it \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).