public inbox for cygwin@cygwin.com
From: Larry Hall <cygwin-lh@cygwin.com>
To: Hugh Brown <hbrown@dyaptive.com>, cygwin@cygwin.com
Subject: Re: Key-based authentication fails when keys are in Samba directory
Date: Fri, 24 Oct 2003 21:16:00 -0000
Message-ID: <5.1.0.14.0.20031024164101.02d841c0@127.0.0.1>
In-Reply-To: <20031024202538.GE97802@robson.dyaptive.com>

Can an unauthenticated user access //sambaserver/username via Windows?
If not, that's the real problem.  You'll have to use password authentication
unless you change the access.  I'd be surprised if your problem is driven by
directory/file permission issues anyway, since you have StrictModes turned 
off.  Fiddling with permissions when they aren't being checked isn't going
to do much AFAICS.

Larry


At 04:25 PM 10/24/2003, Hugh Brown wrote:
>I have Cygwin and OpenSSH set up on a number of Win2K machines.
>Home directories for users are mounted via a FreeBSD-based Samba
>server named Whistler.  SSH to the Win2K machines works without any
>problems *except* for key-based authentication where the
>~/.ssh/authorized_keys file is in a Samba-mounted home directory.
>
>I found email from Brian Hayward
>(http://sources.redhat.com/ml/cygwin/2003-10/msg00479.html) from a
>couple of weeks ago, which seems pretty similar.  However, when I
>try the solution (running "setfacl -m u:system:r-- ~ ~/.ssh
>~/.ssh/authorized_keys", where ~ is a Samba-mounted home directory),
>I get an error message that says "Function not implemented."  I
>don't get this error message when I try it on a local home directory,
>like /home/administrator.  (I've also tried appending keys in
>authorized_keys2 to authorized_keys, without any more success.)
>
>I *have* been able to get key-based authentication to work if I set
>up a home directory for the user on the Win2K machine.  In other
>words, I change the home directory listed in /etc/passwd from
>"//sambaserver/username" to "/home/username", create the directory,
>and copy over the user's .ssh directory.  However, at this point
>they no longer have access to their home directory, so it's less
>than ideal.  And for the record, password-based authentication works
>without any problem at all.
>
>On the Samba server, some home directories are mounted via NFS from
>other FreeBSD machines via amd, and some are on the machine itself;
>this doesn't seem to make any difference -- key-based authentication
>keeps failing.  
>
>I thought it might be a problem with symlinks
>(http://www.cygwin.com/faq/faq_4.html#SEC69).  To test, I tried
>setting my home directory in Cygwin's /etc/passwd to a temporary
>directory on Whistler (one that was not mounted via AMD, and had
>no symbolic links at all) and copying the
>.ssh directory in there; it still didn't work.
>
>Here's the debug log from the ssh daemon when I try to log in:
>
>debug1: userauth-request for user hbrown service ssh-connection method publickey
>debug1: attempt 1 failures 1
>debug2: input_userauth_request: try method publickey
>debug1: test whether pkalg/pkblob are acceptable
>debug3: mm_key_allowed entering
>debug3: mm_request_send entering: type 20
>debug3: monitor_read: checking request 20
>debug3: mm_answer_keyallowed entering
>debug3: mm_answer_keyallowed: key_from_blob: 0x100f4888
>debug1: temporarily_use_uid: 13044/545 (e=18/18)
>debug1: trying public key file //whistler/hbrown/.ssh/authorized_keys
>debug3: mm_key_allowed: waiting for MONITOR_ANS_KEYALLOWED
>debug3: mm_request_receive_expect entering: type 21
>debug3: mm_request_receive entering
>debug1: restore_uid: (unprivileged)
>debug1: temporarily_use_uid: 13044/545 (e=18/18)
>debug1: trying public key file //whistler/hbrown/.ssh/authorized_keys2
>debug1: restore_uid: (unprivileged)
>debug3: mm_answer_keyallowed: key 0x100f4888 is disallowed
>debug3: mm_request_send entering: type 21
>debug2: userauth_pubkey: authenticated 0 pkalg ssh-rsa
>Failed publickey for hbrown from 192.168.0.80 port 2621 ssh2
> 
>Directory permissions for ~hbrown, listed in Cygwin:
>
> $ ls -ld .ssh
> drwxr-xr-x    2 hbrown   Users           0 Oct 23 13:31 .ssh
>
> $ ls -ld .ssh/authorized_keys*
>  -rw-r--r--    1 hbrown   Users        3894 Oct 23 16:08 .ssh/authorized_keys
>  -rw-r--r--    1 hbrown   Users        1221 Oct 23 15:55 .ssh/authorized_keys2
>
>And the options in sshd_config that are not commented out:
>
>Port 22
>StrictModes no
>UsePrivilegeSeparation yes
>Subsystem      sftp    /usr/sbin/sftp-server
>
>Finally, I've attached the output of cygcheck -s -v -r.  
>
>Thanks in advance for any help you can give me, and please let me
>know if I've left anything out.
>
>-- 
>Hugh Brown
>hbrown@dyaptive.com
>


--
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple
Problem reports:       http://cygwin.com/problems.html
Documentation:         http://cygwin.com/docs.html
FAQ:                   http://cygwin.com/faq/
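As an added diagnostic, not part of this thread, the following Python applies Larry's two checks to the sshd debug output and sshd_config options Hugh posted: it lists the authorized_keys paths sshd tried, flags the ones on a //server/share path, and reports when StrictModes is off. The sample input is copied from the quoted message; the function names are my own.

```python
import re

# Constructed sample input copied from Hugh's message above (trimmed to the lines the checks use).
SAMPLE_LOG = """\
debug1: userauth-request for user hbrown service ssh-connection method publickey
debug1: temporarily_use_uid: 13044/545 (e=18/18)
debug1: trying public key file //whistler/hbrown/.ssh/authorized_keys
debug1: restore_uid: (unprivileged)
debug1: trying public key file //whistler/hbrown/.ssh/authorized_keys2
debug3: mm_answer_keyallowed: key 0x100f4888 is disallowed
Failed publickey for hbrown from 192.168.0.80 port 2621 ssh2
"""
SAMPLE_CONFIG = "Port 22\nStrictModes no\nUsePrivilegeSeparation yes\n"

KEYFILE_RE = re.compile(r"trying public key file (\S+)")
FAILED_RE = re.compile(r"Failed publickey for (\S+) from (\S+)")

def analyse_log(log):
    """Paths sshd tried, which of them are //server/share (UNC) paths, and the outcome."""
    tried = KEYFILE_RE.findall(log)
    failed = FAILED_RE.search(log)
    return {
        "tried": tried,
        "unc_paths": [p for p in tried if p.startswith("//")],
        "disallowed": "is disallowed" in log or failed is not None,
        "user": failed.group(1) if failed else None,
    }

def strict_modes_enabled(config):
    """Effective StrictModes value; sshd defaults it to yes when the option is unset."""
    for line in config.splitlines():
        parts = line.strip().split(None, 1)
        if len(parts) == 2 and parts[0].lower() == "strictmodes":
            return parts[1].strip().lower() == "yes"
    return True

def diagnose(log, config):
    """Apply Larry's two observations and return the findings as strings."""
    findings, result = [], analyse_log(log)
    if result["disallowed"] and result["unc_paths"]:
        findings.append(
            "authorized_keys is on a network share (%s): check whether an "
            "unauthenticated user can read it, since sshd reads it before %s "
            "has logged in" % (", ".join(result["unc_paths"]), result["user"]))
    if not strict_modes_enabled(config):
        findings.append(
            "StrictModes is off, so authorized_keys permissions are not checked "
            "and changing them (or their ACLs) will not change the result")
    return findings
```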
