From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: (qmail 21263 invoked by alias); 6 Nov 2013 15:24:51 -0000 Mailing-List: contact cygwin-help@cygwin.com; run by ezmlm Precedence: bulk List-Id: List-Subscribe: List-Archive: List-Post: List-Help: , Sender: cygwin-owner@cygwin.com Mail-Followup-To: cygwin@cygwin.com Received: (qmail 21243 invoked by uid 89); 6 Nov 2013 15:24:51 -0000 Authentication-Results: sourceware.org; auth=none X-Virus-Found: No X-Spam-SWARE-Status: No, score=0.5 required=5.0 tests=AWL,BAYES_50,RDNS_NONE,URIBL_BLOCKED autolearn=no version=3.3.2 X-HELO: vms173009pub.verizon.net Received: from Unknown (HELO vms173009pub.verizon.net) (206.46.173.9) by sourceware.org (qpsmtpd/0.93/v0.84-503-g423c35a) with ESMTP; Wed, 06 Nov 2013 15:23:38 +0000 Received: from [192.168.1.231] ([unknown] [74.104.179.122]) by vms173009.mailsrvcs.net (Sun Java(tm) System Messaging Server 7u2-7.02 32bit (built Apr 16 2009)) with ESMTPA id <0MVU00BTQLERCK90@vms173009.mailsrvcs.net> for cygwin@cygwin.com; Wed, 06 Nov 2013 09:23:20 -0600 (CST) Message-id: <527A5EE5.2070206@cygwin.com> Date: Wed, 06 Nov 2013 15:24:00 -0000 From: "Larry Hall (Cygwin)" Reply-to: cygwin@cygwin.com User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:24.0) Gecko/20100101 Thunderbird/24.1.0 MIME-version: 1.0 To: cygwin@cygwin.com Subject: Re: Windows Guest Account Locked SSH References: <3B5A3AEF8D16D1489ECFF9EB07DA0B99976FA34A@CBPDEXCHAS01.gmpnt.rootdom.gmp.police.cjx.gov.uk> <3B5A3AEF8D16D1489ECFF9EB07DA0B99976FA3B2@CBPDEXCHAS01.gmpnt.rootdom.gmp.police.cjx.gov.uk> <3B5A3AEF8D16D1489ECFF9EB07DA0B99976FA3D4@CBPDEXCHAS01.gmpnt.rootdom.gmp.police.cjx.gov.uk> <3B5A3AEF8D16D1489ECFF9EB07DA0B99976FA3EB@CBPDEXCHAS01.gmpnt.rootdom.gmp.police.cjx.gov.uk> In-reply-to: <3B5A3AEF8D16D1489ECFF9EB07DA0B99976FA3EB@CBPDEXCHAS01.gmpnt.rootdom.gmp.police.cjx.gov.uk> Content-type: text/plain; charset=ISO-8859-1; format=flowed Content-transfer-encoding: 7bit X-SW-Source: 2013-11/txt/msg00152.txt.bz2 On 11/6/2013 5:26 AM, Jez.Noake@gmp.police.uk wrote: > I have a similar problem to this post: > http://cygwin.com/ml/cygwin/2012-06/msg00507.html > > except that the version I am using is 1.7.25, downloaded relatively recently. > > It seems that making an ssh connection to the CygWin host, using RSA > certificate to achieve passwordless connection, causes the SSHD service on > the host to perform an authentication using the account that the service is > hosted with ... but that it apparently does not qualify the account with a > domain (ie. the local machine) and apparently the assumption is that it > should be a DOMAIN account - there was no DOMAIN\CYG_SERVER account so it > fails and I assume it then tries DOMAIN\Guest as a fall-back, with the wrong > password and therefore locks out DOMAIN\Guest > > So I created a DOMAIN\CYG_SERVER account with the same password as > \CYG_SERVER and presto!, SSH connections from my client with no > domain guest lockout. > > I have googled to infinity and beyond and found only a few references to > this problem, and none of them suggest this or any other solution, merely > that you can try this and that (one relating to duplicated SID's - not the > reason) > Can anyone specify a better solution than creating a matching domain account? > > I can't help thinking that I have missed some configuration item that > would deal with this directly. No, this is exactly the way to do it. ssh-host-config cannot create a privileged domain account when run as any user from any machine so it doesn't try to. If you need a domain user to be able to authenticate with pubkey, you have to do what you did to make that work. The side effect of locking the domain guest account is a new twist I hadn't heard of before but then again, it is Windows we're talking about. ;-) -- Larry _____________________________________________________________________ A: Yes. > Q: Are you sure? >> A: Because it reverses the logical flow of conversation. >>> Q: Why is top posting annoying in email? -- Problem reports: http://cygwin.com/problems.html FAQ: http://cygwin.com/faq/ Documentation: http://cygwin.com/docs.html Unsubscribe info: http://cygwin.com/ml/#unsubscribe-simple