public inbox for cygwin@cygwin.com
* Sshd and key based authentication
From: Andrea Venturoli @ 2013-11-18  7:59 UTC (permalink / raw)
  To: Cygwin Mailing List

Hello.

I'm trying to set up sshd on a Windows 2003 domain controller.
Everything works with password authentication; however I need this for a 
script, so, in order to get non-interactive login, I must use keys.
Tried as hard as I could, but I could not achieve this: I'm always asked 
for a password.



I read several posts which say I need to use local accounts, not domain 
accounts; however, the machine being a DC, I don't have Local security 
policy or Local users in Control panel or Administrative tool.

So, this is the fragment from my /etc/passwd:
> sshd:unused:2259:513:sshd privsep,U-MYDOMAIN\sshd,S-X-X-XX-XXXXXXXXXX-XXXXXXXXXX-XXXXXXXXXX-XXXX:/var/empty:/bin/false
> cyg_server:unused:2265:513:cyg_server,U-MYDOMAIN\cyg_server,S-X-X-XX-XXXXXXXXXX-XXXXXXXXXX-XXXXXXXXXXX-XXXX:/home/cyg_server:/bin/bash

"ssh -vvv" suggests the key is presented to the server, but key 
authentication does not succeed anyway. Nothing special is logged 
server-side and ssh moves on to password authentication.



On with the questions...

Is this supposed to work? Several posts say so, but no one mentions a 
domain controller... Does it bring in anything special?

Are the above users correct? Any problem with it?

What are correct ownership and permissions of /home, /home/myuser, 
/home/myuser/.ssh and /home/myuser/.ssh/authorized_keys?

According to some how-tos, ssh-host-config should have prompted with 
"CYGWIN=" and I should have replied "tty ntsec", but this did not 
happen. Other how-tos suggest putting this variable in the environment.
Is this information current or obsolete? I tried and it didn't seem to 
matter...



Any other hint?

  bye & Thanks
	av.

--
Problem reports:       http://cygwin.com/problems.html
FAQ:                   http://cygwin.com/faq/
Documentation:         http://cygwin.com/docs.html
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple


* Re: Sshd and key based authentication
From: Andrey Repin @ 2013-11-18  8:35 UTC (permalink / raw)
  To: Andrea Venturoli, cygwin

Greetings, Andrea Venturoli!

> I'm trying to set up sshd on a Windows 2003 domain controller.
> Everything works with password authentication; however I need this for a 
> script, so, in order to get non-interactive login, I must use keys.
> Tried as hard as I could, but I could not achieve this: I'm always asked 
> for a password.



> I read several posts which say I need to use local accounts, not domain 
> accounts; however, the machine being a DC, I don't have Local security 
> policy or Local users in Control panel or Administrative tool.

> So, this is the fragment from my /etc/passwd:
>> sshd:unused:2259:513:sshd privsep,U-MYDOMAIN\sshd,S-X-X-XX-XXXXXXXXXX-XXXXXXXXXX-XXXXXXXXXX-XXXX:/var/empty:/bin/false
>> cyg_server:unused:2265:513:cyg_server,U-MYDOMAIN\cyg_server,S-X-X-XX-XXXXXXXXXX-XXXXXXXXXX-XXXXXXXXXXX-XXXX:/home/cyg_server:/bin/bash

> "ssh -vvv" suggests the key is presented to the server, but key 
> authentication does not succeed anyway. Nothing special is logged 
> server-side and ssh moves on to password authentication.



> On with the questions...

> Is this supposed to work? Several posts say so, but no one mentions a 
> domain controller... Does it bring in anything special?

Not that I know of.

> Are the above users correct? Any problem with it?

They are irrelevant.
Both only used to start up the service.

> What are correct ownership and permissions of /home, /home/myuser, 
> /home/myuser/.ssh and /home/myuser/.ssh/authorized_keys?

sshd only checks permissions on $HOME/.ssh and authorized_keys (as far as I'm
aware) - they need to be (as a safest bet) owned by the user logging in and not
writable by anyone except the owner (and SYSTEM).

> According to some how-tos, ssh-host-config should have prompted with 
> "CYGWIN=" and I should have replied "tty ntsec",

Long time gone.
http://cygwin.com/cygwin-ug-net/using-cygwinenv.html#cygwinenv-removed-options

> but this did not 
> happen. Other how-tos suggest putting this variable in the environment.
> Is this information current or obsolete? I tried and it didn't seem to 
> matter...

> Any other hint?

Did you install the Cygwin LSA module?
http://cygwin.com/cygwin-ug-net/ntsec.html#ntsec-nopasswd2


--
WBR,
Andrey Repin (anrdaemon@yandex.ru) 18.11.2013, <12:13>

Sorry for my terrible english...
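As an added example (not code from the thread or from the Cygwin project), a small shell check for the ownership and write-permission rules given in this reply. It assumes GNU stat and GNU find, which both Linux and Cygwin provide, and that the user name passed in matches what stat reports as the owner; the sample home directory it builds when run without arguments is constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the thread or the Cygwin project): check the two
# paths the reply says sshd inspects, $HOME/.ssh and $HOME/.ssh/authorized_keys.
# Assumes GNU stat and GNU find, as shipped on Linux and in Cygwin.

# check_ssh_perms HOME USER
# Prints one line per problem found; returns 1 if anything was found, else 0.
check_ssh_perms() {
    home=$1
    user=$2
    rc=0
    for path in "$home/.ssh" "$home/.ssh/authorized_keys"; do
        if [ ! -e "$path" ]; then
            echo "MISSING  $path"
            rc=1
            continue
        fi
        owner=$(stat -c '%U' "$path")
        mode=$(stat -c '%a' "$path")
        if [ "$owner" != "$user" ]; then
            echo "OWNER    $path is owned by $owner, expected $user"
            rc=1
        fi
        # Any group or world write bit (mask 022) makes sshd with StrictModes
        # (the default) ignore the key file, so the client falls back to a
        # password prompt, which is exactly the symptom in this thread.
        if [ -n "$(find "$path" -maxdepth 0 -perm /022)" ]; then
            echo "WRITABLE $path has mode $mode, writable by group or others"
            rc=1
        fi
    done
    return $rc
}

# make_sample_home DIR: a constructed home directory with the classic mistake,
# a group-writable .ssh directory and key file. Only used for the demo below.
make_sample_home() {
    mkdir -p "$1/.ssh"
    : > "$1/.ssh/authorized_keys"
    chmod 775 "$1/.ssh"
    chmod 664 "$1/.ssh/authorized_keys"
}

# Usage: sh check_ssh_perms.sh /home/myuser [myuser]
# With no arguments the constructed sample home is checked instead.
if [ "$#" -ge 1 ]; then
    check_ssh_perms "$1" "${2:-$(id -un)}"
else
    sample=$(mktemp -d)
    make_sample_home "$sample"
    check_ssh_perms "$sample" "$(id -un)" || echo "sample home needs fixing, as expected"
    rm -rf "$sample"
fi
```

On Cygwin the mode that stat reports is synthesized from the Windows ACL, and that POSIX mode is what sshd's StrictModes check consults; if an extra ACL entry (for SYSTEM, say) surfaces as a group or world write bit, getfacl on the path shows which entry is responsible.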



* Re: Sshd and key based authentication
From: Andrea Venturoli @ 2013-11-18  9:18 UTC (permalink / raw)
  To: cygwin

On 11/18/13 09:22, Andrey Repin wrote:

> Did you install the Cygwin LSA module?
> http://cygwin.com/cygwin-ug-net/ntsec.html#ntsec-nopasswd2

I don't think so, but I can't check right now...

Should I?

  bye & Thanks
	av.



* Re: Sshd and key based authentication
From: Larry Hall (Cygwin) @ 2013-11-18 18:11 UTC (permalink / raw)
  To: cygwin

On 11/18/2013 2:58 AM, Andrea Venturoli wrote:
> Hello.
>
> I'm trying to set up sshd on a Windows 2003 domain controller.
> Everything works with password authentication; however I need this for a
> script, so, in order to get non-interactive login, I must use keys.
> Tried as hard as I could, but I could not achieve this: I'm always asked for
> a password.

<snip>

> Is this supposed to work? Several posts say so, but no one mentions a domain
> controller... Does it bring in anything special?

If you want/have to use domain user logins, then you need to create a
domain equivalent of 'cyg_server'.  You can use the scripts that
'ssh-host-config' uses as a guide to do this but the actual process
must be done by hand and you need access and permission on your domain
controller to set this up.

'ssh-host-config' will not handle this case for you.

> Are the above users correct? Any problem with it?

For local users, no, no problem.

> What are correct ownership and permissions of /home, /home/myuser,
> /home/myuser/.ssh and /home/myuser/.ssh/authorized_keys?

'ssh-host-config' will set these up for you.  I suggest you use it.

> According to some how-tos, ssh-host-config should have prompted with
> "CYGWIN=" and I should have replied "tty ntsec", but this did not happen.
> Other how-tos suggest putting this variable in the environment.
> Is this information current or obsolete? I tried and it didn't seem to
> matter...

<http://cygwin.com/cygwin-ug-net/ntsec.html#ntsec-setuid-overview>

Yes, this information is obsolete.  This is the main reason we
recommend not using various How-To guides that you'll find littered
around the Internet.

> Any other hint?

If a domain service account isn't an option, look at the other
options listed in the User's Guide:

<http://cygwin.com/cygwin-ug-net/ntsec.html#ntsec-setuid-overview>

Method 2 or 3 might be sufficient for your need.


-- 
Larry

_____________________________________________________________________

A: Yes.
 > Q: Are you sure?
 >> A: Because it reverses the logical flow of conversation.
 >>> Q: Why is top posting annoying in email?


* Re: Sshd and key based authentication
From: Andrea Venturoli @ 2013-11-20 17:37 UTC (permalink / raw)
  To: cygwin

On 11/18/13 10:17, Andrea Venturoli wrote:
> On 11/18/13 09:22, Andrey Repin wrote:
>
>> Did you install the Cygwin LSA module?
>> http://cygwin.com/cygwin-ug-net/ntsec.html#ntsec-nopasswd2
>
> I don't think so, but I can't check right now...
>
> Should I?

Hello.

Today I followed your instruction, ran /usr/bin/cyglsa-config and 
rebooted: still no luck.

I raised the loglevel to DEBUG3 and verified sshd was *always* looking 
for /home/cyg_server/.ssh/authorized_keys, regardless of the user trying 
to log in.

So, if I do "ln -s /home/user /home/cyg_server", then ssh user@server 
works without password prompt!!!
Of course I know the security implications of this...

Any further hint appreciated.

  bye & Thanks
	av.


* Re: Sshd and key based authentication
From: Andrey Repin @ 2013-11-20 21:50 UTC (permalink / raw)
  To: Andrea Venturoli, cygwin

Greetings, Andrea Venturoli!

>>> Did you install the Cygwin LSA module?
>>> http://cygwin.com/cygwin-ug-net/ntsec.html#ntsec-nopasswd2
>>
>> I don't think so, but I can't check right now...
>>
>> Should I?

> Hello.

> Today I followed your instruction, ran /usr/bin/cyglsa-config and 
> rebooted: still no luck.

> I raised the loglevel to DEBUG3 and verified sshd was *always* looking 
> for /home/cyg_server/.ssh/authorized_keys, regardless of the user trying 
> to log in.

Erm, that's strange.
Can we see a

egrep -iv "^(#|$)" /etc/ssh/sshd_config

?
Does Cygwin know about your domain users?
And what command do you use to connect to the server?

> So, if I do "ln -s /home/user /home/cyg_server", then ssh user@server 
> works without password prompt!!!
> Of course I know the security implications of this...

That's indeed not the best idea...


--
WBR,
Andrey Repin (anrdaemon@yandex.ru) 21.11.2013, <01:43>

Sorry for my terrible english...



* Re: Sshd and key based authentication
From: Larry Hall (Cygwin) @ 2013-11-20 23:00 UTC (permalink / raw)
  To: cygwin

On 11/20/2013 12:37 PM, Andrea Venturoli wrote:
> On 11/18/13 10:17, Andrea Venturoli wrote:
>> On 11/18/13 09:22, Andrey Repin wrote:
>>
>>> Did you install the Cygwin LSA module?
>>> http://cygwin.com/cygwin-ug-net/ntsec.html#ntsec-nopasswd2
>>
>> I don't think so, but I can't check right now...
>>
>> Should I?
>
> Hello.
>
> Today I followed your instruction, ran /usr/bin/cyglsa-config and rebooted:
> still no luck.
>
> I raised the loglevel to DEBUG3 and verified sshd was *always* looking for
> /home/cyg_server/.ssh/authorized_keys, regardless of the user trying to log in.
>
> So, if I do "ln -s /home/user /home/cyg_server", then ssh user@server works
> without password prompt!!!
> Of course I know the security implications of this...

Hm, thinking about this a little more, if you're still trying to log in
with domain users, your best bet is probably option 3 in the Users
Guide.  Since option 2 is using the Local Security Authority (LSA), it's
not going to get better at authenticating domain users than the default
mode unless the user you run the service as can authenticate domain
users.  So in this respect, it's the same thing as the default option
(the first option in the Users Guide).  Option 3 authenticates with the
password though so it should be much more like normal ssh password
authentication.  Give it a try and let us know if my thought experiment
works in the real world. :-)


-- 
Larry

_____________________________________________________________________

A: Yes.
 > Q: Are you sure?
 >> A: Because it reverses the logical flow of conversation.
 >>> Q: Why is top posting annoying in email?


* Re: Sshd and key based authentication
From: Andrea Venturoli @ 2013-11-26 17:12 UTC (permalink / raw)
  To: cygwin

On 11/20/13 22:47, Andrey Repin wrote:

>> I raised the loglevel to DEBUG3 and verified sshd was *always* looking
>> for /home/cyg_server/.ssh/authorized_keys, regardless of the user trying
>> to log in.
>
> Erm, that's strange.
> Can we see a
>
> egrep -iv "^(#|$)" /etc/ssh/sshd_config
>
> ?

Hello.

I tracked this down to
 > AuthorizedKeysFile     ~/.ssh/authorized_keys
in /etc/sshd_config.

I don't remember if this came from the default or one of my tests which 
I forgot to remove.

Thanks for all the help
	av.


* Re: Sshd and key based authentication
From: Larry Hall (Cygwin) @ 2013-11-26 20:25 UTC (permalink / raw)
  To: cygwin

On 11/26/2013 12:12 PM, Andrea Venturoli wrote:
> On 11/20/13 22:47, Andrey Repin wrote:
>
>>> I raised the loglevel to DEBUG3 and verified sshd was *always* looking
>>> for /home/cyg_server/.ssh/authorized_keys, regardless of the user trying
>>> to log in.
>>
>> Erm, that's strange.
>> Can we see a
>>
>> egrep -iv "^(#|$)" /etc/ssh/sshd_config
>>
>> ?
>
> Hello.
>
> I tracked this down to
>  > AuthorizedKeysFile     ~/.ssh/authorized_keys
> in /etc/sshd_config.
>
> I don't remember if this came from the default or one of my tests which I
> forgot to remove.

The latter, it seems.  The default is .ssh/authorized_keys.


-- 
Larry

_____________________________________________________________________

A: Yes.
 > Q: Are you sure?
 >> A: Because it reverses the logical flow of conversation.
 >>> Q: Why is top posting annoying in email?
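As an added example (not code from the thread or from the Cygwin project), a shell script that does what Andrey's earlier request and Andrea's finding together suggest: print the effective sshd_config directives with the same filter as the egrep command quoted above, then report how each AuthorizedKeysFile path will be resolved and flag one that starts with `~`, the setting the thread traced the problem to. It assumes the config file path is passed as the first argument; the sample sshd_config it writes when run without arguments is constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the thread or the Cygwin project): list the
# effective sshd_config directives and check the AuthorizedKeysFile setting.
# Assumes the sshd_config path is passed as $1; otherwise a constructed
# sample is used.

# effective_config FILE: the non-comment, non-blank lines. Same filter as
# the egrep command in the thread, with grep -E in place of egrep.
effective_config() {
    grep -Eiv '^(#|$)' "$1"
}

# check_authorized_keys_file FILE
# Prints how each AuthorizedKeysFile path is resolved; returns 1 if any
# of them starts with '~', 0 otherwise.
check_authorized_keys_file() {
    paths=$(effective_config "$1" |
        awk 'tolower($1) == "authorizedkeysfile" { for (i = 2; i <= NF; i++) print $i }')
    if [ -z "$paths" ]; then
        # No directive: the default the reply above names applies.
        echo "DEFAULT  .ssh/authorized_keys (no AuthorizedKeysFile directive)"
        return 0
    fi
    rc=0
    for p in $paths; do
        case $p in
            '~'*)
                # In the thread this form made sshd read the service
                # account's /home/cyg_server/.ssh/authorized_keys for every
                # login. Use a path relative to the home directory, or %h.
                echo "TILDE    $p was resolved to the service account's home in the thread, not the login user's"
                rc=1 ;;
            *%h*|*%u*)
                echo "TOKEN    $p expands per user (%h = home directory, %u = user name)" ;;
            /*)
                echo "ABSOLUTE $p is the same file for every user" ;;
            *)
                echo "RELATIVE $p is resolved under the login user's home directory" ;;
        esac
    done
    return $rc
}

# write_sample_config FILE: a constructed sshd_config fragment reproducing
# the setting found in the thread. Demo input only, not a real server's file.
write_sample_config() {
    cat > "$1" <<'EOF'
# constructed sample, not a real server configuration
Port 22

AuthorizedKeysFile     ~/.ssh/authorized_keys
StrictModes yes
EOF
}

# Usage: sh check_sshd_keys.sh /etc/ssh/sshd_config
conf=${1:-}
if [ -z "$conf" ]; then
    conf=$(mktemp)
    write_sample_config "$conf"
fi
echo "== effective configuration =="
effective_config "$conf"
echo "== AuthorizedKeysFile =="
if check_authorized_keys_file "$conf"; then
    echo "OK"
else
    echo "FIX NEEDED: a '~' path was found"
fi
```

Run it against the real file (`/etc/ssh/sshd_config` on Cygwin, the path Andrey's command used) after any change to sshd_config; on this thread's setup it would have printed the TILDE line immediately instead of needing DEBUG3 logging to spot which authorized_keys file sshd was opening.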
