public inbox for cygwin@cygwin.com
From: "Larry Hall (Cygwin)" <reply-to-list-only-lh@cygwin.com>
To: cygwin@cygwin.com
Subject: Re: Sshd and key based authentication
Date: Wed, 20 Nov 2013 23:00:00 -0000
Message-ID: <528D3F0F.4070405@cygwin.com>
In-Reply-To: <528CF357.3020000@netfence.it>

On 11/20/2013 12:37 PM, Andrea Venturoli wrote:
> On 11/18/13 10:17, Andrea Venturoli wrote:
>> On 11/18/13 09:22, Andrey Repin wrote:
>>
>>> Did you install the Cygwin LSA module?
>>> http://cygwin.com/cygwin-ug-net/ntsec.html#ntsec-nopasswd2
>>
>> I don't think so, but I can't check right now...
>>
>> Should I?
>
> Hello.
>
> Today I followed your instruction, ran /usr/bin/cyglsa-config and rebooted:
> still no luck.
>
> I raised the loglevel to DEBUG3 and verified sshd was *always* looking for
> /home/cyg_server/.ssh/authorized_keys, regardless of the user trying to log in.
>
> So, if I do "ln -s /home/user /home/cyg_server", then ssh user@server works
> without password prompt!!!
> Of course I know the security implications of this...

Hm, thinking about this a little more, if you're still trying to log in
with domain users, your best bet is probably option 3 in the User's
Guide.  Since option 2 is using the Local Security Authority (LSA), it's
not going to get better at authenticating domain users than the default
mode unless the user you run the service as can authenticate domain
users.  So in this respect, it's the same thing as the default option
(the first option in the User's Guide).  Option 3 authenticates with the
password, though, so it should be much more like normal ssh password
authentication.  Give it a try and let us know if my thought experiment
works in the real world. :-)


-- 
Larry

_____________________________________________________________________

A: Yes.
 > Q: Are you sure?
 >> A: Because it reverses the logical flow of conversation.
 >>> Q: Why is top posting annoying in email?

--
Problem reports:       http://cygwin.com/problems.html
FAQ:                   http://cygwin.com/faq/
Documentation:         http://cygwin.com/docs.html
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple
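
Added example, not part of the original message and not Cygwin or OpenSSH project code: a shell check for the symptom reported in the quoted text, where sshd tries the same authorized_keys path regardless of the user logging in. It assumes sshd debug output containing the "userauth-request for user ..." and "trying public key file ..." lines and home directories under /home/<user>; the function names, user names and log lines are constructed.

```shell
#!/bin/sh
# Constructed sample of sshd debug output (not taken from the thread).
# alice's login is checked against the service account's key file,
# bob's against his own.
sample_log() {
cat <<'EOF'
debug1: userauth-request for user alice service ssh-connection method publickey
debug1: trying public key file /home/cyg_server/.ssh/authorized_keys
debug1: userauth-request for user bob service ssh-connection method publickey
debug1: trying public key file /home/bob/.ssh/authorized_keys
EOF
}

# check_keyfile_owner LOG [HOME_BASE]
#   LOG        sshd debug log to scan, "-" for stdin
#   HOME_BASE  assumed parent of all home directories (default /home)
# Prints one MISMATCH line for every key file that sshd tried outside the
# home directory of the user named in the preceding auth request.
# Exit status is 1 if any mismatch was found, 0 otherwise.
check_keyfile_owner() {
    awk -v base="${2:-/home}" '
        / userauth-request for user / {
            # The user name is the word following "user".
            for (i = 1; i < NF; i++) if ($i == "user") user = $(i + 1)
            next
        }
        / trying public key file / {
            path = $NF                  # assumes no spaces in the path
            want = base "/" user "/"
            if (user != "" && index(path, want) != 1) {
                printf "MISMATCH user=%s keyfile=%s\n", user, path
                bad++
            }
        }
        END { exit (bad > 0) }
    ' "${1:--}"
}

# Usage: check_keyfile_owner path/to/sshd-debug.log
#        sample_log | check_keyfile_owner -
```

A mismatch where the key file sits under the service account's home is the condition that makes the symlink workaround behave as a shared key store for every login.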
