public inbox for cygwin@cygwin.com
* CYGWIN - As admin setup other users SSH for them?
@ 2014-06-05  2:40 Roger Vicker, CCP
  2014-06-05  7:46 ` Warren Young
  0 siblings, 1 reply; 6+ messages in thread
From: Roger Vicker, CCP @ 2014-06-05  2:40 UTC (permalink / raw)
  To: cygwin

I've got a Windows system setup with SSH in CYGWIN working.

I've used mkpasswd to install the users in /etc/passwd.

As administrator I want to:
1) generate the key pairs for the other users.
2) install the public key in the user's $home/.ssh/authorized_keys.
3) deliver the private key to the user along with the rest of the
instructions on how to use it in the provided apps.

Without their passwords I can't login to establish their $home
directory structure, run ssh-keygen, copy the key files.

Thanks.


--
Problem reports:       http://cygwin.com/problems.html
FAQ:                   http://cygwin.com/faq/
Documentation:         http://cygwin.com/docs.html
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple


* Re: CYGWIN - As admin setup other users SSH for them?
  2014-06-05  2:40 CYGWIN - As admin setup other users SSH for them? Roger Vicker, CCP
@ 2014-06-05  7:46 ` Warren Young
  2014-06-10 20:56   ` Roger Vicker, CCP
  0 siblings, 1 reply; 6+ messages in thread
From: Warren Young @ 2014-06-05  7:46 UTC (permalink / raw)
  To: Cygwin-L

On 6/4/2014 16:05, Roger Vicker, CCP wrote:
> 3) deliver the private key to the user along with the rest of the
> instructions on how to use it in the provided apps.

How were you planning on delivering these sensitive private keys?  Via 
insecure email, perhaps?

Use ssh as it was designed: have the users generate their own local 
keypairs, and have them email the public key to you.  The words we use 
here mean something.  The *public* key goes out over the public link, 
and the *private* key stays at home.

It's not like the commands are difficult.  They set up a local Cygwin, 
add the openssh package, then say:

     $ ssh-keygen
     ...press Enter a bunch of times...
     $ cat ~/.ssh/id_rsa.pub > /dev/clipboard
     ...compose email to rvicker, paste

> Without their passwords I can't login to establish their $home
> directory structure,

Take a look at /etc/profile, starting at line 75.  See the stuff about 
/etc/skel?  That's how the user's home directory gets set up.  Nothing 
magic here.  You could cut those couple-dozen lines into a new script 
and tweak it for your purposes.

The only trick is that if you do all this as administrator, you'll have 
to say something like

     # chown -R otheruser.otheruser ~otheruser

after you get done setting up the user's home directory.
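
The administrator-side half of the advice above (create the user's .ssh directory, install the emailed public key, then hand over ownership), as an added example that is not part of the original thread. The function name `install_pubkey`, its arguments, the script name in the last comment, and the key-format and duplicate checks are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not from the thread. Run as administrator on the SSH server.
# Usage: install_pubkey HOME_DIR PUBKEY_FILE [OWNER]   (OWNER is passed to chown)
install_pubkey() {
    home_dir=$1; pubkey_file=$2; owner=${3:-}
    [ -d "$home_dir" ] && [ -r "$pubkey_file" ] || return 2

    # Only the public half should ever reach the administrator.
    if grep -q 'PRIVATE KEY' "$pubkey_file"; then
        echo "refusing: $pubkey_file contains private key material" >&2
        return 3
    fi

    # Use the first non-blank line; it must look like "<type> <base64> [comment]".
    # The base64 blob of every OpenSSH public key begins with "AAAA".
    key=$(grep -v '^[[:space:]]*$' "$pubkey_file" | head -n 1)
    case $key in
        ssh-rsa\ AAAA*|ssh-ed25519\ AAAA*|ecdsa-sha2-nistp*\ AAAA*) ;;
        *) echo "refusing: not an OpenSSH public key line" >&2; return 4 ;;
    esac

    ssh_dir=$home_dir/.ssh
    auth=$ssh_dir/authorized_keys
    mkdir -p "$ssh_dir" && chmod 700 "$ssh_dir" || return 1
    touch "$auth" && chmod 600 "$auth" || return 1

    # Append only if this exact line is not already installed.
    grep -qxF -- "$key" "$auth" || printf '%s\n' "$key" >> "$auth"

    # Files created by the administrator belong to the administrator until
    # ownership is handed over, which is the chown step from the message above.
    if [ -n "$owner" ]; then
        chown -R "$owner" "$ssh_dir" || return 1
    fi
}

# Run directly (hypothetical file name):
#   sh install_pubkey.sh /home/otheruser otheruser.pub otheruser
if [ "$#" -ge 2 ]; then install_pubkey "$@"; fi
```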


* Re: CYGWIN - As admin setup other users SSH for them?
  2014-06-05  7:46 ` Warren Young
@ 2014-06-10 20:56   ` Roger Vicker, CCP
  2014-06-10 21:36     ` Warren Young
  0 siblings, 1 reply; 6+ messages in thread
From: Roger Vicker, CCP @ 2014-06-10 20:56 UTC (permalink / raw)
  To: cygwin

On 6/5/2014 2:46 AM, Warren Young arranged the binary bits such that:

> On 6/4/2014 16:05, Roger Vicker, CCP wrote:
>> 3) deliver the private key to the user along with the rest of the
>> instructions on how to use it in the provided apps.
> How were you planning on delivering these sensitive private keys?  Via
> insecure email, perhaps?

These particular users are barely computer literate so I would be
copying the private keys directly to their Android devices and setting
up the apps that need to use SSH as a tunnel to connect to their server
side apps.

> Use ssh as it was designed: have the users generate their own local
> keypairs, and have them email the public key to you.  The words we use
> here mean something.  The *public* key goes out over the public link,
> and the *private* key stays at home.
>
I know security. That is why we are implementing SSH with keys to
further secure a remote protocol. VPN is not as practical given the
level of the users, the specific remote devices and app.

> It's not like the commands are difficult.  They set up a local Cygwin,
> add the openssh package, then say:
>
>     $ ssh-keygen
>     ...press Enter a bunch of times...
>     $ cat ~/.ssh/id_rsa.pub > /dev/clipboard
>     ...compose email to rvicker, paste
>
>> Without their passwords I can't login to establish their $home
>> directory structure,
> Take a look at /etc/profile, starting at line 75.  See the stuff about
> /etc/skel?  That's how the user's home directory gets set up.  Nothing
> magic here.  You could cut those couple-dozen lines into a new script
> and tweak it for your purposes.
>
> The only trick is that if you do all this as administrator, you'll
> have to say something like
>
>     # chown -R otheruser.otheruser ~otheruser
>
> after you get done setting up the user's home directory.
>



* Re: CYGWIN - As admin setup other users SSH for them?
  2014-06-10 20:56   ` Roger Vicker, CCP
@ 2014-06-10 21:36     ` Warren Young
  2014-06-11  3:05       ` Roger Vicker, CCP
  0 siblings, 1 reply; 6+ messages in thread
From: Warren Young @ 2014-06-10 21:36 UTC (permalink / raw)
  To: Cygwin-L

On 6/10/2014 14:56, Roger Vicker, CCP wrote:
> These particular users are barely computer literate so I would be
> copying the private keys directly to their Android devices

In that case, why not just replicate the effect of "ssh-copy-id" from 
each Android device before it leaves your hands?


* Re: CYGWIN - As admin setup other users SSH for them?
  2014-06-10 21:36     ` Warren Young
@ 2014-06-11  3:05       ` Roger Vicker, CCP
  2014-06-11 10:01         ` Warren Young
  0 siblings, 1 reply; 6+ messages in thread
From: Roger Vicker, CCP @ 2014-06-11  3:05 UTC (permalink / raw)
  To: cygwin


On 6/10/2014 4:36 PM, Warren Young arranged the binary bits such that:
> On 6/10/2014 14:56, Roger Vicker, CCP wrote:
>> These particular users are barely computer literate so I would be
>> copying the private keys directly to their Android devices
>
> In that case, why not just replicate the effect of "ssh-copy-id" from
> each Android device before it leaves your hands?
>
1) The point of using keys is to eliminate password login (there are
other layers involved elsewhere).
2) Even if I "temporarily" enabled password login I would need the
user's password to this network.
3) The usual "after necessary sharing a password" changing of it upsets
the user as the periodic change is always "too frequent".



* Re: CYGWIN - As admin setup other users SSH for them?
  2014-06-11  3:05       ` Roger Vicker, CCP
@ 2014-06-11 10:01         ` Warren Young
  0 siblings, 0 replies; 6+ messages in thread
From: Warren Young @ 2014-06-11 10:01 UTC (permalink / raw)
  To: Cygwin-L

On 6/10/2014 21:04, Roger Vicker, CCP wrote:
>
>> In that case, why not just replicate the effect of "ssh-copy-id"
>>
> 1) The point of using keys is to eliminate password login (there are
> other layers involved elsewhere).
> 2) Even if I "temporarily" enabled password login I would need the
> user's password to this network.
> 3) The usual "after necessary sharing a password" changing of it upsets
> the user as the periodic change is always "too frequent".

So make the Android client generate a key pair on first launch, then 
until it successfully uses the key to log in, ask for the user's 
password and use that instead.  Thereafter, use the key exclusively.

Windows doesn't readily offer a "su" or "sudo" like mechanism.  There 
are ways[1] to arm-twist Windows into offering something like it, but 
it's a lot of work to go through to achieve your preconceived solution 
to the problem.


[1] https://cygwin.com/cygwin-ug-net/ntsec.html#ntsec-nopasswd1
