public inbox for cygwin@cygwin.com
From: Andrey Repin <anrdaemon@yandex.ru>
To: All <cygwin@cygwin.com>
Subject: SSHD with key-based auth and non-cygwin user's home.
Date: Fri, 30 Mar 2018 11:21:00 -0000
Message-ID: <724806361.20180330050105@yandex.ru>


Greetings, All!

Thought I'd share in the light of recent SSH questions.
I wasn't using Cygwin SSHD all that much up until recently, when I had to do
some long work over a very slow connection, that wasn't capable of sustaining
an RDP session.
I had to use an existing SSHD server somebody conveniently installed a long
time ago, and integrated with the domain infrastructure.
Surprisingly, the server was in good shape and no hacks were involved in its
setup, but… but the domain setup itself was a problem. Users' home directories
are located on a network share, and setting "correct" permissions on the
~/.ssh was not quite an option.
Understandably, the only remaining option was to connect with a password and let
SSH establish a correct network session. However, I quickly got tired of typing
the password over and over again.
The solution came in the form of AuthorizedKeysFile SSHD setting.
The solution itself, step by step:

1. Create a directory in the /etc/ (I prefer /etc/ssh/pubkeys/ )
2. Set permissions to an equivalent of root:users 0750 (or root:root 0755)
3. In this directory, create files with names matching user logins.
4. Adjust ownership of the files to allow users to modify them.
5. Adjust your sshd_config file to include this setting:

    AuthorizedKeysFile /etc/ssh/pubkeys/%u %h/.ssh/authorized_keys

6. For users' convenience, create symlinks from ~/.ssh/authorized_keys
pointing to the detached keys.

This setup can be used in any environment where it is not feasible or even
possible to satisfy SSH's rather arbitrary requirements on the "security" of
the authorized_keys file within the user's home directory.
On *NIX it is literally enough to set "pubkeys" directory to root:users 0750
to secure the files in place. Users will be unable to rename or delete files,
only change their contents.
On Windows, you have to be more careful with permissions inheritance, but
nothing that can't be done.


-- 
With best regards,
Andrey Repin
Friday, March 30, 2018 03:29:44

Sorry for my terrible english...
