From: Andrey Repin
Reply-To: cygwin@cygwin.com
To: Jarek, cygwin@cygwin.com
Date: Tue, 21 Jul 2015 20:50:00 -0000
Subject: Re: Cygwin ssh and Windows authentication

Greetings, Jarek!

>>> So why are they not needed as your comment doesn't really explain that
>> Read 1.7.35 changelog.
>> In short, username resolution was completely reworked, thanks to Corinna, and
>> Cygwin now directly addresses domain controllers for it.
> OK so it addresses DCs to check some settings or privileges. I don't
> suppose it just asks 'hey DS, can contoso\johnd access sshd on server1?'

Indirectly, that can be done, i.e., by including a user in an "SSH" group and allowing only the "DOMAIN+SSH" group to authorize on the server.

> to which the DC is like 'dude, what the heck is sshd?' :)

This is not that simple.
The actual authentication is done by SSH itself in this case. Same as on *NIX.
For THIS (or, more precisely, to craft the auth token which IS THE "user" in terms of OS access control) it needs certain privileges.
The details are in the documentation I linked earlier, the next question about using public keys with SSH.

> I now have the cygwin service running in domain context so now I would
> somehow need to let the DC know who is allowed to ssh to my server1.

By default, everyone will be allowed, and they will have only what rights they have, as the actual access control is done by the OS itself, once the user is authenticated.

> My domain account, although in local admins on the server is now failing
> authentication when trying to ssh. Which gets us back to the question what
> do I need for a DC to authenticate me?

Nothing more than what is stated in the FAQ entry.
I suggest starting from a new Cygwin install (stop and remove installed Cygwin services and rename your existing installation out of the way) and rechecking the results.
Verbose logging from both client and server may give some insight, too.

>>> and how exactly did I screw up my setup if I can actually access the
>>> server with a domain user account no problem?
>> On that, I'm surprised.
> Maybe a bug then?

Depends on what exactly the state was. But I'm not concerned.
There are so few narrow use cases left for having passwd/group files around that it is better to just get rid of them.
Because:

>> /etc/passwd/group has nothing to do with "access control".
>> The files were only used to convert Windows to Cygwin names (and supply other
>> Cygwin-specific information), on the presumption that there will never be too
>> much of it. This is now done on the fly, allowing Cygwin to be deployed in large
>> domains.

-- 
With best regards,
Andrey Repin
Tuesday, July 21, 2015 23:27:07

Sorry for my terrible English...

--
Problem reports: http://cygwin.com/problems.html
FAQ: http://cygwin.com/faq/
Documentation: http://cygwin.com/docs.html
Unsubscribe info: http://cygwin.com/ml/#unsubscribe-simple
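As an added example (not code from this thread or from the Cygwin project), the POSIX shell script below reports whether an sshd_config leaves the server open to every authenticated domain user, which the reply says is the default, or restricts it with AllowGroups as in the "DOMAIN+SSH" suggestion. The two config files and the domain name DOMAIN are constructed placeholders; it assumes no Match blocks are in use.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread or the Cygwin project.
# OpenSSH takes the FIRST AllowGroups/AllowUsers value in the main section;
# anything after a Match block is ignored here (assumption: none are used).

# Constructed sample configs written to a temporary directory.
SAMPLE_DIR=$(mktemp -d)

# Default-style config: no Allow* directive, so every user the domain
# controller authenticates gets a shell, limited only by OS access control.
cat > "$SAMPLE_DIR/open.conf" <<'EOF'
Port 22
StrictModes yes
EOF

# Restricted config: only members of the domain group "SSH" (shown by Cygwin
# as DOMAIN+SSH, where DOMAIN is a placeholder) may log in.
cat > "$SAMPLE_DIR/restricted.conf" <<'EOF'
Port 22
AllowGroups DOMAIN+SSH
StrictModes yes
EOF

# sshd_allow_policy FILE -> prints "open", or "groups:<list>" / "users:<list>"
sshd_allow_policy() {
    groups=$(awk 'tolower($1)=="match" { exit }
                  tolower($1)=="allowgroups" { $1=""; sub(/^ +/,""); print; exit }' "$1")
    users=$(awk 'tolower($1)=="match" { exit }
                 tolower($1)=="allowusers" { $1=""; sub(/^ +/,""); print; exit }' "$1")
    if [ -z "$groups" ] && [ -z "$users" ]; then
        echo "open"
        return 0
    fi
    if [ -n "$groups" ]; then echo "groups:$groups"; fi
    if [ -n "$users" ]; then echo "users:$users"; fi
    return 0
}

sshd_allow_policy "$SAMPLE_DIR/open.conf"         # open
sshd_allow_policy "$SAMPLE_DIR/restricted.conf"   # groups:DOMAIN+SSH
```

Run it against a live server's file (for example /etc/sshd_config on Cygwin) to see at a glance whether the group restriction the reply describes is actually in place.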