public inbox for cygwin@cygwin.com
* SSH Keys breaking symlink access?
@ 2017-05-19 20:51 Dave.Pierce
  2017-05-19 21:37 ` Erik Soderquist
  0 siblings, 1 reply; 3+ messages in thread
From: Dave.Pierce @ 2017-05-19 20:51 UTC (permalink / raw)
  To: cygwin

Hello!

I am running Cygwin-64, 2.8.0(0.309/5/3) on a Windows 2016 Server. This system is intended for use by a fairly wide audience of devs. We have this working correctly on an old Windows 2008 box running Cygwin 1.7.9(0.237/5/3). The new system is intended to replace the old one. I've mimicked the configuration as much as possible on the new system, but am running into an issue with passwordless (key-auth) ssh.

I have created a windows symlink ("mklink /d /sharename [unc_path]") in the c:\cygwin64 directory that points to an NFS share. (This is the same as the old system.)

I have OpenSSH configured and working.

I can access "/sharename" within explorer (c:\cygwin64\sharename\) and locally from within the Cygwin prompt (/sharename), when logged in as either the service account or my own domain account.

If I ssh into the system using password authentication, I am able to "ls /sharename" regardless of which account I use, in either interactive mode or not.

If I copy ~/.ssh/ to the server for the service account, I can get into /sharename.

But if I copy ~/.ssh/ for my own domain account, I cannot. I get a "permission denied" error when attempting to cd to /sharename or do an ls of it. This is true whether I ssh into the system interactively, or execute the command remotely / non-interactively.

On the old system, "ls -la /" shows the link owned by the service account user. On the new system, it was initially owned by "Administrators" but I changed it to match. This did not change behavior. I've diffed the other Cygwin config files and except for a couple minor tweaks due to the newer Cygwin version, there are no differences.

/var/log/sshd.log shows nothing.

Any help or troubleshooting tips would be appreciated. I'm not so hot as a Windows admin - without dmesg or a syslog, I'm kind of at a loss. I don't really understand why ssh key auth would interfere with file system or network access in this way.

Regards,
Dave P.


--
Problem reports:       http://cygwin.com/problems.html
FAQ:                   http://cygwin.com/faq/
Documentation:         http://cygwin.com/docs.html
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple


* Re: SSH Keys breaking symlink access?
  2017-05-19 20:51 SSH Keys breaking symlink access? Dave.Pierce
@ 2017-05-19 21:37 ` Erik Soderquist
  2017-05-19 21:50   ` Erik Soderquist
  0 siblings, 1 reply; 3+ messages in thread
From: Erik Soderquist @ 2017-05-19 21:37 UTC (permalink / raw)
  To: cygwin

On Fri, May 19, 2017 at 3:26 PM, Dave Pierce wrote:
> Hello!
>
> I am running Cygwin-64, 2.8.0(0.309/5/3) on a Windows 2016 Server. This
> system is intended for use by a fairly wide audience of devs. We have this
> working correctly on an old Windows 2008 box running Cygwin
> 1.7.9(0.237/5/3).
> The new system is intended to replace the old one. I've mimicked the
> configuration as much possible on the new system, but am running
> into an issue with passwordless (key-auth) ssh.

Did you set up the daemon and use "passwd -R"?

> I have created a windows symlink ("mklink /d /sharename [unc_path]") in
> the c:\cygwin64 directory that points to an NFS share. (This is the same
> as the old system.)
>
> I have OpenSSH configured and working.
>
> I can access "/sharename" within explorer (c:\cygwin64\sharename\)
> and locally from within the Cygwin prompt (/sharename), when
> logged in as either the service account or my own domain account.
>
> If I ssh into the system using password authentication, I am able to
> "ls /sharename" regardless of which account I use, in either
> interactive mode or not.
>
> If I copy ~/.ssh/ to the server for the service account, I can get into
> /sharename.
>
> But if I copy ~/.ssh/ for my own domain account, I cannot. I get a
> "permission denied" error when attempting to cd to /sharename or
> do an ls of it. This is true whether I ssh into the system
> interactively, or execute the command remotely / non-interactively.

This is expected behavior if you have not used "passwd -R" to
provide the network password.

-- Erik



* Re: SSH Keys breaking symlink access?
  2017-05-19 21:37 ` Erik Soderquist
@ 2017-05-19 21:50   ` Erik Soderquist
  0 siblings, 0 replies; 3+ messages in thread
From: Erik Soderquist @ 2017-05-19 21:50 UTC (permalink / raw)
  To: cygwin

On Fri, May 19, 2017 at 5:30 PM, Erik Soderquist wrote:
> This is expected behavior if you have not used "passwd -R" to
> provide the network password.


from the doc (https://cygwin.com/cygwin-ug-net/ntsec.html#ntsec-setuid-overview):
So what we do is to utilize this registry area for the purpose of
set(e)uid. The Cygwin command passwd -R allows a user to specify
his/her password for storage in this registry area. When this user
tries to login using ssh with public key authentication, Cygwin's
set(e)uid examines the LSA private registry area and searches for a
Cygwin specific key which contains the password. If it finds it, it
calls LogonUser under the hood, using this password. If that works,
LogonUser returns an access token with all credentials necessary for
network access.


-- Erik
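As an added example, not part of the thread and not code from the Cygwin project, the following bash script turns Dave's manual comparison into a repeatable client-side probe. It runs the same `ls` on the server twice over ssh, once forcing password authentication and once forcing public-key authentication, and interprets the pair of results against the mechanism quoted from the ntsec documentation above: "password logon reaches the share, key logon does not" is the signature of a set(e)uid token that carries no network credentials. `SSH_TARGET` and `SHARE` are placeholder names you supply; nothing about the real hosts in the thread is assumed.

```bash
#!/usr/bin/env bash
# Added example, not from the thread or from Cygwin: probe one Cygwin sshd
# host twice over ssh, once forcing password authentication and once forcing
# public-key authentication, and compare whether a network-backed path is
# readable under each. The pattern "password ok, key denied" is the
# set(e)uid-without-network-credentials case described in the ntsec doc.
#
# Usage (both names are placeholders you supply):
#   SSH_TARGET=user@host SHARE=/sharename bash probe_share.sh
set -u

SSH_TARGET="${SSH_TARGET:-}"
SHARE="${SHARE:-/sharename}"

# Map an ssh exit status to a verdict. ssh exits 255 on its own failure
# (connection or authentication); any other status belongs to the remote
# command, so non-zero there means the remote ls was refused.
classify_exit() {
    case "$1" in
        0)   echo ok ;;
        255) echo ssh-error ;;
        *)   echo denied ;;
    esac
}

# Run "ls SHARE" on the target with exactly one authentication method.
#   probe password  -> interactive password prompt, public keys disabled
#   probe publickey -> key only, never prompt (BatchMode)
probe() {
    local method="$1" status
    case "$method" in
        password)
            ssh -o PubkeyAuthentication=no \
                -o PreferredAuthentications=password,keyboard-interactive \
                "$SSH_TARGET" "ls '$SHARE' >/dev/null 2>&1" ;;
        publickey)
            ssh -o BatchMode=yes -o PasswordAuthentication=no \
                -o PreferredAuthentications=publickey \
                "$SSH_TARGET" "ls '$SHARE' >/dev/null 2>&1" ;;
        *) return 255 ;;
    esac
    status=$?
    classify_exit "$status"
}

# Combine the two verdicts into a diagnosis.
diagnose() {
    local pw="$1" key="$2"
    if [ "$pw" = ssh-error ] || [ "$key" = ssh-error ]; then
        echo "ssh itself failed for at least one method; fix connectivity and key/password setup before drawing conclusions"
    elif [ "$pw" = ok ] && [ "$key" = denied ]; then
        echo "password logon reaches $SHARE but public-key logon does not: the key-auth token carries no network credentials. On the server, logged in as this user, run 'passwd -R' to store the password for set(e)uid, then retry"
    elif [ "$pw" = ok ] && [ "$key" = ok ]; then
        echo "both methods reach $SHARE; this is not the set(e)uid credential problem"
    elif [ "$pw" = denied ] && [ "$key" = denied ]; then
        echo "denied under both methods: an ordinary permission or ownership problem on $SHARE, not tied to the authentication method"
    else
        echo "public-key logon reaches $SHARE but password logon does not: unexpected; check that both probes used the same account"
    fi
}

# Only probe when a target was given, so the functions can be sourced safely.
if [ -n "$SSH_TARGET" ]; then
    pw_verdict=$(probe password)
    key_verdict=$(probe publickey)
    printf 'password auth  : %s\npublic-key auth: %s\n' "$pw_verdict" "$key_verdict"
    diagnose "$pw_verdict" "$key_verdict"
fi
```

Two caveats worth keeping in mind when the diagnosis points at `passwd -R`. The password it stores lives in the LSA private registry area on the sshd host, so any local administrator (or anything running as SYSTEM) on that host can recover the plaintext credential of every user who has stored one; on a box shared by "a fairly wide audience of devs" that is a meaningful expansion of what a server compromise yields. And the stored value is a snapshot: after a domain password change the user has to run `passwd -R` again, or key-based logins silently fall back to a token without network credentials and the "permission denied" comes back.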


