This is the mail archive of the cygwin mailing list for the Cygwin project.



Re: LDAP integration and sshd


On Jun 25 12:34, Achim Gratz wrote:
> I've just managed to set up a working sshd on a Cygwin snapshot with LDAP
> integration.  The setup scripts required quite a few modifications to deal
> properly with the way local accounts and groups are now named.  I've had to
> reinstate files for passwd to record an "sshd" there as otherwise the
> service wouldn't start ("Privilege separation user sshd does not exist").

You read my preliminary doc, I hope?  I attached it again, for
completeness.  But, here's what happens:

If you're in a domain, and the sshd user account is local, the local
sshd account will be prefixed with the local machine name, like this:

  MACHINE+sshd

OpenSSH's sshd looks for an account called "sshd", so in the above
scenario, it will fail to find sshd.  There are three workarounds:

- Switch off privilege separation in /etc/sshd_config.

- Create an unprivileged "sshd" user in your primary domain.  Since
  this account is unprefixed by default, sshd will find the user
  account and happily use it.

- Build your own OpenSSH package with the following patch applied:

  http://lists.mindrot.org/pipermail/openssh-unix-dev/2014-May/032591.html

  It converts the static request for an account called "sshd" into
  a function call which checks for the "sshd" account by calling
  a Cygwin DLL function checking for the account by prepending the
  potential prefixes.  This patch has been applied upstream, and
  a new version of OpenSSH will be available as soon as we go live
  with the AD integration stuff.

> The remaining problem is that all users that will log in have their home
> drives mounted from network shares.  I was hoping to use /etc/fstab.d/user
> files to mount these only when necessary, but apparently they are not yet
> available when sshd tries to check the pubkey credentials and thus falls
> back to password login (which I'd like to switch off completely).  What's
> the best option here?  Kerberos Authentication looks appealing, but doesn't
> seem to work with LDAP.

I have not the faintest idea how to get Kerberos auth working with
OpenSSH, sorry.  The problem in case of using the AD stuff might be
related to the username prefixing.  Kerberos probably doesn't understand
the prefix separator char (the '+' sign by default).

> Putting the public keys elsewhere would also work,
> but it isn't clear to me how to configure that.
> 
> I've currently made a copy of the .ssh directory under /home/user that later
> gets shadowed by the mount point.  While that works to get pubkey logins
> working, it is not very appealing as it requires a delicate dance with the
> mounts done by the user at the first login.  Any better ideas?

Does it work better with the passwd -R method?

  https://cygwin.com/cygwin-ug-net/ntsec.html#ntsec-nopasswd3


Corinna

-- 
Corinna Vinschen                  Please, send mails regarding Cygwin to
Cygwin Maintainer                 cygwin AT cygwin DOT com
Red Hat

Attachment: pwdgrp-doc
Description: Text document
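To make the account-prefixing problem from the reply concrete, here is a small added model (not Cygwin or OpenSSH code) of the two lookup behaviours: the unpatched exact-name lookup and the patched lookup that also tries the machine-prefixed local account. The account database, the machine name "MACHINE" and the domain user are constructed for illustration.

```python
"""Model of Cygwin-style prefixed account lookup for the sshd privsep user.

Added example, not Cygwin or OpenSSH code.  The database below and the host
name "MACHINE" are constructed; the '+' separator is the default named in the mail.
"""
from typing import Dict, Optional

DEFAULT_SEPARATOR = "+"

# Constructed account listing for a domain-joined host called MACHINE:
# primary-domain accounts are unprefixed, local accounts carry the host prefix.
ACCOUNTS: Dict[str, str] = {
    "MACHINE+sshd": "local privilege-separation account",
    "MACHINE+Administrator": "local administrator",
    "alice": "primary-domain user",
}


def static_lookup(db: Dict[str, str], name: str) -> Optional[str]:
    """Unpatched behaviour: exact match only.  For a local "sshd" this fails
    with "Privilege separation user sshd does not exist"."""
    return name if name in db else None


def prefixed_lookup(db: Dict[str, str], name: str, machine: str,
                    sep: str = DEFAULT_SEPARATOR) -> Optional[str]:
    """Patched behaviour: try the bare name first (an account in the primary
    domain is unprefixed), then the machine-prefixed local account."""
    for candidate in (name, f"{machine}{sep}{name}"):
        if candidate in db:
            return candidate
    return None


def privsep_user_available(db: Dict[str, str], machine: str, patched: bool) -> bool:
    """Whether sshd would find its privsep user with the given lookup behaviour."""
    found = prefixed_lookup(db, "sshd", machine) if patched else static_lookup(db, "sshd")
    return found is not None


if __name__ == "__main__":
    # Unpatched sshd on a domain-joined host: the local account is not found.
    print(privsep_user_available(ACCOUNTS, "MACHINE", patched=False))
    # Patched sshd resolves MACHINE+sshd.
    print(prefixed_lookup(ACCOUNTS, "sshd", "MACHINE"))
    # Workaround 2: an unprivileged "sshd" in the primary domain is unprefixed,
    # so even the unpatched lookup succeeds.
    print(static_lookup({**ACCOUNTS, "sshd": "domain privsep account"}, "sshd"))
```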

