This is the mail archive of the cygwin mailing list for the Cygwin project.



Re: LDAP integration and sshd


Corinna Vinschen writes:
> You read my preliminary doc, I hope?  I attached it again, for
> completeness.  But, here's what happens:

I guess I read it at one time, but not specifically today. :-)

> If you're in a domain, and the sshd user account is local, the local
> sshd account will be prefixed with the local machine name, like this:
>
>   MACHINE+sshd
>
> OpenSSH's sshd looks for an account called "sshd", so in the above
> scenario, it will fail to find sshd.  There are three workarounds:

The fourth:

mkpasswd -l | awk '/sshd:/{gsub("^[^+]*\\+", "");print;}' >> /etc/passwd

> - Switch off privilege separation in /etc/sshd_config.

Not going to do that if I can help it.

> - Create an unprivileged "sshd" user in your primary domain.  Since
>   this account is unprefixed by default, sshd will find the user
>   account and happily use it.

That might actually be the best idea since the account doesn't need any
privileges at all. I'll have to ask our domain admins.

> - Build your own OpenSSH package with the following patch applied:

With the workarounds available, I'm not trying.

> I have not the faintest idea how to get Kerberos auth working with
> OpenSSH, sorry.  The problem in case of using the AD stuff might be
> related to the username prefixing.  Kerberos probably doesn't understand
> the prefix separator char (the '+' sign by default).

At the moment the problem seems to be that some part of the necessary
config is missing.  I'm getting into the right realm, but then things
fall apart.

>> Putting the public keys elsewhere would also work,
>> but it isn't clear to me how to configure that.

N.B.: This can be done in /etc/sshd_config with an absolute path and
judicious use of the %u token.  Doesn't help though, since after logging
in via public key the user doesn't have an LDAP ticket and is thus
unable to have the home share mounted.  This appeared to work during the
initial test since the server still had a ticket cached from a previous
RDP session.

> Does it work better with the passwd -R method?
>
>   https://cygwin.com/cygwin-ug-net/ntsec.html#ntsec-nopasswd3

I didn't get it to work yet.  I suppose that I need to somehow pass the
"CYGWIN=ntsec" environment via cygrunsrv?  My initial config had CYGWIN
empty, which probably means I'll have to re-install the service.  BTW,
I've managed to go through some SIDs until I had a working config; is
there any way to reset this counter when deleting a user?

Do I read this correctly that the password itself gets stored and not an
NTLM(v2) hash?


Regards,
Achim.
-- 
+<[Q+ Matrix-12 WAVE#46+305 Neuron microQkb Andromeda XTk Blofeld]>+

Wavetables for the Waldorf Blofeld:
http://Synth.Stromeko.net/Downloads.html#BlofeldUserWavetables

--
Problem reports:       http://cygwin.com/problems.html
FAQ:                   http://cygwin.com/faq/
Documentation:         http://cygwin.com/docs.html
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple
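Added example, not part of the thread above: a small shell helper for the "MACHINE+sshd" situation described in the message.  It takes passwd-style lines (here a constructed sample standing in for `mkpasswd -l` output; the host name MYHOST and the SIDs are made up) and emits the entry for a given account with any "PREFIX+" removed from the name field.  Unlike a pattern match on the whole line, it only looks at the first field, so an unrelated entry whose comment field happens to contain the account name is not copied.  A second helper reports whether an unprefixed entry, i.e. what sshd's own lookup of "sshd" would find, is already present.

```shell
#!/bin/sh
# Added example (not from the original thread): make a prefixed Cygwin
# account such as "MYHOST+sshd" visible to OpenSSH, which looks up the
# privilege-separation user by the bare name "sshd".

# Constructed stand-in for `mkpasswd -l` output on a domain-joined
# machine; MYHOST and all SIDs are assumptions, not real data.
SAMPLE_PASSWD='SYSTEM:*:18:544:,S-1-5-18::
MYHOST+Administrator:unused:500:513:U-MYHOST\Administrator,S-1-5-21-1-2-3-500:/home/Administrator:/bin/bash
MYHOST+sshd:unused:1003:513:sshd privsep,U-MYHOST\sshd,S-1-5-21-1-2-3-1003:/var/empty:/bin/false
MYHOST+cyg_server:unused:1004:513:Privileged server,U-MYHOST\cyg_server,S-1-5-21-1-2-3-1004:/var/empty:/bin/bash'

# unprefix_account ACCOUNT
# Read passwd lines on stdin and print the entry whose name field is
# ACCOUNT or "<anything>+ACCOUNT", with the "<anything>+" part removed.
# Only field 1 is examined, so a comment field containing "sshd" does not
# cause a false match.  The '+' separator is the Cygwin default.
unprefix_account() {
    awk -F: -v name="$1" '
        BEGIN { OFS = ":" }
        $1 == name || $1 ~ ("\\+" name "$") {
            sub(/^[^+]*\+/, "", $1)   # drop "MACHINE+" from the name field
            print                      # $0 is rebuilt with OFS=":"
        }'
}

# account_resolvable ACCOUNT
# Exit 0 when stdin already holds an entry whose name field is exactly
# ACCOUNT (the lookup sshd performs), 1 otherwise.
account_resolvable() {
    awk -F: -v name="$1" '$1 == name { found = 1 } END { exit !found }'
}

# Stand-alone demonstration on the constructed sample.
if printf '%s\n' "$SAMPLE_PASSWD" | account_resolvable sshd; then
    echo "sshd already resolvable"
else
    echo "sshd not resolvable; stripped entry would be:"
    printf '%s\n' "$SAMPLE_PASSWD" | unprefix_account sshd
fi
```

On a real machine the equivalent of the thread's one-liner is `mkpasswd -l | unprefix_account sshd >> /etc/passwd`, run once and only after checking with `account_resolvable` that no bare "sshd" entry exists yet, so the file does not end up with a duplicate.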

