This is the mail archive of the
mailing list for the Cygwin project.
Re: Cygwin ssh and Windows authentication
- From: Andrey Repin <anrdaemon at yandex dot ru>
- To: Jarek <yaro_29 at hotmail dot com>, cygwin at cygwin dot com
- Date: Tue, 21 Jul 2015 23:36:55 +0300
- Subject: Re: Cygwin ssh and Windows authentication
- Authentication-results: sourceware.org; auth=none
- References: <BLU436-SMTP39AE7DD48809E802CE4DAE9E860 at phx dot gbl> <1301881165 dot 20150720013859 at yandex dot ru> <BLU436-SMTP217DCBDBFA0EED5BC1ACFFB9E850 at phx dot gbl> <1399485278 dot 20150721032532 at yandex dot ru> <BLU436-SMTP238C37DE9A243EA7E7F794F9E840 at phx dot gbl>
- Reply-to: cygwin at cygwin dot com
>>> So why are they not needed as your comment doesn't really explain that
>> Read 1.7.35 changelog.
>> In short, username resolution was completely reworked, thanks to Corinna, and
>> Cygwin now directly addresses domain controllers for it.
> OK so it addresses DCs to check some settings or privileges. I don't
> suppose it just asks 'hey DS, can contoso\johnd access sshd on server1?'
Indirectly, that can be done, i.e., by including a user in an "SSH" group and
allowing only the "DOMAIN+SSH" group to authorize on the server.
> to which the DC is like 'dude, what the heck is sshd?' :)
This is not that simple. The actual authentication is done by SSH itself in
this case. Same as on *NIX. For THIS (or, more precisely, to craft auth token
which IS THE "user" in terms of OS access control) it needs certain privileges.
The details are in documentation I linked earlier, the next question about
using public keys with SSH.
> I now have the cygwin service running in domain context so now I would
> somehow need to let the DC know who is allowed to ssh to my server1.
By default, everyone will be allowed, and they will have only what rights they
have, as the actual access control is done by OS itself, once the user is
> My domain account, although in local admins on the server is now failing
> authentication when trying to ssh. Which gets us back to the question what
> do I need for a DC to authenticate me?
Nothing more than what is stated in the FAQ entry.
I suggest starting from a new Cygwin install (stop and remove installed Cygwin
services and rename your existing installation out of the way) and recheck the
Verbose logging from both client and server may give some insight, too.
>>> and how exactly did I screw up my setup if I can actually access the
>>> server with a domain user account no problem?
>> On that, I'm surprised.
> Maybe a bug then?
Depends, what exactly was the state. But I'm not concerned.
There are so few narrow use cases left for having passwd/group files around
that it is better to just get rid of them.
>> /etc/passwd/group has nothing to do with "access control".
>> The files were only used to convert Windows to Cygwin names (and supply other
>> Cygwin-specific information), on the presumption that there will never be too
>> much of it. This is now done on the fly, allowing to deploy Cygwin in large
With best regards,
Tuesday, July 21, 2015 23:27:07
Sorry for my terrible English...
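
The group restriction described in the reply above, as an added example that is not part of the original message or of the Cygwin or OpenSSH sources: a shell function that reads `AllowGroups` from an sshd_config and reports whether an account's group list would be admitted. It assumes the restriction is written with OpenSSH's `AllowGroups` directive; the config contents and the group name `DOMAIN+Staff` are constructed, and the function and variable names are hypothetical.

```shell
#!/bin/sh
# Added example (not from the thread). Simplifications: exact name match
# only (no wildcard patterns); DenyGroups and Match blocks are not evaluated.

# Print each group named by AllowGroups in the global section of config $1.
allowgroups_of() {
    awk '
        tolower($1) == "match" { exit }        # global section ends here
        tolower($1) == "allowgroups" {         # keyword is case-insensitive
            for (i = 2; i <= NF; i++) print $i # repeated directives add up
        }
    ' "$1"
}

# Usage: ssh_group_allowed CONFIG GROUP...
# Prints "allowed" or "denied" and returns 0 or 1 accordingly.
ssh_group_allowed() {
    cfg=$1; shift
    allowed=$(allowgroups_of "$cfg")
    if [ -z "$allowed" ]; then
        echo allowed    # no AllowGroups at all: every user may log in
        return 0
    fi
    for g in "$@"; do
        if printf '%s\n' "$allowed" | grep -Fxq -- "$g"; then
            echo allowed
            return 0
        fi
    done
    echo denied
    return 1
}

# Constructed sample configuration and group lists.
sample=$(mktemp)
cat > "$sample" <<'EOF'
Port 22
AllowGroups DOMAIN+SSH
EOF
ssh_group_allowed "$sample" DOMAIN+Staff DOMAIN+SSH
ssh_group_allowed "$sample" DOMAIN+Staff || true
rm -f "$sample"
```

On a real host the group arguments would be the account's Cygwin group names as `id` reports them.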