This is the mail archive of the
mailing list for the Cygwin project.
Re: Cygwin ssh and Windows authentication
- From: Andrey Repin <anrdaemon at yandex dot ru>
- To: Jarek <yaro_29 at hotmail dot com>, cygwin at cygwin dot com
- Date: Thu, 23 Jul 2015 00:46:27 +0300
- Subject: Re: Cygwin ssh and Windows authentication
- Authentication-results: sourceware.org; auth=none
- References: <BLU436-SMTP39AE7DD48809E802CE4DAE9E860 at phx dot gbl> <1301881165 dot 20150720013859 at yandex dot ru> <BLU436-SMTP217DCBDBFA0EED5BC1ACFFB9E850 at phx dot gbl> <1399485278 dot 20150721032532 at yandex dot ru> <BLU436-SMTP238C37DE9A243EA7E7F794F9E840 at phx dot gbl> <981419184 dot 20150721233655 at yandex dot ru> <BLU436-SMTP147434267174B49E8813BD49E830 at phx dot gbl>
- Reply-to: cygwin at cygwin dot com
>>>>> So why are they not needed as your comment doesn't really explain that
>>>> Read 1.7.35 changelog.
>>>> In short, username resolution was completely reworked, thanks to Corinna, and
>>>> Cygwin now directly addresses domain controllers for it.
>>> OK so it addresses DCs to check some settings or privileges. I don't
>>> suppose it just asks 'hey DS, can contoso\johnd access sshd on server1?'
>> Indirectly, that can be done, i.e., by including a user in an "SSH" group and
>> allowing only the "DOMAIN+SSH" group to authorize on the server.
> I assume the group name is arbitrary and can be named anything.
Of course. I have a generic "RemoteUsers" group for all users that are allowed
remote access (VPN, SSH, etc.)
> I went through local rights on my sshserver and I see the Everyone, and
> Users local groups have Allow to access this computer via network.
> I take it the 'Act as part of the OS','Create a token object' and
> 'Replace a process level token' rights are only for the account running
> the sshd service.
Yes, these are only used by the service itself, and not propagated to the users.
>> Verbose logging from both client and server may give some insight, too.
> Here is what I get from the logs on the client when attempting to
> connect with WinSCP
Try using only username to login. Without domain prefix.
And disable other auth mechanics while you are testing; namely, I see it trying
GSSAPI, which wouldn't work unless explicitly configured and allowed.
Please attach long listings as files or provide links to pastebin service of
With best regards,
Thursday, July 23, 2015 00:42:20
Sorry for my terrible English...
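
The two settings discussed in this message (allowing only one domain group to log in, and keeping GSSAPI off while testing) can be checked on the server with the sketch below. It is an added example, not part of the original post or of Cygwin; it assumes OpenSSH's `AllowGroups` and `GSSAPIAuthentication` keywords, and the sample config and the `DOMAIN+Admins` group are constructed.

```shell
#!/bin/sh
# Added example: report the value sshd would use for a keyword in the global
# section of an sshd_config. Keywords are case-insensitive and the first
# occurrence wins; Match blocks and "Keyword=value" lines are not evaluated.
sshd_effective() {  # usage: sshd_effective <config-file> <keyword>
    awk -v want="$2" '
        BEGIN { want = tolower(want) }
        /^[ \t]*#/ { next }                  # skip comments
        NF == 0 { next }                     # skip blank lines
        tolower($1) == "match" { exit }      # stop at the first conditional block
        tolower($1) == want {
            sub(/^[ \t]*[^ \t]+[ \t]+/, "")  # drop the keyword, keep the arguments
            sub(/[ \t]+$/, "")
            print; exit                      # first value obtained is the one used
        }
    ' "$1"
}

# Constructed sample config: the DOMAIN+SSH group name is from the thread,
# every other line is an assumption made for the example.
sample_config() {
    cat <<'EOF'
# constructed sample, not from the original post
Port 22
allowgroups DOMAIN+SSH
GSSAPIAuthentication no
PasswordAuthentication yes
GSSAPIAuthentication yes
Match Group DOMAIN+Admins
    PasswordAuthentication no
EOF
}

# Prints what it found; returns non-zero if logins are not limited to a group
# or if GSSAPI is still enabled.
audit_sshd() {  # usage: audit_sshd <config-file>
    cfg=$1; rc=0
    groups=$(sshd_effective "$cfg" AllowGroups)
    gss=$(sshd_effective "$cfg" GSSAPIAuthentication)
    [ -n "$groups" ] || { echo "AllowGroups not set: logins are not limited by group"; rc=1; }
    [ -z "$groups" ] || echo "AllowGroups = $groups"
    [ "$gss" != "yes" ] || { echo "GSSAPIAuthentication is enabled"; rc=1; }
    return $rc
}
```

The second `GSSAPIAuthentication yes` line in the sample is ignored because the earlier `no` was read first, which is the kind of duplicate that makes a config look different from what the service actually applies.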