This is the mail archive of the
mailing list for the Cygwin project.
Re: cannot access $HOME (on Samba) via ssh
- From: Igor Pechtchanski <pechtcha at cs dot nyu dot edu>
- To: Harald Dunkel <harald dot dunkel at t-online dot de>
- Cc: cygwin at cygwin dot com
- Date: Tue, 11 Jan 2005 15:25:46 -0500 (EST)
- Subject: Re: cannot access $HOME (on Samba) via ssh
- References: <41E42508.email@example.com>
- Reply-to: cygwin at cygwin dot com
On Tue, 11 Jan 2005, Harald Dunkel wrote:

> Igor Pechtchanski wrote:
> | <http://cygwin.com/cygwin-ug-net/ntsec.html#ntsec-switch>, second
> | paragraph.
> | HTH,
> | Igor
>
> Sorry, but this does not help.
>
> If I got this right, then you assume that either sshd or the login
> process started by sshd are running as SYSTEM, and the bash started
> later inherits the restricted network access somehow, making an
> access to shares which require an authentication impossible.

Yes, I'm assuming both of those things. If sshd runs as any user but
SYSTEM (unless that user also has SYSTEM's capabilities as described in
the above link, in which case it might as well be SYSTEM), then no other
user will be able to log in using that sshd instance. And yes, bash
started from sshd does inherit the authentication token, which is used to
attempt to authenticate with network shares.

I believe you missed the fact that the above link talks about
*passwordless* authentication. The authentication token constructed by
sshd won't contain the password, and therefore cannot be used to access
network shares that require authentication. This is a Windows limitation,
and Cygwin can't do anything about it.

> Please note that ssh and rsh are typical applications of users used
> to work on remote machines in a LAN. If you take away the network
> access to their home directory and all other shares, then this is a
> very severe restriction. And making a network share accessible
> without any authentication is usually not an option, either.
>
> Not a good deal.

Authenticating using the user's password will not restrict the access.

An alternative is to change the authentication mechanism for the shares.

FWIW, the same problem exists with Unix filesystems that require
authentication, notably DFS.

Igor Pechtchanski, Ph.D.
a.k.a JaguaR-R-R-r-r-r-.-.-. Meow!
"The Sun will pass between the Earth and the Moon tonight for a total
Lunar eclipse..." -- WCBS Radio Newsbrief, Oct 27 2004, 12:01 pm EDT
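
Added example, not part of the original message or of Cygwin: a shell helper that reads sshd log lines and marks which accepted logins used public-key (passwordless) authentication, and so, per the explanation above, got a token that cannot authenticate to network shares. The log lines are constructed, the function names and result labels are hypothetical, and the script assumes the OpenSSH "Accepted <method> for <user> from <addr>" message format.

```sh
#!/bin/sh
# Constructed sample sshd log lines (not taken from the thread).
sample_log() {
cat <<'EOF'
Jan 11 15:01:02 winbox sshd: PID 1234: Accepted publickey for alice from 192.0.2.10 port 40112 ssh2
Jan 11 15:03:40 winbox sshd: PID 1250: Accepted password for bob from 192.0.2.11 port 40230 ssh2
Jan 11 15:04:00 winbox sshd: PID 1251: Failed password for guest from 192.0.2.12 port 40231 ssh2
Jan 11 15:07:19 winbox sshd: PID 1260: Accepted keyboard-interactive/pam for carol from 192.0.2.13 port 40300 ssh2
EOF
}

# classify_logins: read a log on stdin and print "<user> <method> <label>"
# for every accepted login. The labels are this example's own wording:
#   password  -> sshd had the password when it built the token
#   publickey -> token built without a password (the case in this thread)
#   other     -> not covered by the explanation above, reported as unknown
classify_logins() {
  awk '
    {
      # Find the "Accepted <method> for <user>" sequence wherever the
      # syslog prefix happens to end.
      for (i = 1; i <= NF - 3; i++) {
        if ($i == "Accepted" && $(i + 2) == "for") {
          method = $(i + 1); user = $(i + 3)
          if (method == "password")       label = "token-has-credentials"
          else if (method == "publickey") label = "no-network-credentials"
          else                            label = "unknown"
          print user, method, label
        }
      }
    }'
}

# users_without_share_access: only the user names whose sessions would
# fail against shares that require authentication, de-duplicated.
users_without_share_access() {
  classify_logins | awk '$3 == "no-network-credentials" { print $1 }' | sort -u
}

sample_log | classify_logins
```
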