This is the mail archive of the
cygwin
mailing list for the Cygwin project.
Re: Sshd and key based authentication
- From: Andrey Repin <anrdaemon at yandex dot ru>
- To: Andrea Venturoli <ml at netfence dot it>, cygwin at cygwin dot com
- Date: Mon, 18 Nov 2013 12:22:33 +0400
- Subject: Re: Sshd and key based authentication
- Authentication-results: sourceware.org; auth=none
- References: <5289C8BD dot 1010109 at netfence dot it>
- Reply-to: Andrey Repin <cygwin at cygwin dot com>
Greetings, Andrea Venturoli!
> I'm trying to set up sshd on a Windows 2003 domain controller.
> Everything works with password authentication; however I need this for a
> script, so, in order to get non-interactive login, I must use keys.
> Tried as hard as I could, but I could not achieve this: I'm always asked
> for a password.
> I read several posts which say I need to use local accounts, not domain
> accounts; however, the machine being a DC, I don't have Local security
> policy or Local users in Control panel or Administrative tool.
> So, this is the fragment from my /etc/passwd:
>> sshd:unused:2259:513:sshd privsep,U-MYDOMAIN\sshd,S-X-X-XX-XXXXXXXXXX-XXXXXXXXXX-XXXXXXXXXX-XXXX:/var/empty:/bin/false
>> cyg_server:unused:2265:513:cyg_server,U-MYDOMAIN\cyg_server,S-X-X-XX-XXXXXXXXXX-XXXXXXXXXX-XXXXXXXXXXX-XXXX:/home/cyg_server:/bin/bash
> "ssh -vvv" suggest the key is presented to the server, but key
> authentication does not succeed anyway. Nothing special is logged
> server-side and ssh moves on to password authentiation.
> On with the questions...
> Is this supposed to work? Several posts say so, but no one mentions a
> domain controller... Does it bring in anything special?
Not that I know of.
> Are the above users correct? Any problem with it?
They are irrelevant.
Both only used to start up the service.
> What are correct ownership and permissions of /home, /home/myuser,
> /home/myuser/.ssh and /home/myuser/.ssh/authorized_keys?
sshd only check permissions on $HOME/.ssh and authorized_keys (as far as I'm
aware) - they need to be (as a safest bet) owned by user logging in and don't
have write permission by anyone except the owner (and SYSTEM).
> According to some how-tos, ssh-host-confing should have prompted with
> "CYGWIN=" and I should have replied "tty ntsec",
Long time gone.
http://cygwin.com/cygwin-ug-net/using-cygwinenv.html#cygwinenv-removed-options
> but this did not
> happen. Other how-tos suggest putting this variable in the environment.
> Is this information current or obsolete? I tried and it didn't seem to
> matter...
> Any other hint?
Did you installed Cygwin LSA module?
http://cygwin.com/cygwin-ug-net/ntsec.html#ntsec-nopasswd2
--
WBR,
Andrey Repin (anrdaemon@yandex.ru) 18.11.2013, <12:13>
Sorry for my terrible english...
--
Problem reports: http://cygwin.com/problems.html
FAQ: http://cygwin.com/faq/
Documentation: http://cygwin.com/docs.html
Unsubscribe info: http://cygwin.com/ml/#unsubscribe-simple