This is the mail archive of the cygwin mailing list for the Cygwin project.
On Jun 25 12:34, Achim Gratz wrote:
> I've just managed to set up a working sshd on a Cygwin snapshot with LDAP
> integration. The setup scripts required quite a few modifications to deal
> properly with the way local accounts and groups are now named. I've had to
> reinstate files for passwd to record an "sshd" there as otherwise the
> service wouldn't start ("Privilege separation user sshd does not exist").

You read my preliminary doc, I hope? I attached it again, for completeness.

But, here's what happens: If you're in a domain, and the sshd user account
is local, the local sshd account will be prefixed with the local machine
name, like this:

  MACHINE+sshd

OpenSSH's sshd looks for an account called "sshd", so in the above scenario,
it will fail to find sshd. There are three workarounds:

- Switch off privilege separation in /etc/sshd_config.

- Create an unprivileged "sshd" user in your primary domain. Since this
  account is unprefixed by default, sshd will find the user account and
  happily use it.

- Build your own OpenSSH package with the following patch applied:

  http://lists.mindrot.org/pipermail/openssh-unix-dev/2014-May/032591.html

  It converts the static request for an account called "sshd" into a
  function call which checks for the "sshd" account by calling a Cygwin DLL
  function checking for the account by prepending the potential prefixes.

  This patch has been applied upstream, and a new version of OpenSSH will be
  available as soon as we go live with the AD integration stuff.

> The remaining problem is that all users that will log in have their home
> drives mounted from network shares. I was hoping to use /etc/fstab.d/user
> files to mount these only when necessary, but apparently they are not yet
> available when sshd tries to check the pubkey credentials and thus falls
> back to password login (which I'd like to switch off completely). What's
> the best option here? Kerberos Authentication looks appealing, but doesn't
> seem to work with LDAP.

I have not the faintest idea how to get Kerberos auth working with OpenSSH,
sorry. The problem in case of using the AD stuff might be related to the
username prefixing. Kerberos probably doesn't understand the prefix
separator char (the '+' sign by default).

> Putting the public keys elsewhere would also work,
> but it isn't clear to me how to configure that.
>
> I've currently made a copy of the .ssh directory under /home/user that later
> gets shadowed by the mount point. While that works to get pubkey logins
> working, it is not very appealing as it requires a delicate dance with the
> mounts done by the user at the first login. Any better ideas?

Does it work better with the passwd -R method?

https://cygwin.com/cygwin-ug-net/ntsec.html#ntsec-nopasswd3

Corinna

--
Corinna Vinschen                  Please, send mails regarding Cygwin to
Cygwin Maintainer                 cygwin AT cygwin DOT com
Red Hat
Attachment:
pwdgrp-doc
Description: Text document
Attachment:
pgptH04mQHfXm.pgp
Description: PGP signature
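The privilege-separation lookup the message attributes to the mindrot patch (bare "sshd" first, then each candidate prefix joined with the '+' separator), as an added example that is not code from the thread, from Cygwin or from OpenSSH. The passwd lines, the machine name MACHINE and the domain name DOMAIN are constructed; on a real host the data would come from getent passwd.

```shell
#!/bin/sh
# Added example, not code from the thread or from Cygwin/OpenSSH: resolve the
# privilege-separation account the way the message describes the mindrot patch
# doing it, i.e. try the bare name "sshd" first, then each candidate prefix
# joined with the Cygwin separator ('+' by default).
# The passwd lines below are constructed; real entries come from getent passwd.
SAMPLE_PASSWD='Administrator:*:197108:197121:U-MACHINE\Administrator,S-1-5-21-1-2-3-500:/home/Administrator:/bin/bash
MACHINE+sshd:*:197614:197121:U-MACHINE\sshd,S-1-5-21-1-2-3-1006:/var/empty:/bin/false
DOMAIN+achim:*:1049076:1049089:U-DOMAIN\achim,S-1-5-21-4-5-6-1076:/home/achim:/bin/bash'

# passwd_has PASSWD_DATA NAME: succeed if NAME is the login field of some entry.
passwd_has() {
  printf '%s\n' "$1" | awk -F: -v n="$2" '$1 == n { f = 1 } END { exit !f }'
}

# find_privsep_user PASSWD_DATA NAME SEP PREFIX...
# Prints the account name that exists (bare first, then PREFIX<SEP>NAME for each
# prefix in order) and returns 0; prints nothing and returns 1 if none matches.
find_privsep_user() {
  data=$1; name=$2; sep=$3; shift 3
  for p in "" "$@"; do
    if [ -n "$p" ]; then c="$p$sep$name"; else c=$name; fi
    if passwd_has "$data" "$c"; then
      printf '%s\n' "$c"
      return 0
    fi
  done
  return 1
}

# privsep_status PASSWD_DATA SEP PREFIX...: a pre-start check that reports the
# same condition OpenSSH fails on, so the cause (a prefixed local account) is
# visible before sshd refuses to start.
privsep_status() {
  data=$1; sep=$2; shift 2
  if acct=$(find_privsep_user "$data" sshd "$sep" "$@"); then
    printf 'ok: privilege separation user found as %s\n' "$acct"
  else
    printf 'Privilege separation user sshd does not exist\n'
    return 1
  fi
}

# Stock OpenSSH only asks for "sshd": the lookup fails on a domain member.
privsep_status "$SAMPLE_PASSWD" + || :
# With the patch's prefix-aware lookup the local account is found.
privsep_status "$SAMPLE_PASSWD" + MACHINE DOMAIN
```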