This is the mail archive of the
mailing list for the Cygwin project.
Re: Cygwin ssh and Windows authentication
- From: Jarek <yaro_29 at hotmail dot com>
- To: cygwin at cygwin dot com
- Date: Sun, 2 Aug 2015 14:47:50 +0200
- Subject: Re: Cygwin ssh and Windows authentication
On 2015-07-22 23:46, Andrey Repin wrote:
So why are they not needed as your comment doesn't really explain that
Read 1.7.35 changelog.
In short, username resolution was completely reworked, thanks to Corinna, and
Cygwin now directly addresses domain controllers for it.
OK so it addresses DCs to check some settings or privileges. I don't
suppose it just asks 'hey DS, can contoso\johnd access sshd on server1?'
Indirectly, that can be done, i.e., by including a user in "SSH" group and
allow only "DOMAIN+SSH" group to authorize on server.
I assume the group name is arbitrary and can be named anything.
Of course. I have a generic "RemoteUsers" group for all users that are allowed
remote access (VPN, SSH, etc.)
I went through local rights on my sshserver and I see the Everyone, and
Users local groups have Allow to access this computer via network.
I take it the 'Act as part of the OS','Create a token object' and
'Replace a process level token' rights are only for the account running
the sshd service.
Yes, these are only used by service itself, and not propagated to the users
Verbose logging from both client and server may give some insight, too.
Here is what I get from the logs on the client when attempting to
connect with WinSCP
Try using only username to login. Without domain prefix.
And disable other auth mechanics while you are testing; namely, I see it trying
GSSAPI, which wouldn't work unless explicitly configured and allowed.
Please attach long listings as files or provide links to pastebin service of
Just for an update I deployed ssh access using the passwd file. I found
it works fine as long as the user connecting is a member of local
admins. Otherwise users are not able to connect. Looks like this may be
a bug after all.
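
Added example, not part of the original message or of Cygwin/OpenSSH: a small check, run over the effective configuration that `sshd -T` prints, for the two suggestions made in the thread (logins limited to one group via `AllowGroups`, GSSAPI switched off while testing). The group name `DOMAIN+SSH` is the one used in the thread; the two sample dumps are constructed.

```shell
#!/bin/sh
# check_sshd_policy GROUP   (reads `sshd -T`-style text on stdin)
# Prints one finding per line; returns 0 only when logins are limited to
# GROUP and GSSAPI authentication is not enabled.
check_sshd_policy() {
    awk -v want="$1" '
        { key = tolower($1) }
        key == "allowgroups" {
            # sshd -T may print one group per line or several on one line
            for (i = 2; i <= NF; i++) {
                seen++
                if ($i == want)
                    found = 1
                else
                    extra = extra " " $i
            }
        }
        key == "gssapiauthentication" { gss = tolower($2) }
        END {
            rc = 0
            if (!seen) {
                print "FAIL: no AllowGroups, any account that authenticates may log in"
                rc = 1
            } else if (!found) {
                print "FAIL: AllowGroups does not list " want
                rc = 1
            }
            if (extra != "") { print "FAIL: other groups also allowed:" extra; rc = 1 }
            if (gss == "yes") { print "FAIL: GSSAPIAuthentication is enabled"; rc = 1 }
            if (rc == 0) print "OK: only " want " may log in, GSSAPI off"
            exit rc
        }'
}

# Constructed samples standing in for `sshd -T` output.
sample_good() {
    printf '%s\n' 'port 22' 'allowgroups DOMAIN+SSH' \
        'gssapiauthentication no' 'passwordauthentication yes'
}
sample_open() {
    printf '%s\n' 'port 22' 'gssapiauthentication yes' 'passwordauthentication yes'
}

# Demo on the samples; on a real host: sshd -T | check_sshd_policy 'DOMAIN+SSH'
sample_good | check_sshd_policy 'DOMAIN+SSH' || true
sample_open | check_sshd_policy 'DOMAIN+SSH' || true
```
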