Re: can't access remote shares when using ssh with rsa key - passwd -R / set(e)uid / LogonUser is not working as expected

[Corinna Vinschen <corinna-cygwin at cygwin dot com>]

On Mar 14 10:41, Maayan Apelboim wrote:
> 
> When you login with stored password, Cygwin performs the same
> LogonUser call as if you login with password, so the same user token
> is generated.
> 
> Off the top of my head I don't know why it shouldn't work for you.
> You sure you have the correct password stored?  When you login and
> call `id', what does it print?  Does it contain the "interactive"
> group or the "network" group?  If the latter, then the internal
> LogonUser call performed with stored password failed for some reason.
> 
> 
> Corinna
> 
> --
> Corinna Vinschen
> Cygwin Maintainer
> 
> ---------------------------------------------------------------------------------------
> 
> Yes, I'm sure I used the correct password, I use it all the time and I
> also tried running passwd -R multiple times in case I entered it
> wrongly.  I'm not sure what are "interactive" & "network" groups - do
> you mean literally groups called network & interactive?  Either way -

Yes.

> I'm always getting a group named "interactive" among other groups -
> either with password ssh or with RSA - never "network" I do have some
> different groups when running id - comparing password ssh and RSA ssh.

If password auth or `passwd -R' auth is used you'll have the
"4(INTERACTIVE)" group in your `id' output.  If S4ULogon is used you'll
have the "2(NETWORK)" group in your `id' output.  This is one way to
identify which logon method has been used.

> Also, when I run mkpasswd -d when I log in with password, it generates
> users from the domain, comparing RSA ssh that generates only a few
> entries unrelated to my domain..

You don't need mkpasswd anymore.  Use `getent passwd' instead.

But... given you're using mkpasswd at all, I wonder if you still
have /etc/passwd and/or /etc/group files.  If so, move them out
of the way and restart your CYgwin processes.  They are not required
and may even result in problems if they have been tweaked.

If you still have these files, removing them is the first thing to
try.

> I think the same as you (also mentioned in the email title :) ) that
> the LogonUser call doesn't work as expected. Is there a way to verify
> it? Any logs I can check?  Would it help if I'll send the different
> groups I'm getting?

Other groups than NETWORK or INTERACTIVE don't matter, as explained
above.  The only reasons I can think of that LogonUser doesn't work is
that your username, domainname, or password are incorrect, or your
account is disabled.  I never saw the call fail for any other reason.

For debugging, you would have to call the sshd service under strace.
That would give a hint.  For that you should change the sshd service
call in the registry so that `/usr/sbin/sshd -D' is replaced with
`/usr/bin/strace -o /tmp/sshd.trace /usr/sbin/sshd -d'.  Note the
lowercase -d, which runs sshd in debug mode.  After the first logon,
sshd will terminate itself automatically.  Afterwards you should send
the /tmp/sshd.trace file here for inspection.  You can obfuscate
sensitive info, but the gist of the file should stay intact.


Corinna

-- 
Corinna Vinschen
Cygwin Maintainer

Attachment: signature.asc
Description: PGP signature