Cygwin ssh and Windows authentication
Andrey Repin
anrdaemon@yandex.ru
Wed Jul 22 21:50:00 GMT 2015
Greetings, Jarek!
>>>>> So why are they not needed as your comment doesn't really explain that
>>>> Read 1.7.35 changelog.
>>>> In short, username resolution was completely reworked, thanks to Corinna, and
>>>> Cygwin now directly addresses domain controllers for it.
>>> OK so it addresses DCs to check some settings or privileges. I don't
>>> suppose it just asks 'hey DS, can contoso\johnd access sshd on server1?'
>> Indirectly, that can be done, i.e., by including a user in "SSH" group and
>> allow only "DOMAIN+SSH" group to authorize on server.
> I assume the group name is arbitrary and can be named anything.
Of course. I have a generic "RemoteUsers" group for all users that are allowed
remote access (VPN, SSH, etc.)
> I went through local rights on my sshserver and I see the Everyone, and
> Users local groups have Allow to access this computer via network.
> I take it the 'Act as part of the OS','Create a token object' and
> 'Replace a process level token' rights are only for the account running
> the sshd service.
Yes, these are only used by the service itself, and not propagated to the users
connected.
>> Verbose logging from both client and server may give some insight, too.
> Here is what I get from the logs on the client when attempting to
> connect with WinSCP
Try using only username to login. Without domain prefix.
And disable other auth mechanics while you are testing; namely, I see it trying
GSSAPI, which wouldn't work unless explicitly configured and allowed.
Please attach long listings as files or provide links to pastebin service of
your choice.
--
With best regards,
Andrey Repin
Thursday, July 23, 2015 00:42:20
Sorry for my terrible english...