Cygwin ssh and Windows authentication
Jarek
2015-07-19 14:07:15 UTC
I'm still quite new to Cygwin. I'm using the most recent version to
install the ssh component on Server 2012R2 member server since it
happened to become a requirement for certain users. The problem I have
is to understand how to allow access for domain groups. I read the new
version doesn't even need the /etc/passwd and /etc/group files any more
but I couldn't see any explanation as to how to allow users or groups
permission to ssh to the cygwin sshd server. Running ssh-host-config
answering yes to all questions except the one for using other user than
the cyg_server I set up the ssh daemon. Not knowing any other way I
created the /etc/passwd file with $mkpasswd -l > /etc/passwd which
dumped all local users into the file. I successfully added a domain user
with $mkpasswd -u [domain_user] -D [domain] >> /etc/passwd.
This worked just fine creating the /home/[user] folder I think although
I haven't checked if it didn't get created earlier since I installed
Cygwin under that user account. No idea though how to get this working
without the use of /etc/passwd file. I then created the /etc/group file
and added my selected domain user group to it. Unfortunately in this
case members of the group cannot connect via ssh. I don't know if there
is a way to list all users including group members with access
permissions. $net user lists only users. I tried $net group but this
seems to be limited to DCs only which I have no access to. Could someone
please explain how this can be set up and what tells Cygwin who can
connect and who can't?

--
Problem reports: http://cygwin.com/problems.html
FAQ: http://cygwin.com/faq/
Documentation: http://cygwin.com/docs.html
Unsubscribe info: http://cygwin.com/ml/#unsubscribe-simple
Andrey Repin
2015-07-19 22:38:59 UTC
Greetings, Jarek!
Post by Jarek
I'm still quite new to Cygwin. I'm using the most recent version to
install the ssh component on Server 2012R2 member server since it
happened to become a requirement for certain users. The problem I have
is to understand how to allow access for domain groups. I read the new
version doesn't even need the /etc/passwd and /etc/group files any more
but I couldn't see any explanation as to how to allow users or groups
permission to ssh to the cygwin sshd server.
The short version is that you need the SSH server running under a domain user,
which needs to be created prior to starting ssh-host-config.
Post by Jarek
Running ssh-host-config answering yes to all questions except the one for
using other user than the cyg_server I set up the ssh daemon. Not knowing
any other way I created the /etc/passwd file with $mkpasswd -l > /etc/passwd
These files are no longer needed, but in your specific case, you actually just
screwed up your setup.
Post by Jarek
which dumped all local users into the file. I successfully added a domain user
with $mkpasswd -u [domain_user] -D [domain] >> /etc/passwd.
That's not how it works.
Post by Jarek
This worked just fine creating the /home/[user] folder I think although
I haven't checked if it didn't get created earlier since I installed
Cygwin under that user account. No idea though how to get this working
without the use of /etc/passwd file. I then created the /etc/group file
and added my selected domain user group to it. Unfortunately in this
case members of the group cannot connect via ssh. I don't know if there
is a way to list all users including group members with access
permissions. $net user lists only users. I tried $net group but this
seems to be limited to DCs only which I have no access to. Could someone
please explain how this can be set up and what tells Cygwin who can
connect and who can't?
http://cygwin.com/faq/faq.html#faq.using.sshd-in-domain
It was there all the time.
--
With best regards,
Andrey Repin
Monday, July 20, 2015 01:35:00

Sorry for my terrible English...


Matt Seitz (matseitz)
2015-07-20 17:52:24 UTC
From: Andrey Repin
http://cygwin.com/faq/faq.html#faq.using.sshd-in-domain
Any suggestions if you can't get your domain admin to create a generic "cyg_server" account for you?

I suspect some people in corporate environments may have trouble getting domain admins to create a generic "cyg_server" domain account, especially one in the domain's "Administrators" group.


Jarek
2015-07-20 18:51:28 UTC
Post by Matt Seitz (matseitz)
From: Andrey Repin
http://cygwin.com/faq/faq.html#faq.using.sshd-in-domain
Any suggestions if you can't get your domain admin to create a generic "cyg_server" account for you?
I suspect some people in corporate environments may have trouble getting domain admins to create a generic "cyg_server" domain account, especially one in the domain's "Administrators" group.
No chance of that, I'm afraid.

Jarek
2015-07-20 18:59:30 UTC
Hi Andrey.
So why are they not needed, as your comment doesn't really explain that,
and how exactly did I screw up my setup if I can actually access the
server with a domain user account no problem? Perhaps it's not how it
works, but it somehow works, so again it would be good to know why. It's only
domain groups that don't work. Even if I set the service account to run
under a domain account, how would this fix my problem with group access,
assuming in the current setup it works for domain users but not for groups?
Again, if not the /etc/passwd or /etc/group files, then what controls the
access?
Post by Andrey Repin
Greetings, Jarek!
Post by Jarek
I'm still quite new to Cygwin. I'm using the most recent version to
install the ssh component on Server 2012R2 member server since it
happened to become a requirement for certain users. The problem I have
is to understand how to allow access for domain groups. I read the new
version doesn't even need the /etc/passwd and /etc/group files any more
but I couldn't see any explanation as to how to allow users or groups
permission to ssh to the cygwin sshd server.
The short version is that you need the SSH server running under a domain user,
which needs to be created prior to starting ssh-host-config.
Post by Jarek
Running ssh-host-config answering yes to all questions except the one for
using other user than the cyg_server I set up the ssh daemon. Not knowing
any other way I created the /etc/passwd file with $mkpasswd -l > /etc/passwd
These files are no longer needed, but in your specific case, you actually just
screwed up your setup.
Post by Jarek
which dumped all local users into the file. I successfully added a domain user
with $mkpasswd -u [domain_user] -D [domain] >> /etc/passwd.
That's not how it works.
Post by Jarek
This worked just fine creating the /home/[user] folder I think although
I haven't checked if it didn't get created earlier since I installed
Cygwin under that user account. No idea though how to get this working
without the use of /etc/passwd file. I then created the /etc/group file
and added my selected domain user group to it. Unfortunately in this
case members of the group cannot connect via ssh. I don't know if there
is a way to list all users including group members with access
permissions. $net user lists only users. I tried $net group but this
seems to be limited to DCs only which I have no access to. Could someone
please explain how this can be set up and what tells Cygwin who can
connect and who can't?
http://cygwin.com/faq/faq.html#faq.using.sshd-in-domain
It was there all the time.
Andrey Repin
2015-07-21 00:25:32 UTC
Greetings, Jarek!
Post by Jarek
So why are they not needed as your comment doesn't really explain that
Read the 1.7.35 changelog.
In short, username resolution was completely reworked, thanks to Corinna, and
Cygwin now directly addresses domain controllers for it.
Post by Jarek
and how exactly did I screw up my setup if I can actually access the
server with a domain user account no problem?
On that, I'm surprised.
Post by Jarek
Perhaps it's not how it works but it somehow works so again would be good to
know why. It's only domain groups that don't work. Even if I set the service
account to run under a domain account how would this fix my problem with
group access assuming in current setup it works for domain users but not for
groups?
Again if not the /etc/passwd or /etc/group files then what controls the
access?
/etc/passwd/group has nothing to do with "access control".
The files were only used to convert Windows to Cygwin names (and supply other
Cygwin-specific information), on the presumption that there would never be too
much of it. This is now done on the fly, allowing Cygwin to be deployed in large
domains.

P.S.
I would appreciate it if you don't top-post.
--
With best regards,
Andrey Repin
Tuesday, July 21, 2015 03:02:14

Sorry for my terrible English...


Jarek
2015-07-21 14:30:26 UTC
Post by Andrey Repin
Greetings, Jarek!
Hey Andrey.
Post by Andrey Repin
Post by Jarek
So why are they not needed as your comment doesn't really explain that
Read the 1.7.35 changelog.
In short, username resolution was completely reworked, thanks to Corinna, and
Cygwin now directly addresses domain controllers for it.
OK, so it addresses DCs to check some settings or privileges. I don't
suppose it just asks 'hey DS, can contoso\johnd access sshd on server1?'
to which the DC is like 'dude, what the heck is sshd?' :) I now have the
cygwin service running in domain context, so now I would somehow need to
let the DC know who is allowed to ssh to my server1. My domain account,
although in local admins on the server, is now failing authentication
when trying to ssh. Which gets us back to the question: what do I need
for a DC to authenticate me?
Post by Andrey Repin
Post by Jarek
and how exactly did I screw up my setup if I can actually access the
server with a domain user account no problem?
On that, I'm surprised.
Maybe a bug then?
Post by Andrey Repin
Post by Jarek
Perhaps it's not how it works but it somehow works so again would be good to
know why. It's only domain groups that don't work. Even if I set the service
account to run under a domain account how would this fix my problem with
group access assuming in current setup it works for domain users but not for
groups?
Again if not the /etc/passwd or /etc/group files then what controls the
access?
/etc/passwd/group has nothing to do with "access control".
The files were only used to convert Windows to Cygwin names (and supply other
Cygwin-specific information), on the presumption that there would never be too
much of it. This is now done on the fly, allowing Cygwin to be deployed in large
domains.
P.S.
I would appreciate it if you don't top-post.
Yeah, sorry for my bad formatting. Working on that. Hope I'm not
top-posting again.


Andrey Repin
2015-07-21 20:36:55 UTC
Greetings, Jarek!
Post by Jarek
Post by Andrey Repin
Post by Jarek
So why are they not needed as your comment doesn't really explain that
Read the 1.7.35 changelog.
In short, username resolution was completely reworked, thanks to Corinna, and
Cygwin now directly addresses domain controllers for it.
OK, so it addresses DCs to check some settings or privileges. I don't
suppose it just asks 'hey DS, can contoso\johnd access sshd on server1?'
Indirectly, that can be done, i.e., by including a user in an "SSH" group and
allowing only the "DOMAIN+SSH" group to authorize on the server.
Post by Jarek
to which the DC is like 'dude, what the heck is sshd?' :)
This is not that simple. The actual authentication is done by SSH itself in
this case. Same as on *NIX. For THIS (or, more precisely, to craft the auth token
which IS THE "user" in terms of OS access control) it needs certain privileges.
The details are in the documentation I linked earlier, in the next question about
using public keys with SSH.
Post by Jarek
I now have the cygwin service running in domain context so now I would
somehow need to let the DC know whe is allowed to ssh to my server1.
By default, everyone will be allowed, and they will have only what rights they
have, as the actual access control is done by the OS itself, once the user is
authenticated.
Post by Jarek
My domain account, although in local admins on the server is now failing
authentication when trying to ssh. Which gets us back to the question what
do I need for a DC to authenticate me?
Nothing more than what is stated in the FAQ entry.
I suggest starting from a new Cygwin install (stop and remove installed Cygwin
services and rename your existing installation out of the way) and recheck the
results.
Verbose logging from both client and server may give some insight, too.
Post by Jarek
Post by Andrey Repin
Post by Jarek
and how exactly did I screw up my setup if I can actually access the
server with a domain user account no problem?
On that, I'm surprised.
Maybe a bug then?
Depends what exactly the state was. But I'm not concerned.
There are very few narrow use cases left for having passwd/group files around,
so it is better to just get rid of them.
Post by Jarek
Post by Andrey Repin
/etc/passwd/group has nothing to do with "access control".
The files were only used to convert Windows to Cygwin names (and supply other
Cygwin-specific information), on the presumption that there would never be too
much of it. This is now done on the fly, allowing Cygwin to be deployed in large
domains.
--
With best regards,
Andrey Repin
Tuesday, July 21, 2015 23:27:07

Sorry for my terrible English...


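Andrey's "allow only the DOMAIN+SSH group" is what OpenSSH's AllowGroups directive does, and sshd_config(5) states the evaluation order as DenyUsers, AllowUsers, DenyGroups, AllowGroups. The Python below is an added example, not code from the Cygwin project or from OpenSSH: it parses a constructed sshd_config fragment and walks a few constructed accounts through that order, using Cygwin's DOMAIN+name spelling for domain groups. The CONTOSO domain, the group names and the users are placeholders; Match blocks and user@host patterns are not modelled.

```python
"""
Model of how OpenSSH's sshd evaluates DenyUsers, AllowUsers, DenyGroups and
AllowGroups (in that order, per sshd_config(5)), applied to Cygwin-style
"DOMAIN+name" accounts.

Added example, not code from the Cygwin project or OpenSSH. The config text
and the accounts are constructed; CONTOSO and the group names are placeholders.
Match blocks and user@host patterns are not modelled.
"""
from fnmatch import fnmatchcase

ACCESS_DIRECTIVES = ("denyusers", "allowusers", "denygroups", "allowgroups")


def parse_access_lists(sshd_config_text):
    """Collect the patterns of the four access-list directives.

    Keys are the lower-cased directive names; repeated directives accumulate,
    which is how sshd treats a second AllowGroups line.
    """
    lists = {name: [] for name in ACCESS_DIRECTIVES}
    for raw in sshd_config_text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blank lines
        if not line:
            continue
        directive, *patterns = line.split()
        if directive.lower() in lists:
            lists[directive.lower()].extend(patterns)
    return lists


def _matches_any(name, patterns):
    # sshd matches these lists with shell-style wildcards, case-sensitively.
    return any(fnmatchcase(name, pat) for pat in patterns)


def sshd_allows_login(user, groups, lists):
    """Return (allowed, reason) for one user.

    `groups` is the full group list sshd would see for the user. On Cygwin
    1.7.35 and later that list is resolved from Windows (the DC for domain
    accounts), so domain groups may carry the DOMAIN+ prefix, e.g. "CONTOSO+SSH".
    """
    if _matches_any(user, lists["denyusers"]):
        return False, "user matches DenyUsers"
    if lists["allowusers"] and not _matches_any(user, lists["allowusers"]):
        return False, "AllowUsers is set and the user is not listed"
    for group in groups:
        if _matches_any(group, lists["denygroups"]):
            return False, "member of a DenyGroups group: " + group
    if lists["allowgroups"] and not any(
            _matches_any(group, lists["allowgroups"]) for group in groups):
        return False, "AllowGroups is set and the user is in none of them"
    return True, "passed all access lists"


# Constructed sshd_config fragment: only members of the domain group "SSH"
# may log in, contractors are kept out even if they are in "SSH", and the
# local guest account is refused by name.
SAMPLE_SSHD_CONFIG = """\
AllowGroups CONTOSO+SSH
DenyGroups  CONTOSO+Contractors
DenyUsers   guest
"""

# Constructed accounts with the group list sshd would see for each.
SAMPLE_ACCOUNTS = {
    "alice": ["CONTOSO+Domain Users", "CONTOSO+SSH"],
    "bob":   ["CONTOSO+Domain Users"],
    "carol": ["CONTOSO+Domain Users", "CONTOSO+SSH", "CONTOSO+Contractors"],
    "guest": ["CONTOSO+Domain Users", "CONTOSO+SSH"],
}


def evaluate_all(config_text=SAMPLE_SSHD_CONFIG, accounts=SAMPLE_ACCOUNTS):
    """Map each account name to its (allowed, reason) outcome."""
    lists = parse_access_lists(config_text)
    return {user: sshd_allows_login(user, groups, lists)
            for user, groups in accounts.items()}


if __name__ == "__main__":
    for user, (allowed, reason) in evaluate_all().items():
        print(f"{user:6s} {'ALLOW' if allowed else 'DENY':5s} {reason}")
```

On a real Cygwin host the names sshd compares against are the ones that id <user> prints in a Cygwin shell there; whether a domain group carries the DOMAIN+ prefix depends on the db_prefix setting in /etc/nsswitch.conf, so check that output before writing an AllowGroups line, and remember that a user matched by AllowGroups still gets only the Windows rights that user already has, as Andrey says below.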
Jarek
2015-07-22 18:57:36 UTC
Post by Andrey Repin
Greetings, Jarek!
Post by Jarek
Post by Andrey Repin
Post by Jarek
So why are they not needed as your comment doesn't really explain that
Read the 1.7.35 changelog.
In short, username resolution was completely reworked, thanks to Corinna, and
Cygwin now directly addresses domain controllers for it.
OK, so it addresses DCs to check some settings or privileges. I don't
suppose it just asks 'hey DS, can contoso\johnd access sshd on server1?'
Indirectly, that can be done, i.e., by including a user in an "SSH" group and
allowing only the "DOMAIN+SSH" group to authorize on the server.
I assume the group name is arbitrary and can be named anything.
I went through the local rights on my sshserver and I see the Everyone and
Users local groups have Allow to access this computer via network.
I take it the 'Act as part of the OS','Create a token object' and
'Replace a process level token' rights are only for the account running
the sshd service.
Post by Andrey Repin
Post by Jarek
to which the DC is like 'dude, what the heck is sshd?' :)
This is not that simple. The actual authentication is done by SSH itself in
this case. Same as on *NIX. For THIS (or, more precisely, to craft the auth token
which IS THE "user" in terms of OS access control) it needs certain privileges.
The details are in the documentation I linked earlier, in the next question about
using public keys with SSH.
I take it the 'Act as part of the OS','Create a token object' and
'Replace a process level token' rights are only for the account running
the sshd service.
Post by Andrey Repin
Post by Jarek
I now have the cygwin service running in domain context, so now I would
somehow need to let the DC know who is allowed to ssh to my server1.
By default, everyone will be allowed, and they will have only what rights they
have, as the actual access control is done by the OS itself, once the user is
authenticated.
Post by Jarek
My domain account, although in local admins on the server is now failing
authentication when trying to ssh. Which gets us back to the question what
do I need for a DC to authenticate me?
Nothing more than what is stated in the FAQ entry.
I suggest starting from a new Cygwin install (stop and remove installed Cygwin
services and rename your existing installation out of the way) and recheck the
results.
Verbose logging from both client and server may give some insight, too.
Here is what I get from the logs on the client when attempting to
connect with WinSCP

17:04:05.612 --------------------------------------------------------------------------
17:04:05.612 WinSCP Version 4.1.9 (Build 416) (OS 6.2.9200)
17:04:05.612 Login time: 22 July 2015 17:04:05
17:04:05.613 --------------------------------------------------------------------------
17:04:05.613 Session name: sshserver
17:04:05.613 Host name: sshserver (Port: 22)
17:04:05.613 User name: contoso\testuser (Password: Yes, Key file: No)
17:04:05.613 Tunnel: No
17:04:05.613 Transfer Protocol: SFTP (SCP)
17:04:05.613 Ping type: -, Ping interval: 30 sec; Timeout: 15 sec
17:04:05.613 Proxy: none
17:04:05.613 SSH protocol version: 2; Compression: No
17:04:05.613 Bypass authentication: No
17:04:05.613 Try agent: Yes; Agent forwarding: No; TIS/CryptoCard: No; KI: Yes; GSSAPI: No
17:04:05.613 Ciphers: aes,blowfish,3des,WARN,arcfour,des; Ssh2DES: No
17:04:05.613 SSH Bugs: -,-,-,-,-,-,-,-
17:04:05.613 SFTP Bugs: -,-
17:04:05.613 Return code variable: Autodetect; Lookup user groups: Yes
17:04:05.613 Shell: default, EOL: 0
17:04:05.613 Clear aliases: Yes, Unset nat.vars: Yes, Resolve symlinks: Yes
17:04:05.613 LS: ls -la, Ign LS warn: Yes, Scp1 Comp: No
17:04:05.613 Local directory: default, Remote directory: home, Update: No, Cache: Yes
17:04:05.613 Cache directory changes: Yes, Permanent: Yes
17:04:05.613 DST mode: 1
17:04:05.613 --------------------------------------------------------------------------
17:04:05.644 Looking up host "sshserver"
17:04:05.645 Connecting to 159.x.x.x port 22
17:04:05.649 Waiting for the server to continue with the initialisation
17:04:05.649 Detected network event
17:04:05.693 Detected network event
17:04:05.693 Server version: SSH-2.0-OpenSSH_6.8
17:04:05.693 We claim version: SSH-2.0-WinSCP_release_4.1.9
17:04:05.693 SSPI: acquired credentials for: ***@contoso.com
17:04:05.693 Constructed service principal name 'host/sshserver'
17:04:05.693 Enabling GSSKEX for this target
17:04:05.694 Using SSH protocol version 2
17:04:05.694 Waiting for the server to continue with the initialisation
17:04:05.708 Detected network event
17:04:05.708 Doing Diffie-Hellman group exchange
17:04:05.708 Waiting for the server to continue with the initialisation
17:04:05.720 Detected network event
17:04:05.720 Doing Diffie-Hellman key exchange with hash SHA-1
17:04:05.760 Waiting for the server to continue with the initialisation
17:04:05.768 Detected network event
17:04:05.821 Host key fingerprint is:
17:04:05.952 ssh-rsa 2048 eb:74:f2:52:b1:08:e9:25:11:9a:e3:e7:b0:94:74:18
17:04:05.952 Initialised AES-256 SDCTR client->server encryption
17:04:05.952 Initialised HMAC-SHA1 client->server MAC algorithm
17:04:05.952 Initialised AES-256 SDCTR server->client encryption
17:04:05.952 Initialised HMAC-SHA1 server->client MAC algorithm
17:04:05.952 Waiting for the server to continue with the initialisation
17:04:05.966 Detected network event
17:04:05.966 Using username "CONTOSO\TESTUSER".
17:04:05.969 Waiting for the server to continue with the initialisation
17:04:05.976 Detected network event
17:04:05.976 Waiting for the server to continue with the initialisation
17:04:05.977 Detected network event
17:04:05.977 Keyboard-interactive authentication refused
17:04:05.977 Prompt (6, SSH password, , &Password: )
17:04:05.977 Using stored password.
17:04:05.979 Sent password
17:04:05.979 Waiting for the server to continue with the initialisation
17:04:06.015 Detected network event
17:04:06.015 Access denied
17:04:06.017 Access denied
17:04:06.017 Prompt (6, SSH password, , &Password: )
17:05:19.693 Disconnected: Unable to authenticate
17:05:19.705 (ESshFatal) Connection has been unexpectedly closed. Server sent command exit status 0.
17:05:19.705 Authentication log (see session log for details):
17:05:19.705 Using username "CONTOSO\TESTUSER".
17:05:19.705 Access denied.
17:05:19.706
17:05:19.706 Authentication failed.


On the server's end it looks a bit puzzling when looking in the logs. In
the security log it looks like it's my CONTOSONET\CYG_Service account
that was trying to log on.
Also in the system log the testuser account's NTLM account name looks
strange with multiple backslashes in it. Mind the accounts are in
different domains, although there is mutual trust between them. They're in
the same forest.

___________________________________________________________

The computer attempted to validate the credentials for an account.
Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Logon Account: NOUSER
Source Workstation: SSHSERVER
Error Code: 0xC0000064

=============================================================================

An account failed to log on.

Subject:
Security ID: CONTOSONET\CYG_SERVICE
Account Name: CYGSERVICE
Account Domain: CONTOSONET
Logon ID: 0x1EF0F8A

Logon Type: 2

Account For Which Logon Failed:
Security ID: NULL SID
Account Name: NOUSER
Account Domain:

Failure Information:
Failure Reason: Unknown user name or bad password.
Status: 0xC000006D
Sub Status: 0xC0000064

Process Information:
Caller Process ID: 0x6d0
Caller Process Name: C:\cygwin\usr\sbin\sshd.exe

Network Information:
Workstation Name: SSHSERVER
Source Network Address: -
Source Port: -

Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Transited Services: -
Package Name (NTLM only): -
Key Length: 0

This event is generated when a logon request fails. It is generated on
the computer where access was attempted.

The Subject fields indicate the account on the local system which
requested the logon. This is most commonly a service such as the Server
service, or a local process such as Winlogon.exe or Services.exe.

The Logon Type field indicates the kind of logon that was requested. The
most common types are 2 (interactive) and 3 (network).

The Process Information fields indicate which account and process on the
system requested the logon.

The Network Information fields indicate where a remote logon request
originated. Workstation name is not always available and may be left
blank in some cases.

The authentication information fields provide detailed information about
this specific logon request.

- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.

============================================================================================================================

A privileged service was called.

Subject:
Security ID: SYSTEM
Account Name: SSHSERVER$
Account Domain: CONTOSONET
Logon ID: 0x3E7

Service:
Server: Security Account Manager
Service Name: Security Account Manager

Process:
Process ID: 0x1f0
Process Name: C:\Windows\System32\lsass.exe

Service Request Information:
Privileges: SeTcbPrivilege


sshd: PID 3108: Invalid user CONTOSO\\TESTUSER from 159.x.x.x
sshd: PID 3108: input_userauth_request: invalid user CONTOSO\\\\TESTUSER [preauth]
sshd: PID 3108: Failed password for invalid user CONTOSO\\TESTUSER from 159.x.x.x port 59652 ssh2
sshd: PID 3108: error: Received disconnect from 159.x.x.x: 13: Unable to authenticate [preauth]
sshd: PID 3108: Disconnected from 159.x.x.x [preauth]
sshd: PID 3108: error: mm_request_receive: socket closed
Post by Andrey Repin
Post by Jarek
Post by Andrey Repin
Post by Jarek
and how exactly did I screw up my setup if I can actually access the
server with a domain user account no problem?
On that, I'm surprised.
Maybe a bug then?
Depends what exactly the state was. But I'm not concerned.
There are very few narrow use cases left for having passwd/group files around,
so it is better to just get rid of them.
For this test I reinstalled without creating the passwd/group files to
no avail.
Post by Andrey Repin
Post by Jarek
Post by Andrey Repin
/etc/passwd/group has nothing to do with "access control".
The files were only used to convert Windows to Cygwin names (and supply other
Cygwin-specific information), on the presumption that there would never be too
much of it. This is now done on the fly, allowing Cygwin to be deployed in large
domains.
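The two records Jarek pasted already say where this attempt died, and they are worth reading together: sshd logs "Invalid user" when it cannot resolve the name it was given, and for an unresolvable name OpenSSH runs the password check against a dummy passwd entry named NOUSER, which is exactly the account the 4625 event names, with Sub Status 0xC0000064 (STATUS_NO_SUCH_USER). The Python below is an added example, not code from the Cygwin project or from OpenSSH: it parses the sshd lines and an abridged copy of the 4625 event from the post above, decodes the NTSTATUS codes from a small table of well-known values, and reports whether the failure was a name lookup or a credential problem. Collapsing the doubled backslashes in the sshd lines rests on an assumption about sshd's log escaping, marked in the code.

```python
"""
Correlate sshd's log lines with the Windows 4625 event from the post, to
tell a name-lookup failure apart from a bad password.

Added example, not code from the Cygwin project or OpenSSH. SSHD_LINES and
EVENT_4625 are copied (abridged) from the post; the NTSTATUS table holds
well-known codes.
"""
import re

# Well-known NTSTATUS values seen in the Status / Sub Status fields of event 4625.
NTSTATUS = {
    0xC000006D: "STATUS_LOGON_FAILURE (generic: unknown user name or bad password)",
    0xC0000064: "STATUS_NO_SUCH_USER (the user name could not be resolved)",
    0xC000006A: "STATUS_WRONG_PASSWORD (account exists, password wrong)",
    0xC0000234: "STATUS_ACCOUNT_LOCKED_OUT",
    0xC0000072: "STATUS_ACCOUNT_DISABLED",
    0xC000015B: "STATUS_LOGON_TYPE_NOT_GRANTED (user right for this logon type missing)",
}

# For an unknown user OpenSSH still runs the password check, against a dummy
# passwd entry named "NOUSER" (auth.c, fakepw()), so timing looks the same.
# A 4625 for NOUSER is therefore sshd rejecting a name, not a real account.
FAKE_USER = "NOUSER"

SSHD_LINES = [  # from the post; raw strings keep the backslashes exactly as logged
    r"sshd: PID 3108: Invalid user CONTOSO\\TESTUSER from 159.x.x.x",
    r"sshd: PID 3108: input_userauth_request: invalid user CONTOSO\\\\TESTUSER [preauth]",
    r"sshd: PID 3108: Failed password for invalid user CONTOSO\\TESTUSER from 159.x.x.x port 59652 ssh2",
]

EVENT_4625 = r"""An account failed to log on.
Subject:
Security ID: CONTOSONET\CYG_SERVICE
Account Name: CYGSERVICE
Account Domain: CONTOSONET
Logon ID: 0x1EF0F8A
Logon Type: 2
Account For Which Logon Failed:
Security ID: NULL SID
Account Name: NOUSER
Account Domain:
Failure Information:
Failure Reason: Unknown user name or bad password.
Status: 0xC000006D
Sub Status: 0xC0000064
Process Information:
Caller Process ID: 0x6d0
Caller Process Name: C:\cygwin\usr\sbin\sshd.exe
"""

SECTIONS = {"Subject", "Account For Which Logon Failed", "Failure Information",
            "Process Information", "Network Information",
            "Detailed Authentication Information"}
_INVALID_RE = re.compile(r"Invalid user (\S+) from (\S+)")
_FIELD_RE = re.compile(r"^\s*([A-Za-z ]+?):\s*(.*)$")


def normalise_name(name):
    # Assumption: sshd's log writer escapes each backslash as a doubled one
    # (and the [preauth] line, relayed through the monitor, shows it doubled
    # again), so collapsing runs of backslashes recovers the name as sent.
    return re.sub(r"\\+", r"\\", name)


def parse_sshd(lines):
    """Return (user name as sent, source address) from the first 'Invalid user' line."""
    for line in lines:
        m = _INVALID_RE.search(line)
        if m:
            return normalise_name(m.group(1)), m.group(2)
    return None, None


def parse_event_4625(text):
    """Flatten 'Key: value' lines into a dict keyed 'Section/Key', because
    Security ID and Account Name occur once per section."""
    fields, section = {}, ""
    for raw in text.splitlines():
        m = _FIELD_RE.match(raw)
        if not m:
            continue
        key, value = m.group(1).strip(), m.group(2).strip()
        if key in SECTIONS:
            section = key
        else:
            fields[f"{section}/{key}" if section else key] = value
    return fields


def diagnose(sshd_lines=SSHD_LINES, event_text=EVENT_4625):
    """Combine both sources into one verdict."""
    user, src = parse_sshd(sshd_lines)
    ev = parse_event_4625(event_text)
    status = int(ev["Failure Information/Status"], 16)
    sub = int(ev["Failure Information/Sub Status"], 16)
    target = ev["Account For Which Logon Failed/Account Name"]
    lookup_failed = target == FAKE_USER and sub == 0xC0000064
    return {
        "user_as_sent": user,
        "source_ip": src,
        "requested_by": ev["Subject/Security ID"],   # the sshd service account
        "logon_type": int(ev["Subject/Logon Type"]),
        "target_account": target,
        "status": NTSTATUS.get(status, hex(status)),
        "sub_status": NTSTATUS.get(sub, hex(sub)),
        "name_lookup_failed": lookup_failed,
        "verdict": ("sshd could not map the name to an account; no real password "
                    "check happened, so fix name resolution first"
                    if lookup_failed else
                    "account resolved; the Sub Status names the credential problem"),
    }


if __name__ == "__main__":
    for key, value in diagnose().items():
        print(f"{key:20s} {value}")
```

Read this way, the logs agree with Andrey's suggestion to drop the domain prefix: the Subject is the service account that asked LSA to validate a logon, the target is sshd's NOUSER stand-in, and the password was never compared with a real account, so neither the user's password nor the user's rights were tested at all until the name form sshd receives resolves.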
Andrey Repin
2015-07-22 21:46:27 UTC
Greetings, Jarek!
Post by Jarek
Post by Andrey Repin
Post by Jarek
Post by Andrey Repin
Post by Jarek
So why are they not needed as your comment doesn't really explain that
Read the 1.7.35 changelog.
In short, username resolution was completely reworked, thanks to Corinna, and
Cygwin now directly addresses domain controllers for it.
OK, so it addresses DCs to check some settings or privileges. I don't
suppose it just asks 'hey DS, can contoso\johnd access sshd on server1?'
Indirectly, that can be done, i.e., by including a user in an "SSH" group and
allowing only the "DOMAIN+SSH" group to authorize on the server.
I assume the group name is arbitrary and can be named anything.
Of course. I have a generic "RemoteUsers" group for all users that are allowed
remote access (VPN, SSH, etc.)
Post by Jarek
I went through the local rights on my sshserver and I see the Everyone and
Users local groups have Allow to access this computer via network.
I take it the 'Act as part of the OS','Create a token object' and
'Replace a process level token' rights are only for the account running
the sshd service.
Yes, these are only used by the service itself, and not propagated to the users
connected.
Post by Jarek
Post by Andrey Repin
Verbose logging from both client and server may give some insight, too.
Here is what I get from the logs on the client when attempting to
connect with WinSCP
Try using only the username to log in, without the domain prefix.
And disable other auth mechanics while you are testing; namely, I see it trying
GSSAPI, which wouldn't work unless explicitly configured and allowed.

Please attach long listings as files or provide links to the pastebin service of
your choice.
--
With best regards,
Andrey Repin
Thursday, July 23, 2015 00:42:20

Sorry for my terrible English...


Jarek
2015-07-24 19:05:10 UTC
Post by Andrey Repin
Greetings, Jarek!
Post by Jarek
Post by Andrey Repin
Post by Jarek
Post by Andrey Repin
Post by Jarek
So why are they not needed as your comment doesn't really explain that
Read the 1.7.35 changelog.
In short, username resolution was completely reworked, thanks to Corinna, and
Cygwin now directly addresses domain controllers for it.
OK, so it addresses DCs to check some settings or privileges. I don't
suppose it just asks 'hey DS, can contoso\johnd access sshd on server1?'
Indirectly, that can be done, i.e., by including a user in an "SSH" group and
allowing only the "DOMAIN+SSH" group to authorize on the server.
I assume the group name is arbitrary and can be named anything.
Of course. I have a generic "RemoteUsers" group for all users that are allowed
remote access (VPN, SSH, etc.)
Post by Jarek
I went through the local rights on my sshserver and I see the Everyone and
Users local groups have Allow to access this computer via network.
I take it the 'Act as part of the OS','Create a token object' and
'Replace a process level token' rights are only for the account running
the sshd service.
Yes, these are only used by the service itself, and not propagated to the users
connected.
Post by Jarek
Post by Andrey Repin
Verbose logging from both client and server may give some insight, too.
Here is what I get from the logs on the client when attempting to
connect with WinSCP
Try using only the username to log in, without the domain prefix.
And disable other auth mechanics while you are testing; namely, I see it trying
GSSAPI, which wouldn't work unless explicitly configured and allowed.
Please attach long listings as files or provide links to the pastebin service of
your choice.
Hi Andrey,

As much as I don't like giving up, after lots of testing I found the
only way I can get a domain user to access my server is by creating the
/etc/passwd file and adding the users there. I don't understand the
workings behind this, but at least it works. Thank you very much for your
help and patience. Due to tons of other things I have to work on now, I
won't be pursuing this further, but hey, Microsoft are yet again working
on ssh. Maybe they succeed this time.
All the best.

Jarek
2015-08-02 12:47:50 UTC
Post by Andrey Repin
Greetings, Jarek!
Post by Jarek
Post by Andrey Repin
Post by Jarek
Post by Andrey Repin
Post by Jarek
So why are they not needed as your comment doesn't really explain that
Read the 1.7.35 changelog.
In short, username resolution was completely reworked, thanks to Corinna, and
Cygwin now directly addresses domain controllers for it.
OK, so it addresses DCs to check some settings or privileges. I don't
suppose it just asks 'hey DS, can contoso\johnd access sshd on server1?'
Indirectly, that can be done, i.e., by including a user in an "SSH" group and
allowing only the "DOMAIN+SSH" group to authorize on the server.
I assume the group name is arbitrary and can be named anything.
Of course. I have a generic "RemoteUsers" group for all users that are allowed
remote access (VPN, SSH, etc.)
Post by Jarek
I went through the local rights on my sshserver and I see the Everyone and
Users local groups have Allow to access this computer via network.
I take it the 'Act as part of the OS','Create a token object' and
'Replace a process level token' rights are only for the account running
the sshd service.
Yes, these are only used by the service itself, and not propagated to the users
connected.
Post by Jarek
Post by Andrey Repin
Verbose logging from both client and server may give some insight, too.
Here is what I get from the logs on the client when attempting to
connect with WinSCP
Try using only the username to log in, without the domain prefix.
And disable other auth mechanics while you are testing; namely, I see it trying
GSSAPI, which wouldn't work unless explicitly configured and allowed.
Please attach long listings as files or provide links to the pastebin service of
your choice.
Hi Andrey,
Just for an update, I deployed ssh access using the passwd file. I found
it works fine as long as the user connecting is a member of local
admins. Otherwise users are not able to connect. Looks like this may be
a bug after all.
Best,
Jarek

