Discussion:
ssh problem using publickey in domain environment
Jukka Inkeri
2010-02-23 17:01:38 UTC
I have read this mailing list and many other good pages on how to set up
sshd in a Cygwin environment. I have installed many Cygwin sshd servers,
but on the last few servers I have had a publickey auth problem.

The basic model works fine, but in the domain environment there have been some
problems. Today I found some answers, but not all.

If I have used e.g. win2003 (or win2008r2) servers and those are members
of a domain and a domain controller, then
ssh-host-config -y
net start sshd
works fine; you can use password or RSA publickey auth, no problem.
cyg_server and sshd are domain users, works fine.

But if your server is a member of a domain but not a domain controller, then
publickey does not work: setuid problem. In this case the server can use local
and domain users. A controller uses only domain users.

Today I found a "dirty" solution: I also added the user as a local user and it works
fine also with publickey auth. cyg_server and sshd are local users and the
user is also local, works fine. But not when using domain users?
mkpasswd -l ...
mkpasswd -d domain ...

Why does it work if your server is a domain controller, but not if it is
only a member of a domain?
- setting privileges? e.g. SeAssignPrimaryTokenPrivilege

If your server is a member of a domain, how do you make the users, sshd, (in which
order) ... without the setuid problem when using publickey auth? cyg_server
and sshd - domain user or local or both???


-jukka-
Larry Hall (Cygwin)
2010-02-23 17:35:32 UTC
Post by Jukka Inkeri
If your server is a member of a domain, how do you make the users, sshd, (in which
order) ... without the setuid problem when using publickey auth? cyg_server
and sshd - domain user or local or both???
In order for the SSH server to switch user context to a domain user,
the service's user (cyg_server) must be a domain user with the rights
outlined in 'ssh-host-config'. I'm not sure if it's a requirement that
the 'sshd' user also be a domain user. I've never played with that.
--
Larry Hall http://www.rfk.com
RFK Partners, Inc. (508) 893-9779 - RFK Office
216 Dalton Rd. (508) 893-9889 - FAX
Holliston, MA 01746

_____________________________________________________________________

A: Yes.
> Q: Are you sure?
>> A: Because it reverses the logical flow of conversation.
>>> Q: Why is top posting annoying in email?
Corinna Vinschen
2010-02-24 10:13:55 UTC
Post by Larry Hall (Cygwin)
Post by Jukka Inkeri
If your server is a member of a domain, how do you make the users, sshd, (in which
order) ... without the setuid problem when using publickey auth? cyg_server
and sshd - domain user or local or both???
In order for the SSH server to switch user context to a domain user,
the service's user (cyg_server) must be a domain user with the rights
outlined in 'ssh-host-config'. I'm not sure if it's a requirement that
the 'sshd' user also be a domain user. I've never played with that.
I added a FAQ entry lately:

http://cygwin.com/faq/faq-nochunks.html#faq.using.sshd-in-domain


Corinna
--
Corinna Vinschen Please, send mails regarding Cygwin to
Cygwin Project Co-Leader cygwin AT cygwin DOT com
Red Hat
Andrew DeFaria
2010-02-24 15:44:25 UTC
Post by Corinna Vinschen
Post by Larry Hall (Cygwin)
Post by Jukka Inkeri
If your server is a member of a domain, how do you make the users, sshd, (in which
order) ... without the setuid problem when using publickey auth? cyg_server
and sshd - domain user or local or both???
In order for the SSH server to switch user context to a domain user,
the service's user (cyg_server) must be a domain user with the rights
outlined in 'ssh-host-config'. I'm not sure if it's a requirement that
the 'sshd' user also be a domain user. I've never played with that.
http://cygwin.com/faq/faq-nochunks.html#faq.using.sshd-in-domain
You might want to change that to:

$ mkpasswd -l -d your_domain >> /etc/passwd
$ mkgroup -l -d your_domain >> /etc/group

so as not to destroy whatever the user had in /etc/{passwd,group}.
--
Andrew DeFaria <http://defaria.com>
I didn't fight my way to the top of the food chain to be a vegetarian.
Corinna Vinschen
2010-02-24 16:48:15 UTC
Post by Andrew DeFaria
Post by Corinna Vinschen
Post by Larry Hall (Cygwin)
Post by Jukka Inkeri
If your server is a member of a domain, how do you make the users, sshd, (in which
order) ... without the setuid problem when using publickey auth? cyg_server
and sshd - domain user or local or both???
In order for the SSH server to switch user context to a domain user,
the service's user (cyg_server) must be a domain user with the rights
outlined in 'ssh-host-config'. I'm not sure if it's a requirement that
the 'sshd' user also be a domain user. I've never played with that.
http://cygwin.com/faq/faq-nochunks.html#faq.using.sshd-in-domain
$ mkpasswd -l -d your_domain >> /etc/passwd
$ mkgroup -l -d your_domain >> /etc/group
so as not to destroy whatever the user had in /etc/{passwd,group}.
IMHO that's not a good idea. The passwd and group files should be
regenerated at this point to get a stable, well-defined state, and then
you can re-add any local changes at your heart's content. YMMV, of
course.


Corinna
--
Corinna Vinschen Please, send mails regarding Cygwin to
Cygwin Project Co-Leader cygwin AT cygwin DOT com
Red Hat
Andrew DeFaria
2010-02-24 16:56:44 UTC
Post by Corinna Vinschen
Post by Corinna Vinschen
Post by Larry Hall (Cygwin)
Post by Jukka Inkeri
If your server is a member of a domain, how do you make the users, sshd, (in which
order) ... without the setuid problem when using publickey auth? cyg_server
and sshd - domain user or local or both???
In order for the SSH server to switch user context to a domain user,
the service's user (cyg_server) must be a domain user with the rights
outlined in 'ssh-host-config'. I'm not sure if it's a requirement that
the 'sshd' user also be a domain user. I've never played with that.
http://cygwin.com/faq/faq-nochunks.html#faq.using.sshd-in-domain
$ mkpasswd -l -d your_domain >> /etc/passwd
$ mkgroup -l -d your_domain >> /etc/group
so as not to destroy whatever the user had in /etc/{passwd,group}.
IMHO that's not a good idea. The passwd and group files should be
regenerated at this point to get a stable, well-defined state, and then
you can re-add any local changes at your heart's content. YMMV, of
course.
I mistyped. If all that was really required was getting cyg_server in
there then perhaps -u cyg_server should have been used. In any event I
think you should point out that this will replace the current
/etc/{passwd,group}
--
Andrew DeFaria <http://defaria.com>
What was the best thing before sliced bread?
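The exchange above is about two ways of getting domain accounts into Cygwin's /etc/passwd: appending mkpasswd output to the existing file (which silently leaves two entries for any name that already exists, such as a cyg_server that was once local and is now a domain user), or regenerating the file into a clean state and then re-adding hand-made local entries. The following is an added example, not code from this thread or from the Cygwin project, of the second approach done mechanically: take the freshly generated file as authoritative, carry over only those entries of the old file whose user name is absent from the new one, and report any duplicate names so an append-style merge can be detected. mkpasswd is not run here; the "generated" data is constructed sample content standing in for `mkpasswd -l -d your_domain` output, laid out in Cygwin's passwd field order (name:passwd:uid:gid:gecos:home:shell) with made-up SIDs. The function names and the temporary file names are this example's own.

```shell
#!/bin/sh
# Added example (not Cygwin's own tooling): rebuild a passwd-style file from
# regenerated data, then re-add the local entries the new data does not cover.
# Everything operates on plain files, so it runs without Cygwin or mkpasswd.

# carry_over OLD NEW: print the lines of OLD whose user name (field 1) does not
# occur in NEW. An entry present in both files is taken from NEW, so a user that
# changed from local to domain (different uid/gid/SID) is not kept twice.
carry_over() {
    awk -F: 'NR == FNR { if (NF) seen[$1] = 1; next } NF && !($1 in seen)' "$2" "$1"
}

# merge_passwd OLD NEW OUT: OUT = NEW followed by the carried-over lines of OLD.
merge_passwd() {
    { cat "$2"; carry_over "$1" "$2"; } > "$3"
}

# find_duplicates FILE: print each user name that appears more than once.
# A non-empty result is what a blind ">> /etc/passwd" append produces.
find_duplicates() {
    awk -F: 'NF && ++count[$1] == 2 { print $1 }' "$1"
}

# Walk-through on constructed data; the SIDs and uids are invented.
demo() {
    tmp=$(mktemp -d)
    cat > "$tmp/passwd.old" <<'EOF'
Administrator:unused:500:544:U-HOST\Administrator,S-1-5-21-1-2-3-500:/home/Administrator:/bin/bash
cyg_server:unused:1003:513:U-HOST\cyg_server,S-1-5-21-1-2-3-1003:/var/empty:/bin/false
jukka:unused:1005:513:U-HOST\jukka,S-1-5-21-1-2-3-1005:/home/jukka:/bin/bash
buildbot:unused:2000:513:hand-added local service account:/home/buildbot:/bin/bash
EOF
    # Constructed stand-in for regenerated output: cyg_server and jukka are now
    # domain accounts, and the hand-added buildbot entry is not produced at all.
    cat > "$tmp/passwd.new" <<'EOF'
Administrator:unused:500:544:U-HOST\Administrator,S-1-5-21-1-2-3-500:/home/Administrator:/bin/bash
cyg_server:unused:11003:10513:U-YOURDOMAIN\cyg_server,S-1-5-21-9-8-7-1003:/var/empty:/bin/false
jukka:unused:11005:10513:U-YOURDOMAIN\jukka,S-1-5-21-9-8-7-1005:/home/jukka:/bin/bash
EOF
    echo "== append-style result has duplicate names:"
    cat "$tmp/passwd.old" "$tmp/passwd.new" > "$tmp/passwd.appended"
    find_duplicates "$tmp/passwd.appended"

    echo "== regenerate-then-carry-over result:"
    merge_passwd "$tmp/passwd.old" "$tmp/passwd.new" "$tmp/passwd.merged"
    cat "$tmp/passwd.merged"
    rm -rf "$tmp"
}

demo
```

The same functions apply unchanged to /etc/group, since the group name is also field 1. Before replacing the live files, run `find_duplicates` on the merged result and diff it against the current file; a name that survives only by carry-over is a local entry the regeneration did not know about, which is exactly the set of "local changes" to review by hand.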
Larry Hall (Cygwin)
2010-02-24 17:27:24 UTC
Post by Corinna Vinschen
Post by Larry Hall (Cygwin)
Post by Jukka Inkeri
If your server is a member of a domain, how do you make the users, sshd, (in which
order) ... without the setuid problem when using publickey auth? cyg_server
and sshd - domain user or local or both???
In order for the SSH server to switch user context to a domain user,
the service's user (cyg_server) must be a domain user with the rights
outlined in 'ssh-host-config'. I'm not sure if it's a requirement that
the 'sshd' user also be a domain user. I've never played with that.
http://cygwin.com/faq/faq-nochunks.html#faq.using.sshd-in-domain
Many thanks. :-)
--
Larry Hall http://www.rfk.com
RFK Partners, Inc. (508) 893-9779 - RFK Office
216 Dalton Rd. (508) 893-9889 - FAX
Holliston, MA 01746