Re: CYGWIN - As admin setup other users SSH for them?
On 6/10/2014 21:04, Roger Vicker, CCP wrote:
>> In that case, why not just replicate the effect of "ssh-copy-id"
>
> 1) The point of using keys is to eliminate password login (there are
> other layers involved elsewhere).
> 2) Even if I "temporarily" enabled password login I would need the
> user's password to this network.
> 3) The usual "after necessary sharing a password" changing of it upsets
> the user as the periodic change is always "too frequent".

So make the Android client generate a key pair on first launch, then until it successfully uses the key to log in, ask for the user's password and use that instead. Thereafter, use the key exclusively.

Windows doesn't readily offer a "su" or "sudo" like mechanism. There are ways[1] to arm-twist Windows into offering something like it, but it's a lot of work to go through to achieve your preconceived solution to the problem.

[1] https://cygwin.com/cygwin-ug-net/ntsec.html#ntsec-nopasswd1

--
Problem reports:       http://cygwin.com/problems.html
FAQ:                   http://cygwin.com/faq/
Documentation:         http://cygwin.com/docs.html
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple
Re: CYGWIN - As admin setup other users SSH for them?
On 6/10/2014 4:36 PM, Warren Young arranged the binary bits such that:
> On 6/10/2014 14:56, Roger Vicker, CCP wrote:
>> These particular users are barely computer literate so I would be
>> copying the private keys directly to their Android devices
>
> In that case, why not just replicate the effect of "ssh-copy-id" from
> each Android device before it leaves your hands?
>

1) The point of using keys is to eliminate password login (there are other layers involved elsewhere).
2) Even if I "temporarily" enabled password login I would need the user's password to this network.
3) The usual "after necessary sharing a password" changing of it upsets the user as the periodic change is always "too frequent".
Re: CYGWIN - As admin setup other users SSH for them?
On 6/10/2014 14:56, Roger Vicker, CCP wrote:
> These particular users are barely computer literate so I would be
> copying the private keys directly to their Android devices

In that case, why not just replicate the effect of "ssh-copy-id" from each Android device before it leaves your hands?
Re: CYGWIN - As admin setup other users SSH for them?
On 6/5/2014 2:46 AM, Warren Young arranged the binary bits such that:
> On 6/4/2014 16:05, Roger Vicker, CCP wrote:
>> 3) deliver the private key to the user along with the rest of the
>> instructions on how to use it in the provided apps.
> How were you planning on delivering these sensitive private keys? Via
> insecure email, perhaps?

These particular users are barely computer literate so I would be copying the private keys directly to their Android devices and setting up the apps that need to use SSH as a tunnel to connect to their server side apps.

> Use ssh as it was designed: have the users generate their own local
> keypairs, and have them email the public key to you. The words we use
> here mean something. The *public* key goes out over the public link,
> and the *private* key stays at home.
>

I know security. That is why we are implementing SSH with keys to further secure a remote protocol. VPN is not as practical given the level of the users, the specific remote devices and app.

> It's not like the commands are difficult. They set up a local Cygwin,
> add the openssh package, then say:
>
>     $ ssh-keygen
>     ...press Enter a bunch of times...
>     $ cat ~/.ssh/id_rsa.pub > /dev/clipboard
>     ...compose email to rvicker, paste
>
>> Without their passwords I can't login to establish their $home
>> directory structure,
> Take a look at /etc/profile, starting at line 75. See the stuff about
> /etc/skel? That's how the user's home directory gets set up. Nothing
> magic here. You could cut those couple-dozen lines into a new script
> and tweak it for your purposes.
>
> The only trick is that if you do all this as administrator, you'll
> have to say something like
>
>     # chown -R otheruser.otheruser ~otheruser
>
> after you get done setting up the user's home directory.
>
Re: CYGWIN - As admin setup other users SSH for them?
On 6/4/2014 16:05, Roger Vicker, CCP wrote:
> 3) deliver the private key to the user along with the rest of the
> instructions on how to use it in the provided apps.

How were you planning on delivering these sensitive private keys? Via insecure email, perhaps?

Use ssh as it was designed: have the users generate their own local keypairs, and have them email the public key to you. The words we use here mean something. The *public* key goes out over the public link, and the *private* key stays at home.

It's not like the commands are difficult. They set up a local Cygwin, add the openssh package, then say:

    $ ssh-keygen
    ...press Enter a bunch of times...
    $ cat ~/.ssh/id_rsa.pub > /dev/clipboard
    ...compose email to rvicker, paste

> Without their passwords I can't login to establish their $home
> directory structure,

Take a look at /etc/profile, starting at line 75. See the stuff about /etc/skel? That's how the user's home directory gets set up. Nothing magic here. You could cut those couple-dozen lines into a new script and tweak it for your purposes.

The only trick is that if you do all this as administrator, you'll have to say something like

    # chown -R otheruser.otheruser ~otheruser

after you get done setting up the user's home directory.
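The administrator's half of the workflow in the message above (the user mails in a public key, the admin installs it and fixes ownership), as an added example that is not part of the original thread. The helper name install_pubkey and the sample key are assumptions made for illustration; the key is constructed and is not a real key.

```shell
#!/bin/sh
# Added example, not from the thread. install_pubkey is a hypothetical helper:
#   install_pubkey HOME_DIR PUBKEY_FILE [OWNER]
install_pubkey() {
    local home="$1" keyfile="$2" owner="${3:-}" line ktype rest blob
    [ -r "$keyfile" ] || { echo "cannot read $keyfile" >&2; return 1; }

    # Refuse the private half: it should never have left the user's device.
    if grep -q 'PRIVATE KEY' "$keyfile"; then
        echo "refusing: $keyfile holds a private key" >&2
        return 2
    fi

    # First non-blank line, with the CRs that mail clients add stripped.
    line=$(tr -d '\r' <"$keyfile" | sed -n '/[^[:space:]]/{p;q;}')
    ktype=${line%% *}; rest=${line#* }; blob=${rest%% *}

    # Structural check: a known key type, then a base64 blob. The first three
    # bytes of an OpenSSH public-key blob are zero, which encodes as "AAAA".
    case $ktype in
        ssh-rsa|ssh-ed25519|ecdsa-sha2-nistp256|ecdsa-sha2-nistp384|ecdsa-sha2-nistp521) ;;
        *) echo "refusing: unknown key type" >&2; return 3 ;;
    esac
    case $blob in
        AAAA*[!A-Za-z0-9+/=]*) echo "refusing: malformed key" >&2; return 3 ;;
        AAAA?*) ;;
        *) echo "refusing: malformed key" >&2; return 3 ;;
    esac

    # With StrictModes, sshd rejects keys whose directory or file is
    # writable by group or others.
    mkdir -p "$home/.ssh"
    chmod 700 "$home/.ssh"
    touch "$home/.ssh/authorized_keys"
    chmod 600 "$home/.ssh/authorized_keys"

    # Append only if this key is not already authorised.
    if ! grep -qF -- "$blob" "$home/.ssh/authorized_keys"; then
        printf '%s\n' "$line" >>"$home/.ssh/authorized_keys"
    fi

    # Run as administrator: hand the files to the account, as the thread's chown does.
    if [ -n "$owner" ]; then chown -R "$owner" "$home/.ssh"; fi
    return 0
}

# Demo on constructed input (not a real key), in a throwaway directory.
demo=$(mktemp -d)
echo 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIConstructedSampleNotARealKey00 user@android' >"$demo/id.pub"
install_pubkey "$demo/home" "$demo/id.pub" && cat "$demo/home/.ssh/authorized_keys"
```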
CYGWIN - As admin setup other users SSH for them?
I've got a Windows system set up with SSH in CYGWIN working. I've used mkpasswd to install the users in /etc/passwd.

As administrator I want to:
1) generate the key pairs for the other users.
2) install the public key in the user's $home/.ssh/authorized_keys.
3) deliver the private key to the user along with the rest of the instructions on how to use it in the provided apps.

Without their passwords I can't login to establish their $home directory structure, run ssh-keygen, copy the key files.

Thanks.