Windows Guest Account Locked SSH
I have a similar problem to this post: http://cygwin.com/ml/cygwin/2012-06/msg00507.html except that the version I am using is 1.7.25, downloaded relatively recently.

It seems that making an ssh connection to the Cygwin host, using RSA certificate to achieve passwordless connection, causes the SSHD service on the host to perform an authentication using the account that the service is hosted with ... but that it apparently does not qualify the account with a domain (i.e. the local machine) and apparently the assumption is that it should be a DOMAIN account - there was no DOMAIN\CYG_SERVER account so it fails and I assume it then tries DOMAIN\Guest as a fall-back, with the wrong password and therefore locks out DOMAIN\Guest.

So I created a DOMAIN\CYG_SERVER account with the same password as LOCALDOMAIN\CYG_SERVER and presto!, SSH connections from my client with no domain guest lockout.

I have googled to infinity and beyond and found only a few references to this problem, and none of them suggest this or any other solution, merely that you can try this and that (one relating to duplicated SIDs - not the reason).

I have tried to attach the sanitized output of cygcheck -s -v -r cygcheck.out as suggested and copies of the ssh config files, but Cygwin mailserver sees the mail as spam?!

The SSH configs on both the host and client have been modified to eliminate any passworded/Kerberos/GSSAPI options leaving just the publickey authentication.

Can anyone specify a better solution than creating a matching domain account? I can't help thinking that I have missed some configuration item that would deal with this directly.
This e mail carries a disclaimer, a copy of which may be read at: http://www.gmp.police.uk/emaildisclaimer

    # $OpenBSD: ssh_config,v 1.23 2007/06/08 04:40:40 pvalchev Exp $

    # This is the ssh client system-wide configuration file. See
    # ssh_config(5) for more information. This file provides defaults for
    # users, and the values can be changed in per-user configuration files
    # or on the command line.

    # Configuration data is parsed as follows:
    # 1. command line options
    # 2. user-specific file
    # 3. system-wide file
    # Any configuration value is only changed the first time it is set.
    # Thus, host-specific definitions should be at the beginning of the
    # configuration file, and defaults at the end.

    # Site-wide defaults for some commonly used options. For a comprehensive
    # list of available options, their meanings and defaults, please see the
    # ssh_config(5) man page.

    # Host *
    # ForwardAgent no
    # ForwardX11 no
    # RhostsRSAAuthentication no
    RSAAuthentication yes
    PasswordAuthentication no
    HostbasedAuthentication no
    GSSAPIAuthentication no
    GSSAPIDelegateCredentials no
    # BatchMode no
    # CheckHostIP yes
    # AddressFamily any
    # ConnectTimeout 0
    # StrictHostKeyChecking ask
    # IdentityFile ~/.ssh/identity
    IdentityFile ~/.ssh/id_rsa
    # IdentityFile ~/.ssh/id_dsa
    # Port 22
    # Protocol 2,1
    # Cipher 3des
    # Ciphers aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc
    # MACs hmac-md5,hmac-sha1,umac...@openssh.com,hmac-ripemd160
    # EscapeChar ~
    # Tunnel no
    # TunnelDevice any:any
    # PermitLocalCommand no

    # $OpenBSD: sshd_config,v 1.89 2013/02/06 00:20:42 dtucker Exp $

    # This is the sshd server system-wide configuration file. See
    # sshd_config(5) for more information.

    # This sshd was compiled with PATH=/bin:/usr/sbin:/sbin:/usr/bin

    # The strategy used for options in the default sshd_config shipped with
    # OpenSSH is to specify options with their default value where
    # possible, but leave them commented. Uncommented options override the
    # default value.

    Port 22
    #AddressFamily any
    #ListenAddress 0.0.0.0
    #ListenAddress ::

    # The default requires explicit activation of protocol 1
    #Protocol 2

    # HostKey for protocol version 1
    #HostKey /etc/ssh_host_key
    # HostKeys for protocol version 2
    #HostKey /etc/ssh_host_rsa_key
    #HostKey /etc/ssh_host_dsa_key
    #HostKey /etc/ssh_host_ecdsa_key

    # Lifetime and size of ephemeral version 1 server key
    #KeyRegenerationInterval 1h
    #ServerKeyBits 1024

    # Logging
    # obsoletes QuietMode and FascistLogging
    #SyslogFacility AUTH
    LogLevel DEBUG

    # Authentication:

    #LoginGraceTime 2m
    #PermitRootLogin yes
    StrictModes no
    #MaxAuthTries 6
    #MaxSessions 10

    #RSAAuthentication yes
    PubkeyAuthentication yes

    # The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2
    # but this is overridden so installations will only
Re: Windows Guest Account Locked SSH
On 6 November 2013 10:26, Jez.Noake wrote:
> I have tried to attach the sanitized output of cygcheck -s -v -r cygcheck.out as suggested and copies of the ssh config files, but Cygwin mailserver sees the mail as spam?!

That's probably because of this:

> This e mail carries a disclaimer, a copy of which may be read at: http://www.gmp.police.uk/emaildisclaimer

Such disclaimers aren't helpful on a public mailing list that's sent to people you don't know and that's archived online indefinitely. See https://sourceware.org/lists.html#disclaimer-bounce for a more detailed explanation and what to do about it.

Alternatively, it could genuinely be the filters think your email is spam; the way to deal with this is at https://sourceware.org/lists.html#spam.

Both the above links are in the mailing list FAQ, which is linked from http://cygwin.com/lists.html and I believe is linked from the rejection emails you would have received.

Overseers, as requested, have an email with a disclaimer link that slipped through the filter.

--
Problem reports: http://cygwin.com/problems.html
FAQ: http://cygwin.com/faq/
Documentation: http://cygwin.com/docs.html
Unsubscribe info: http://cygwin.com/ml/#unsubscribe-simple
Re: Windows Guest Account Locked SSH
On 11/6/2013 5:26 AM, jez.no...@gmp.police.uk wrote:
> I have a similar problem to this post: http://cygwin.com/ml/cygwin/2012-06/msg00507.html except that the version I am using is 1.7.25, downloaded relatively recently.
>
> It seems that making an ssh connection to the Cygwin host, using RSA certificate to achieve passwordless connection, causes the SSHD service on the host to perform an authentication using the account that the service is hosted with ... but that it apparently does not qualify the account with a domain (i.e. the local machine) and apparently the assumption is that it should be a DOMAIN account - there was no DOMAIN\CYG_SERVER account so it fails and I assume it then tries DOMAIN\Guest as a fall-back, with the wrong password and therefore locks out DOMAIN\Guest.
>
> So I created a DOMAIN\CYG_SERVER account with the same password as LOCALDOMAIN\CYG_SERVER and presto!, SSH connections from my client with no domain guest lockout.
>
> I have googled to infinity and beyond and found only a few references to this problem, and none of them suggest this or any other solution, merely that you can try this and that (one relating to duplicated SIDs - not the reason).

snip

> Can anyone specify a better solution than creating a matching domain account? I can't help thinking that I have missed some configuration item that would deal with this directly.

No, this is exactly the way to do it. ssh-host-config cannot create a privileged domain account when run as any user from any machine so it doesn't try to. If you need a domain user to be able to authenticate with pubkey, you have to do what you did to make that work. The side effect of locking the domain guest account is a new twist I hadn't heard of before but then again, it is Windows we're talking about. ;-)

--
Larry
_
A: Yes.
Q: Are you sure?
A: Because it reverses the logical flow of conversation.
Q: Why is top posting annoying in email?
Re: Windows Guest Account Locked SSH
On Wed, Nov 06, 2013 at 10:26:17AM +, jez.no...@gmp.police.uk wrote:
> ...Cygwin mailserver sees the mail as spam?!

First: please calm down.

Second: If you think you're being blocked inappropriately then send email to postmaster. No one here is going to spend time fixing spam issues.
Re: Windows Guest Account Locked SSH
George Luiz Bittencourt wrote:
> Hello, We are facing an issue where our guest domain account is getting locked during the SSH logon process and we

Also, does your guest account have a password? Some of the newer versions of Windows get picky about allowing remote logins with blank passwords.

Another thing to check -- by default win7 ships with guest domain account disabled. You have to enable it as an admin...
Windows Guest Account Locked SSH
Hello,

We are facing an issue where our guest domain account is getting locked during the SSH logon process and we do not know how to troubleshoot this problem. We did some research but did not find anything useful about this issue so we decided to ask for help.

Does anyone know what could be causing this? We are running a very old version, Cygwin 1.5.2, but we are not sure if this is the cause.

Basically if we open an SSH session to server A our guest domain account is locked and if we check the Windows event log we see an event saying that the account was locked from server A.

-George
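Added example (not part of any message in this thread): one way to check whether domain Guest lockouts attributed to the sshd host line up with public-key logins, as the event-log observation above and the 2013 report suggest. The lockout records, sshd log lines, field names and host names are constructed for illustration; on Windows Vista and later the lockout records would come from Security-log Event ID 4740.

```python
from datetime import datetime, timedelta

# Constructed sample data (not from the thread). Field names are assumptions
# standing in for an export of account-lockout events from the Security log.
LOCKOUTS = [
    {"time": "2013-11-06T10:02:07", "account": "Guest", "caller": "SERVERA"},
    {"time": "2013-11-06T10:40:00", "account": "Guest", "caller": "WKSTN7"},
    {"time": "2013-11-06T11:15:31", "account": "Guest", "caller": "SERVERA"},
    {"time": "2013-11-06T11:15:40", "account": "alice", "caller": "SERVERA"},
    {"time": "2013-11-06T12:00:00", "account": "Guest", "caller": "SERVERA"},
]
# Constructed sshd log lines; the ISO timestamp prefix is an assumed format.
SSHD_LOG = """\
2013-11-06T10:02:05 sshd: Accepted publickey for jez from 10.0.0.5 port 50111 ssh2
2013-11-06T10:30:00 sshd: Accepted publickey for jez from 10.0.0.5 port 50190 ssh2
2013-11-06T11:15:30 sshd: Accepted publickey for ops from 10.0.0.9 port 41022 ssh2
"""

def parse_logins(text):
    """Return (datetime, user, source_ip) for each accepted pubkey login."""
    logins = []
    for line in text.splitlines():
        stamp, _, msg = line.partition(" sshd: ")
        words = msg.split()
        if words[:3] == ["Accepted", "publickey", "for"] and len(words) >= 6:
            logins.append((datetime.fromisoformat(stamp), words[3], words[5]))
    return logins

def correlate(lockouts, logins, sshd_host, account="Guest", window=10):
    """Pair each lockout of `account` raised from `sshd_host` with the pubkey
    logins that completed at most `window` seconds before it."""
    findings = []
    for ev in lockouts:
        if (ev["account"].lower(), ev["caller"].lower()) != (account.lower(), sshd_host.lower()):
            continue
        when = datetime.fromisoformat(ev["time"])
        near = [(user, ip) for t, user, ip in logins
                if timedelta(0) <= when - t <= timedelta(seconds=window)]
        findings.append({"lockout": ev["time"], "logins": near})
    return findings

def unexplained(findings):
    """Lockouts from the sshd host with no nearby login need another cause."""
    return [f["lockout"] for f in findings if not f["logins"]]

if __name__ == "__main__":
    for finding in correlate(LOCKOUTS, parse_logins(SSHD_LOG), "SERVERA"):
        print(finding)
```

Lockouts that pair with a login point at the sshd service account lookup; the ones `unexplained()` returns were raised from the same host without a matching SSH session and need a separate look.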
Re: Windows Guest Account Locked SSH
On Wed, Jun 27, 2012 at 12:13:25PM +, George Luiz Bittencourt wrote:
> We are running a very old version, Cygwin 1.5.2, but we are not sure if this is the cause.

You should update (probably reinstalling would be better) to current cygwin if possible, and check if you still have the same problem.

--
Primary key fingerprint: AD8F BDC0 5A2C FD5F A179 60E7 F79B AB04 5299 EC56