Re: ssh problem using publickey in domain environment
On Feb 23 12:35, Larry Hall (Cygwin) wrote:
> On 02/23/2010 12:01 PM, Jukka Inkeri wrote:
>> If your server is member of domain, howto make users, sshd, (which order) ... without setuid problem when using publickey auth ?
>> cyg_server and sshd - domain user or local or both, ???
>
> In order for the SSH server to switch user context to a domain user, the service's user (cyg_server) must be a domain user with the rights outlined in 'ssh-host-config'. I'm not sure if it's a requirement that the 'sshd' user also be a domain user. I've never played with that.

I added a FAQ entry lately:
http://cygwin.com/faq/faq-nochunks.html#faq.using.sshd-in-domain

Corinna

--
Corinna Vinschen                  Please, send mails regarding Cygwin to
Cygwin Project Co-Leader          cygwin AT cygwin DOT com
Red Hat

--
Problem reports:       http://cygwin.com/problems.html
FAQ:                   http://cygwin.com/faq/
Documentation:         http://cygwin.com/docs.html
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple
Re: ssh problem using publickey in domain environment
On 02/24/2010 02:13 AM, Corinna Vinschen wrote:
> On Feb 23 12:35, Larry Hall (Cygwin) wrote:
>> On 02/23/2010 12:01 PM, Jukka Inkeri wrote:
>>> If your server is member of domain, howto make users, sshd, (which order) ... without setuid problem when using publickey auth ?
>>> cyg_server and sshd - domain user or local or both, ???
>>
>> In order for the SSH server to switch user context to a domain user, the service's user (cyg_server) must be a domain user with the rights outlined in 'ssh-host-config'. I'm not sure if it's a requirement that the 'sshd' user also be a domain user. I've never played with that.
>
> I added a FAQ entry lately:
> http://cygwin.com/faq/faq-nochunks.html#faq.using.sshd-in-domain

You might want to change that to:

$ mkpasswd -l -d your_domain /etc/passwd
$ mkgroup -l -d your_domain /etc/group

so as not to destroy whatever the user had in /etc/{passwd,group}.

--
Andrew DeFaria http://defaria.com
I didn't fight my way to the top of the food chain to be a vegetarian.
Re: ssh problem using publickey in domain environment
On Feb 24 07:44, Andrew DeFaria wrote:
> On 02/24/2010 02:13 AM, Corinna Vinschen wrote:
>> On Feb 23 12:35, Larry Hall (Cygwin) wrote:
>>> On 02/23/2010 12:01 PM, Jukka Inkeri wrote:
>>>> If your server is member of domain, howto make users, sshd, (which order) ... without setuid problem when using publickey auth ?
>>>> cyg_server and sshd - domain user or local or both, ???
>>>
>>> In order for the SSH server to switch user context to a domain user, the service's user (cyg_server) must be a domain user with the rights outlined in 'ssh-host-config'. I'm not sure if it's a requirement that the 'sshd' user also be a domain user. I've never played with that.
>>
>> I added a FAQ entry lately:
>> http://cygwin.com/faq/faq-nochunks.html#faq.using.sshd-in-domain
>
> You might want to change that to:
>
> $ mkpasswd -l -d your_domain /etc/passwd
> $ mkgroup -l -d your_domain /etc/group
>
> so as not to destroy whatever the user had in /etc/{passwd,group}.

IMHO that's not a good idea. The passwd and group files should be regenerated at this point to get a stable, well-defined state, and then you can re-add any local changes at your heart's content. YMMV, of course.

Corinna

--
Corinna Vinschen                  Please, send mails regarding Cygwin to
Cygwin Project Co-Leader          cygwin AT cygwin DOT com
Red Hat
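
Added example (not from the thread or the Cygwin project): a POSIX shell helper for the workflow described in the message above, regenerating the files and then re-adding local changes. Given a backup of the old passwd file and the regenerated one, it lists entries that were lost or whose home directory or shell changed. The function names and the sample entries are constructed for illustration.

```shell
#!/bin/sh
# passwd_local_changes OLD NEW   (hypothetical helper, not a Cygwin tool)
# OLD is a backup of /etc/passwd taken before regeneration, NEW is the
# regenerated file. Prints the OLD entries that need manual review:
#   missing: user is no longer present in NEW
#   changed: user exists in NEW but home directory or shell differ
passwd_local_changes() {
    awk -F: '
        NR == FNR { seen[$1] = 1; home[$1] = $6; shell[$1] = $7; next }
        !($1 in seen) { print "missing: " $0; next }
        $6 != home[$1] || $7 != shell[$1] { print "changed: " $0 }
    ' "$2" "$1"
}

# Constructed sample data: a backup with one hand-added account and one
# customized shell, and a freshly regenerated file without them.
demo_passwd_local_changes() {
    tmp=$(mktemp -d) || return 1
    cat > "$tmp/passwd.bak" <<'EOF'
SYSTEM:*:18:544:,S-1-5-18::
cyg_server:unused:1006:513:U-HOST\cyg_server,S-1-5-21-1-2-3-1006:/var/empty:/bin/false
alice:unused:11001:10513:U-EXAMPLE\alice,S-1-5-21-4-5-6-1001:/home/alice:/bin/zsh
svc_backup:unused:1010:513:hand-added entry:/home/svc_backup:/bin/bash
EOF
    cat > "$tmp/passwd" <<'EOF'
SYSTEM:*:18:544:,S-1-5-18::
cyg_server:unused:1006:513:U-HOST\cyg_server,S-1-5-21-1-2-3-1006:/var/empty:/bin/false
alice:unused:11001:10513:U-EXAMPLE\alice,S-1-5-21-4-5-6-1001:/home/alice:/bin/bash
EOF
    passwd_local_changes "$tmp/passwd.bak" "$tmp/passwd"
    rm -rf "$tmp"
}

demo_passwd_local_changes
```

The same comparison works for /etc/group if you only care about missing entries, since the group file has no home or shell fields.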
Re: ssh problem using publickey in domain environment
On 02/24/2010 08:48 AM, Corinna Vinschen wrote:
> On Feb 24 07:44, Andrew DeFaria wrote:
>> On 02/24/2010 02:13 AM, Corinna Vinschen wrote:
>>> On Feb 23 12:35, Larry Hall (Cygwin) wrote:
>>>> On 02/23/2010 12:01 PM, Jukka Inkeri wrote:
>>>>> If your server is member of domain, howto make users, sshd, (which order) ... without setuid problem when using publickey auth ?
>>>>> cyg_server and sshd - domain user or local or both, ???
>>>>
>>>> In order for the SSH server to switch user context to a domain user, the service's user (cyg_server) must be a domain user with the rights outlined in 'ssh-host-config'. I'm not sure if it's a requirement that the 'sshd' user also be a domain user. I've never played with that.
>>>
>>> I added a FAQ entry lately:
>>> http://cygwin.com/faq/faq-nochunks.html#faq.using.sshd-in-domain
>>
>> You might want to change that to:
>>
>> $ mkpasswd -l -d your_domain /etc/passwd
>> $ mkgroup -l -d your_domain /etc/group
>>
>> so as not to destroy whatever the user had in /etc/{passwd,group}.
>
> IMHO that's not a good idea. The passwd and group files should be regenerated at this point to get a stable, well-defined state, and then you can re-add any local changes at your heart's content. YMMV, of course.

I mistyped. If all that was really required was getting cyg_server in there then perhaps -u cyg_server should have been used. In any event I think you should point out that this will replace the current /etc/{passwd,group}.

--
Andrew DeFaria http://defaria.com
What was the best thing before sliced bread?
Re: ssh problem using publickey in domain environment
On 02/24/2010 05:13 AM, Corinna Vinschen wrote:
> On Feb 23 12:35, Larry Hall (Cygwin) wrote:
>> On 02/23/2010 12:01 PM, Jukka Inkeri wrote:
>>> If your server is member of domain, howto make users, sshd, (which order) ... without setuid problem when using publickey auth ?
>>> cyg_server and sshd - domain user or local or both, ???
>>
>> In order for the SSH server to switch user context to a domain user, the service's user (cyg_server) must be a domain user with the rights outlined in 'ssh-host-config'. I'm not sure if it's a requirement that the 'sshd' user also be a domain user. I've never played with that.
>
> I added a FAQ entry lately:
> http://cygwin.com/faq/faq-nochunks.html#faq.using.sshd-in-domain

Many thanks. :-)

--
Larry Hall                              http://www.rfk.com
RFK Partners, Inc.                      (508) 893-9779 - RFK Office
216 Dalton Rd.                          (508) 893-9889 - FAX
Holliston, MA 01746
_
A: Yes.
> Q: Are you sure?
>> A: Because it reverses the logical flow of conversation.
>>> Q: Why is top posting annoying in email?
ssh problem using publickey in domain environment
I have read this mailing list and many other good pages how to setup sshd in cygwin environment. I have installed many sshd cygwin servers, but last some servers I have been publickey auth problem. Basic model works fine, but in the domain environment has been some problems. Today I found some answer, but not all.

If I have used ex. win2003 (or win2008r2) servers and those are member of domain and domain controller then

ssh-host-config -y
net start sshd

works fine, you can use password or rsa publickey auth, no problem. cyg_server and sshd are domain users, works fine.

But if your server is member of domain, but not domain controller, then publickey not work, setsuid problem. In this case server can use local and domain users. Controller use only domain users.

Today I found dirty solution, I added also local user and it works fine also with publickey auth. cyg_server and sshd are local users and user is also local, works fine. But not using domain users ?

mkpasswd -l ...
mkpasswd -d domain ...

Why it works if your server is domain controller, but not if you have only member of domain ?
- setting privileges ? ex. SeAssignPrimaryTokenPrivilege

If your server is member of domain, howto make users, sshd, (which order) ... without setuid problem when using publickey auth ?
cyg_server and sshd - domain user or local or both, ???

-jukka-
Re: ssh problem using publickey in domain environment
On 02/23/2010 12:01 PM, Jukka Inkeri wrote:
> If your server is member of domain, howto make users, sshd, (which order) ... without setuid problem when using publickey auth ?
> cyg_server and sshd - domain user or local or both, ???

In order for the SSH server to switch user context to a domain user, the service's user (cyg_server) must be a domain user with the rights outlined in 'ssh-host-config'. I'm not sure if it's a requirement that the 'sshd' user also be a domain user. I've never played with that.

--
Larry Hall                              http://www.rfk.com
RFK Partners, Inc.                      (508) 893-9779 - RFK Office
216 Dalton Rd.                          (508) 893-9889 - FAX
Holliston, MA 01746
_
A: Yes.
> Q: Are you sure?
>> A: Because it reverses the logical flow of conversation.
>>> Q: Why is top posting annoying in email?