Hi again,
Has anyone got any idea on how to solve this? Do you know of *any*
Windows 2008 Server Standard Cygwin installation which is used as an
SSH-server where the users are able to login using a passwordless
public key? I'm beginning to suspect that it's just not possible with
this kind of Windows installation, which would be quite a problem.
Best and quite desperate regards,
Kent Larsson
2010/4/7 Kent Larsson <kent.lars...@euroling.se>:
> Hi,
>
> I'm having problems logging in to a Windows Server 2008 Standard
> machine using a password-less public key and I feel that I'm getting
> nowhere closer to solving it. Despite my attempts the log in always
> results in asking for my account password. Logging in using a password
> works well, but I really need to log in using my public.
>
> What I've done is:
> 1. Turing DEP off by: bcdedit.exe /set {current} nx AlwaysOff
> 2. Installing Cygwin
> 3. Execute /usr/bin/cyglsa-config to use "Switching the user context
> without password, Method 2: LSA authentication package" from
> http://cygwin.com/cygwin-ug-net/ntsec.html followed by a computer
> restart
> 4. Added the row "CYGWIN=binmode tty ntsec" (without ") to
> c:\cygwin\Cygwin.bat
> 5. Execute "ssh-host-config" choosing the defaults, I wrote "binmode
> tty ntsec" when asked for the CYGWIN contents
>
> After that, the system has been restarted numerous times. I also have
> "Cron deamon" running, under a domain account. But I don't think it
> affects the issue. I'm able to log in using a password, but not using
> a public key. Also the su command doesn't work, it asks me for a
> password when issuing it and always respons with "su: /bin/bash:
> Permission denied", that one might be related?
>
> Below are some output which might make it easier to know what's wrong
> divided into ** headlines **.
>
> Thank you for reading! I hope someone has a tip or two. Any help is
> greatly appreciated! :-)
>
> Best regards,
> Kent Larsson
>
> ** bcdedit.exe **
>
> C:\Users\netdevel>bcdedit.exe
>
> Windows Boot Manager
> --------------------
> identifier {bootmgr}
> device partition=C:
> description Windows Boot Manager
> locale en-US
> inherit {globalsettings}
> default {current}
> displayorder {current}
> toolsdisplayorder {memdiag}
> timeout 30
> resume No
>
> Windows Boot Loader
> -------------------
> identifier {current}
> device partition=C:
> path \Windows\system32\winload.exe
> description Microsoft Windows Server 2008
> locale en-US
> inherit {bootloadersettings}
> osdevice partition=C:
> systemroot \Windows
> resumeobject {13f36e53-1fe7-11df-8fce-99bbadfdd430}
> nx AlwaysOff
>
> ** The ssh-host-config script and some thoughts **
>
> /usr/share/doc/Cygwin/openssh.README says:
> 1. The user which runs the "CYGWIN sshd"-service should have the rights:
> a. "Create a token object"
> b. "Logon as a service"
> c. "Replace a process level token"
> d. "Increase Quota"
> 2. The "ssh-host-config" script asks you, if it should create such an
> account, called "sshd_server" with the correct (above) rights.
> 3. Note that ssh-user-config sets the permissions on 2003 Server
> machines dependent of whether a sshd_server account exists or not.
>
> I don't understand [3] above and [2] doesn't seem to be quite right
> any more? As far as I can tell, when I ran the script and an account
> named "cyg_server" was created. The "CYGWIN sshd"-service is running
> under the created account.
>
> By logging on to the server and "Start / Administrative Tools / Local
> Security Policy / Local Policies / User Rights Assignment" I'm able to
> verify that the "cyg_server" which runs the "CYGWIN sshd"-service has
> the 1a,1b,1c rights. But the 1d (Increase Quota) can not be found
> under "User Rights Assignment". The two who start with "Increase" are
> "Increase a process working set" and "Increase scheduling priority".
> Neither of which the "cyg_server" account is assigned.
>
> What's different from the README above is the account name, and maybe
> the lack of "Increase Quota" (I have no idea where I should be able to
> find it if not where I looked, and if it really is necessary).
>
> ** Cygwin version **
>
> $ uname -a
> CYGWIN_NT-6.0 kentl 1.7.1(0.218/5/3) 2009-12-07 11:48 i686 Cygwin
>
> ** Installed Cygwin packages **
>
> $ cygcheck -c
> Cygwin Package Information
> Package Version Status
> _update-info-dir 00871-1 OK
> alternatives 1.3.30c-10 OK
> arj 3.10.22-1 OK
> aspell 0.60.5-1 OK
> aspell-en 6.0.0-1 OK
> aspell-sv 0.50.2-2 OK
> autossh 1.4b-1 OK
> base-cygwin 2.1-1 OK
> base-files 3.9-3 OK
> base-passwd 3.1-1 OK
> bash 3.2.49-23 OK
> bash-completion 1.1-2 OK
> bc 1.06-2 OK
> bzip2 1.0.5-10 OK
> cabextract 1.1-1 OK
> compface 1.5.2-1 OK
> coreutils 7.0-2 OK
> cron 4.1-59 OK
> crypt 1.1-1 OK
> csih 0.9.1-1 OK
> curl 7.19.6-1 OK
> cvs 1.12.13-10 OK
> cvsutils 0.2.5-1 OK
> cygrunsrv 1.34-1 OK
> cygutils 1.4.2-1 OK
> cygwin 1.7.1-1 OK
> cygwin-doc 1.5-1 OK
> cygwin-x-doc 1.1.0-1 OK
> dash 0.5.5.1-2 OK
> diffutils 2.8.7-2 OK
> doxygen 1.6.1-2 OK
> e2fsprogs 1.35-3 OK
> editrights 1.01-2 OK
> emacs 23.1-10 OK
> emacs-X11 23.1-10 OK
> file 5.04-1 OK
> findutils 4.5.5-1 OK
> flip 1.19-1 OK
> font-adobe-dpi75 1.0.1-1 OK
> font-alias 1.0.2-1 OK
> font-encodings 1.0.3-1 OK
> font-misc-misc 1.1.0-1 OK
> fontconfig 2.8.0-1 OK
> gamin 0.1.10-10 OK
> gawk 3.1.7-1 OK
> gettext 0.17-11 OK
> gnome-icon-theme 2.28.0-1 OK
> grep 2.5.4-2 OK
> groff 1.19.2-2 OK
> gvim 7.2.264-1 OK
> gzip 1.3.12-2 OK
> hicolor-icon-theme 0.11-1 OK
> inetutils 1.5-6 OK
> ipc-utils 1.0-1 OK
> keychain 2.6.8-1 OK
> less 429-1 OK
> libaspell15 0.60.5-1 OK
> libatk1.0_0 1.28.0-1 OK
> libaudio2 1.9.2-1 OK
> libbz2_1 1.0.5-10 OK
> libcairo2 1.8.8-1 OK
> libcurl4 7.19.6-1 OK
> libdb4.2 4.2.52.5-2 OK
> libdb4.5 4.5.20.2-2 OK
> libexpat1 2.0.1-1 OK
> libfam0 0.1.10-10 OK
> libfontconfig1 2.8.0-1 OK
> libfontenc1 1.0.5-1 OK
> libfreetype6 2.3.12-1 OK
> libgcc1 4.3.4-3 OK
> libgdbm4 1.8.3-20 OK
> libgdk_pixbuf2.0_0 2.18.6-1 OK
> libgif4 4.1.6-10 OK
> libGL1 7.6.1-1 OK
> libglib2.0_0 2.22.4-2 OK
> libglitz1 0.5.6-10 OK
> libgmp3 4.3.1-3 OK
> libgtk2.0_0 2.18.6-1 OK
> libICE6 1.0.6-1 OK
> libiconv2 1.13.1-1 OK
> libidn11 1.16-1 OK
> libintl3 0.14.5-1 OK
> libintl8 0.17-11 OK
> libjasper1 1.900.1-1 OK
> libjbig2 2.0-11 OK
> libjpeg62 6b-21 OK
> libjpeg7 7-10 OK
> liblzma1 4.999.9beta-10 OK
> libncurses10 5.7-18 OK
> libncurses8 5.5-10 OK
> libncurses9 5.7-16 OK
> libopenldap2_3_0 2.3.43-1 OK
> libpango1.0_0 1.26.2-1 OK
> libpcre0 8.00-1 OK
> libpixman1_0 0.16.6-1 OK
> libpng12 1.2.35-10 OK
> libpopt0 1.6.4-4 OK
> libpq5 8.2.11-1 OK
> libreadline6 5.2.14-12 OK
> libreadline7 6.0.3-2 OK
> libsasl2 2.1.19-3 OK
> libSM6 1.1.1-1 OK
> libssh2_1 1.2.2-1 OK
> libssp0 4.3.4-3 OK
> libstdc++6 4.3.4-3 OK
> libtiff5 3.9.2-1 OK
> libwrap0 7.6-20 OK
> libX11_6 1.3.3-1 OK
> libXau6 1.0.5-1 OK
> libXaw3d7 1.5D-8 OK
> libXaw7 1.0.7-1 OK
> libxcb-render-util0 0.3.6-1 OK
> libxcb-render0 1.5-1 OK
> libxcb1 1.5-1 OK
> libXcomposite1 0.4.1-1 OK
> libXcursor1 1.1.10-1 OK
> libXdamage1 1.1.2-1 OK
> libXdmcp6 1.0.3-1 OK
> libXext6 1.1.1-1 OK
> libXfixes3 4.0.4-1 OK
> libXft2 2.1.14-1 OK
> libXi6 1.3-1 OK
> libXinerama1 1.1-1 OK
> libxkbfile1 1.0.6-1 OK
> libxml2 2.7.6-1 OK
> libXmu6 1.0.5-1 OK
> libXmuu1 1.0.5-1 OK
> libXpm4 3.5.8-1 OK
> libXrandr2 1.3.0-10 OK
> libXrender1 0.9.5-1 OK
> libXt6 1.0.7-1 OK
> links 1.00pre20-1 OK
> login 1.10-10 OK
> luit 1.0.5-1 OK
> lynx 2.8.5-4 OK
> man 1.6e-1 OK
> minires 1.02-1 OK
> mkfontdir 1.0.5-1 OK
> mkfontscale 1.0.7-1 OK
> openssh 5.4p1-1 OK
> openssl 0.9.8m-1 OK
> patch 2.5.8-9 OK
> patchutils 0.3.1-1 OK
> perl 5.10.1-3 OK
> rebase 3.0.1-1 OK
> run 1.1.12-11 OK
> screen 4.0.3-5 OK
> sed 4.1.5-2 OK
> shared-mime-info 0.70-1 OK
> tar 1.22.90-1 OK
> terminfo 5.7_20091114-13 OK
> terminfo0 5.5_20061104-11 OK
> texinfo 4.13-3 OK
> tidy 041206-1 OK
> time 1.7-2 OK
> tzcode 2009k-1 OK
> unzip 6.0-10 OK
> util-linux 2.14.1-1 OK
> vim 7.2.264-2 OK
> wget 1.11.4-4 OK
> which 2.20-2 OK
> wput 0.6.1-2 OK
> xauth 1.0.4-1 OK
> xclipboard 1.1.0-1 OK
> xcursor-themes 1.0.2-1 OK
> xemacs 21.4.22-1 OK
> xemacs-emacs-common 21.4.22-1 OK
> xemacs-sumo 2007-04-27-1 OK
> xemacs-tags 21.4.22-1 OK
> xeyes 1.1.0-1 OK
> xinit 1.2.1-1 OK
> xinput 1.5.0-1 OK
> xkbcomp 1.1.1-1 OK
> xkeyboard-config 1.8-1 OK
> xkill 1.0.2-1 OK
> xmodmap 1.0.4-1 OK
> xorg-docs 1.5-1 OK
> xorg-server 1.7.6-2 OK
> xrdb 1.0.6-1 OK
> xset 1.1.0-1 OK
> xterm 255-1 OK
> xz 4.999.9beta-10 OK
> zip 3.0-11 OK
> zlib 1.2.3-10 OK
> zlib-devel 1.2.3-10 OK
> zlib0 1.2.3-10 OK
>
> ** sshd_config **
>
> $ cat /etc/sshd_config | sed -e 's/^[ \t]\+//g' | egrep -v '^#|^[
> \t]*$' # Show all lines of importance (not a comment, nor blank)
> Port 22
> Protocol 2
> StrictModes no
> RSAAuthentication yes
> PubkeyAuthentication yes
> AuthorizedKeysFile .ssh/authorized_keys
> AllowAgentForwarding yes
> AllowTcpForwarding yes
> GatewayPorts yes
> X11Forwarding yes
> X11DisplayOffset 10
> X11UseLocalhost no
> TCPKeepAlive yes
> UsePrivilegeSeparation yes
> Subsystem sftp /usr/sbin/sftp-server
>
--
Problem reports: http://cygwin.com/problems.html
FAQ: http://cygwin.com/faq/
Documentation: http://cygwin.com/docs.html
Unsubscribe info: http://cygwin.com/ml/#unsubscribe-simple
