On Jun 25 20:06, Achim Gratz wrote:
> Corinna Vinschen writes:
> > You read my preliminary doc, I hope?  I attached it again, for
> > completeness.  But, here's what happens:
>
> I guess I read it at one time, but not specifically today. :-)
>
> > If you're in a domain, and the sshd user account is local, the local
> > sshd account will be prefixed with the local machine name, like this:
> >
> >   MACHINE+sshd
> >
> > OpenSSH's sshd looks for an account called "sshd", so in the above
> > scenario, it will fail to find sshd.  There are three workarounds:
>
> The fourth:
>
>   mkpasswd -l | awk '/sshd:/{gsub("^[^+]*\\+", "");print;}' >> /etc/passwd

I was specifically talking about workarounds *not* involving generating
an /etc/passwd entry.

> > - Switch off privilege separation in /etc/sshd_config.
>
> Not going to do that if I can help it.  Doesn't work as intended anyway
> due to the lack of descriptor passing in Cygwin.

I never use it if I can help it.

> > - Create an unprivileged "sshd" user in your primary domain.  Since
> >   this account is unprefixed by default, sshd will find the user
> >   account and happily use it.
>
> That might actually be the best idea since the account doesn't need any
> privileges at all.  I'll have to ask our domain admins.

It's a good thing in the long run since you never have to care for the
sshd account for all machines in the same domain.

> > - Build your own OpenSSH package with the following patch applied:
>
> With the workarounds available, I'm not trying.
>
> > I have not the faintest idea how to get Kerberos auth working with
> > OpenSSH, sorry.  The problem in case of using the AD stuff might be
> > related to the username prefixing.  Kerberos probably doesn't understand
> > the prefix separator char (the '+' sign by default).
>
> At the moment the problem seems to be that some part of the necessary
> config is missing.  I'm getting into the right realm, but then things
> fall apart.
>
> >> Putting the public keys elsewhere would also work,
> >> but it isn't clear to me how to configure that.
>
> N.B.: This can be done in /etc/sshd_config with an absolute path and
> judicious use of the %u token.  Doesn't help though, since after logging
> in via public key the user doesn't have an LDAP ticket and is thus
> unable to have the home share mounted.  This appeared to work during the
> initial test since the server still had a ticket cached from a previous
> RDP session.

This is what method 3 is for, as described in the below link.

> > Does it work better with the passwd -R method?
> >
> > https://cygwin.com/cygwin-ug-net/ntsec.html#ntsec-nopasswd3
>
> I didn't get it to work yet.  I suppose that I need to somehow pass
> "CYGWIN=ntsec" environment via cygrunsrv?

Huh?  How long have you been using Cygwin again?  The ntsec option has
gone with Cygwin 1.7 ages ago.  That's what the user's guide is for...

https://cygwin.com/cygwin-ug-net/using-cygwinenv.html#cygwinenv-removed-options

Just run cygserver and every user can do it, otherwise enter the password
for the user with `passwd -R <username>' as admin.

> My initial config had CYGWIN
> empty, which probably means I'll have to re-install the service.

No.

> BTW,
> I've managed to go through some SIDs until I've had a working config, is
> there any way to reset this counter when deleting a user?

No.

> Do I read this correctly that the password itself gets stored and not an
> NTLM(v2) hash?

No.


Corinna

--
Corinna Vinschen                  Please, send mails regarding Cygwin to
Cygwin Maintainer                 cygwin AT cygwin DOT com
Red Hat
pgpj34J2ySG_O.pgp
Description: PGP signature
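The "fourth workaround" quoted in the message above (pull the local "MACHINE+sshd" entry out of `mkpasswd -l` output, strip the machine prefix, append it to /etc/passwd) is worth doing a little more carefully than the one-liner does, because whatever lands in /etc/passwd is the identity sshd will run its unprivileged privsep child as. The function below is an added example, not code from the thread or from the Cygwin project: it matches the account name exactly instead of matching "sshd:" anywhere on the line, and it prints nothing (and returns non-zero) when the account is missing or when more than one line could be meant. The function name is made up, the sample `mkpasswd -l` lines are constructed with invented SIDs and IDs, and it assumes Cygwin's default '+' prefix separator.

```shell
# Added example; not code from the thread or from the Cygwin project.
# Same job as the awk one-liner in the message above, with two checks the
# one-liner lacks: the account name must match exactly (the one-liner's
# /sshd:/ also fires on a GECOS or home field containing "sshd:"), and
# nothing is printed if zero or several lines match.
# Assumption: the prefix separator is Cygwin's default '+'.

unprefixed_passwd_entry() {
    # usage: mkpasswd -l | unprefixed_passwd_entry sshd
    # exit status: 0 = one entry printed, 1 = account not found, 2 = ambiguous
    awk -F: -v OFS=: -v u="$1" '
        BEGIN { found = 0 }
        {
            name = $1
            sub(/^[^+]*\+/, "", name)   # strip "MACHINE+" (or "DOMAIN+") if present
            if (name == u) {
                $1 = name               # rebuild the line with the bare name
                line = $0
                found++
            }
        }
        END {
            if (found == 1) { print line; exit 0 }
            if (found == 0) exit 1
            exit 2                      # more than one candidate: do not guess
        }'
}

# Constructed sample of what `mkpasswd -l` might print on a domain-joined
# host; SIDs and IDs are made up.  A primary-domain user shows up
# unprefixed, local accounts carry the machine-name prefix.
SAMPLE_PASSWD='achim:*:1049076:1049089:U-DOMAIN\achim,S-1-5-21-1-2-3-1108:/home/achim:/bin/bash
MACHINE+sshd:*:1003:513:sshd privsep,U-MACHINE\sshd,S-1-5-21-4-5-6-1003:/var/empty:/bin/false
MACHINE+cyg_server:*:1004:513:Privileged server,U-MACHINE\cyg_server,S-1-5-21-4-5-6-1004:/var/empty:/bin/bash'

# Demo: prints the sshd line with the prefix removed.  On a real host you
# would feed it `mkpasswd -l` and append the output to /etc/passwd.
printf '%s\n' "$SAMPLE_PASSWD" | unprefixed_passwd_entry sshd
```

Because the function prints nothing unless exactly one line matched, `mkpasswd -l | unprefixed_passwd_entry sshd >> /etc/passwd` can never append a wrong or duplicate entry; check `$?` afterwards to tell "not found" (1) from "ambiguous" (2). The GECOS field, including the `U-MACHINE\sshd` part, is left as `mkpasswd` printed it, only the first field changes.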