Can an unauthenticated user access //sambaserver/username via Windows? If not, that's the real problem. You'll have to use password authentication unless you change the access. I'd be surprised if your problem is driven by directory/file permission issues anyway, since you have StrictModes turned off. Fiddling with permissions when they aren't being checked isn't going to do much AFAICS.
Larry

At 04:25 PM 10/24/2003, Hugh Brown you wrote:
>I have Cygwin and OpenSSH set up on a number of Win2K machines.
>Home directories for users are mounted via a FreeBSD-based Samba
>server named Whistler. SSH to the Win2K machines works without any
>problems *except* for key-based authentication where the
>~/.ssh/authorized_keys file is in a Samba-mounted home directory.
>
>I found email from Brian Hayward
>(http://sources.redhat.com/ml/cygwin/2003-10/msg00479.html) from a
>couple of weeks ago, which seems pretty similar. However, when I
>try the solution (running "setfacl -m u:system:r-- ~ ~/.ssh
>~/.ssh/authorized_keys", where ~ is a Samba-mounted home directory),
>I get an error message that says "Function not implemented." I
>don't get this error message when I try it on a local home directory,
>like /home/administrator. (I've also tried appending keys in
>authorized_keys2 to authorized_keys, without any more success.)
>
>I *have* been able to get key-based authentication to work if I set
>up a home directory for the user on the Win2K machine. In other
>words, I change the home directory listed in /etc/passwd from
>"//sambaserver/username" to "/home/username", create the directory,
>and copy over the user's .ssh directory. However, at this point
>they no longer have access to their home directory, so it's less
>than ideal. And for the record, password-based authentication works
>without any problem at all.
>
>On the Samba server, some home directories are mounted via NFS from
>other FreeBSD machines via amd, and some are on the machine itself;
>this doesn't seem to make any difference -- key-based authentication
>keeps failing.
>
>I thought it might be a problem with symlinks
>(http://www.cygwin.com/faq/faq_4.html#SEC69). To test, I tried
>setting my home directory in Cygwin's /etc/passwd to a temporary
>directory on Whistler (one that was not mounted via AMD, and had
>no symbolic links at all) and copying the
>.ssh directory in there; it still didn't work.
>
>Here's the debug log from the ssh daemon when I try to log in:
>
>debug1: userauth-request for user hbrown service ssh-connection method publickey
>debug1: attempt 1 failures 1
>debug2: input_userauth_request: try method publickey
>debug1: test whether pkalg/pkblob are acceptable
>debug3: mm_key_allowed entering
>debug3: mm_request_send entering: type 20
>debug3: monitor_read: checking request 20
>debug3: mm_answer_keyallowed entering
>debug3: mm_answer_keyallowed: key_from_blob: 0x100f4888
>debug1: temporarily_use_uid: 13044/545 (e=18/18)
>debug1: trying public key file //whistler/hbrown/.ssh/authorized_keys
>debug3: mm_key_allowed: waiting for MONITOR_ANS_KEYALLOWED
>debug3: mm_request_receive_expect entering: type 21
>debug3: mm_request_receive entering
>debug1: restore_uid: (unprivileged)
>debug1: temporarily_use_uid: 13044/545 (e=18/18)
>debug1: trying public key file //whistler/hbrown/.ssh/authorized_keys2
>debug1: restore_uid: (unprivileged)
>debug3: mm_answer_keyallowed: key 0x100f4888 is disallowed
>debug3: mm_request_send entering: type 21
>debug2: userauth_pubkey: authenticated 0 pkalg ssh-rsa
>Failed publickey for hbrown from 192.168.0.80 port 2621 ssh2
>
>Directory permissions for ~hbrown, listed in Cygwin:
>
>  $ ls -ld .ssh
>  drwxr-xr-x 2 hbrown Users 0 Oct 23 13:31 .ssh
>
>  $ ls -ld .ssh/authorized_keys*
>  -rw-r--r-- 1 hbrown Users 3894 Oct 23 16:08 .ssh/authorized_keys
>  -rw-r--r-- 1 hbrown Users 1221 Oct 23 15:55 .ssh/authorized_keys2
>
>And the options in sshd_config that are not commented out:
>
>Port 22
>StrictModes no
>UsePrivilegeSeparation yes
>Subsystem sftp /usr/sbin/sftp-server
>
>Finally, I've attached the output of cygcheck -s -v -r.
>
>Thanks in advance for any help you can give me, and please let me
>know if I've left anything out.
>
>--
>Hugh Brown
>[EMAIL PROTECTED]
>
>--
>Unsubscribe info: http://cygwin.com/ml/#unsubscribe-simple
>Problem reports: http://cygwin.com/problems.html
>Documentation: http://cygwin.com/docs.html
>FAQ: http://cygwin.com/faq/
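
An added triage example (not part of the original messages, and not code from Cygwin or OpenSSH): it groups the "trying public key file" lines of an sshd debug log with the verdict that follows and reports rejected attempts where every key file sat on a network share, which is the case the reply above points at. It assumes the debug format quoted in the message; the sample log and the function names are constructed for illustration, and since the log does not say whether a file was unreadable or simply held no matching key, the result is a hint to check share access, not a diagnosis.

```python
import re

# Constructed sample in the sshd debug format quoted in the message above;
# the second attempt (local home, key accepted) is invented for contrast.
SAMPLE_LOG = """\
debug1: trying public key file //whistler/hbrown/.ssh/authorized_keys
debug1: restore_uid: (unprivileged)
debug1: trying public key file //whistler/hbrown/.ssh/authorized_keys2
debug1: restore_uid: (unprivileged)
debug3: mm_answer_keyallowed: key 0x100f4888 is disallowed
Failed publickey for hbrown from 192.168.0.80 port 2621 ssh2
debug1: trying public key file /home/administrator/.ssh/authorized_keys
debug3: mm_answer_keyallowed: key 0x100f4999 is allowed
"""

TRY_RE = re.compile(r"trying public key file (\S+)")
VERDICT_RE = re.compile(r"mm_answer_keyallowed: key (\S+) is (allowed|disallowed)")


def is_network_path(path):
    """True for UNC-style paths such as //server/share."""
    return path.startswith("//") or path.startswith("\\\\")


def parse_attempts(log):
    """Group the key files sshd tried with the verdict that followed them."""
    attempts, tried = [], []
    for line in log.splitlines():
        m = TRY_RE.search(line)
        if m:
            tried.append(m.group(1))
            continue
        m = VERDICT_RE.search(line)
        if m:
            attempts.append({"key": m.group(1),
                             "allowed": m.group(2) == "allowed",
                             "files": tried})
            tried = []
    return attempts


def share_suspects(log):
    """Rejected attempts where every key file tried sat on a network share."""
    return [a for a in parse_attempts(log)
            if not a["allowed"] and a["files"]
            and all(is_network_path(f) for f in a["files"])]


if __name__ == "__main__":
    for a in share_suspects(SAMPLE_LOG):
        print("key", a["key"], "rejected; files tried only on a share:", a["files"])
        print("  check that the sshd service account can read them without a password")
```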