This is the mail archive of the cygwin mailing list for the Cygwin project.



RE: can't achieve password-less ssh authentication when my home directory is on a network file server


Thanks for the quick response.

>
> John,
>
> Please configure your mailer to wrap long lines.  Thanks.  More below.

Sorry about that. My mail anonymizer (Sneakemail) strips returns from
messages composed in its text body input box. You have reformatted the
message correctly.

>
> On Fri, 28 Feb 2004 ncokwqc02<at>sneakemail<dot>com wrote:
>
> > Here's the scenario:
> >
> > I have Cygwin installed and the OpenSSH daemon running on a PC (let's
> > call it 'Alpha') and I have an account in the Windows NT domain of which
> > 'Alpha' is a member. I log onto 'Alpha' and all the other workstations
> > in this domain with the same password. 'Alpha' can access its local disk
> > (the usual 'c:') as well as a network drive (accessible at
> > '//Filer/...').
> >
> > I also have Cygwin installed on another PC (let's call it 'Beta') and I
> > would like to achieve password-less 'ssh' access from 'Beta' to 'Alpha'.
> >
> > Both 'Alpha' and 'Beta' have 'rsa' public/private keys.
> >
> > I have no problem achieving my objective if 1) my home directory (as
> > specified in 'Alpha:/etc/passwd') is '/home/john', and 2)
> > 'Beta:/home/john/.ssh/known_hosts' includes the 'id_rsa.pub' file from
> > 'Alpha:/home/john/.ssh', and 3) 'Alpha:/home/john/.ssh/authorized_keys2'
> > includes the 'id_rsa.pub' file from 'Beta:/home/john/.ssh'. Note that
> > for both 'Alpha' and 'Beta', '/' is the Cygwin mount point for
> > 'c:/cygwin'. The only drawback to this procedure is that when I 'ssh'
> > from 'Beta' to 'Alpha' this way, **I CAN'T ACCESS** any files on
> > '//Filer'. Such access is critical for my application.
> >
> > On the other hand, if 1) my home directory (as specified in
> > 'Alpha:/etc/passwd') is on the network file server at
> > '//Filer/home/john', and 2) 'Beta:/home/john/.ssh/known_hosts' includes
> > the 'id_rsa.pub' file from '//Filer/home/john/.ssh', and 3)
> > '//Filer/home/john/.ssh/authorized_keys2' includes the 'id_rsa.pub' file
> > from 'Beta:/home/john/.ssh', then **I DO HAVE ACCESS** to the files on
> > '//Filer' as well as the local files on 'c:' (aka '/cygdrive/c'). The
> > only problem is that, in this case, the 'ssh' authentication process
> > asks me to enter my password each time.
> >
> > I don't understand why 'Alpha' and 'Beta' are interacting this way
> > because various other Linux and UNIX clients configured similarly are
> > able to achieve password-less access to 'Alpha' without any trouble.
> >
> > So my question is this: How do I modify the file(s) on 'Alpha' or on
> > '//Filer' to obtain password-less access from 'Beta' to 'Alpha' when the
> > password file on 'Alpha' says '//Filer/john' is my home directory?
> >
> > Any help would be appreciated.
> >
> > Thanks,
> > john
>
> Sorry, no can do[*].  This is the way Windows/Samba shares (and other
> authenticated mounts, e.g., DFS) work.  To access the directory, you need
> a valid token with a password, otherwise the remote machine won't trust
> it.  To find out that you allow passwordless authentication, you need to
> access the directory, which you can't without a password.  FWIW, I ran
> into the same problem on AIX (with DFS).
>

I had read lots of previous posts on this topic and should have realized the
futility of the endeavor. I guess that when I found that setting the HOME
directory in '/etc/passwd' to a directory on the remote drive made it
possible to ssh into 'Alpha' and still have simultaneous access to the local
and remote drives, I thought the objective of password-less ssh access might
be simultaneously achievable.

> [*] I can think of a couple of things to try, but don't think either will
> work too well:
> - If you have control over the //Filer share, you might try to make the
> share public (i.e., accessible to anyone).  I'd say that this cure is
> worse than the disease, though...

No way I can do that.

> - Create a local home directory (e.g. /home/john); mount the remote
> directory (//Filer) onto it; then mount c:\cygwin\home\john\.ssh onto
> /home/john/.ssh.

I want to make sure I understand your suggestion. Does it amount to doing
the following on 'Alpha'?
	mkdir /home/john
	mount //Filer/john /home/john
	mount c:\cygwin\home\john\.ssh /home/john/.ssh

In this case my home directory is at '//Filer/john'.

> In theory, this should allow you to keep a local (and
> therefore accessible without a password) copy of the .ssh directory, while
> the rest of your files are on the Samba share.  The caveat, of course, is
> that you won't be able to access the remote .ssh directory, if there is
> one.  Also, make sure the mounts are all system mounts, so sshd can pick
> them up.
>
> Please let us know if either works for you.
> 	Igor
> --
> 				http://cs.nyu.edu/~pechtcha/
>       |\      _,,,---,,_		pechtcha@cs.nyu.edu
> ZZZzz /,`.-'`'    -.  ;-;;,_		igor@watson.ibm.com
>      |,4-  ) )-,_. ,\ (  `'-'		Igor Pechtchanski, Ph.D.
>     '---''(_/--'  `-'\_) fL	a.k.a JaguaR-R-R-r-r-r-.-.-.  Meow!
>
> "I have since come to realize that being between your mentor and his route
> to the bathroom is a major career booster."  -- Patrick Naughton
>

BTW, on a related, but slightly different topic, I didn't even get to this
point until I solved the problem of 'cygrunsrv -S sshd' resulting in 'Error
1062'. Thank goodness for 'log' files! When I finally looked at
'/var/log/sshd.log' I saw it filled with repetitions of the message
	"/var/empty must be owned by root and not group or world-writable."
Indeed '/var/empty' was owned by 'john:Users'. After I changed it to
'SYSTEM:root', I was able to start 'sshd'. I don't understand why the
'/var/empty' directory created by '/bin/ssh-host-config' didn't have the
right ownership. But it didn't.


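The "/var/empty must be owned by root and not group or world-writable" failure at the end of the message is sshd refusing to start because its privilege-separation directory fails two checks: owner and group/world write bits. The script below is an added example, not code from the thread or from the OpenSSH/Cygwin projects: it reproduces those two conditions in POSIX sh using `ls -ld`, so the cause can be read from a shell before looking at `/var/log/sshd.log`. The expected owner defaults to `root`; on a Cygwin host it should be passed as `SYSTEM`, which is the ownership the poster ended up with. `fix_privsep_dir` is a hypothetical helper that applies the same correction the poster made (clear the write bits, chown when running with privileges) and re-checks.

```shell
#!/bin/sh
# Added example (not from the thread): reproduce the ownership and
# permission checks sshd applies to its privilege-separation directory
# (/var/empty in the quoted log message) so the failure can be diagnosed
# from a shell.  Assumptions: POSIX sh and `ls -ld`; expected owner defaults
# to root and should be given as SYSTEM on Cygwin.

check_privsep_dir() {
    dir=$1
    expected_owner=${2:-root}

    if [ ! -d "$dir" ]; then
        echo "$dir: not a directory" >&2
        return 1
    fi

    # `ls -ld` prints: mode links owner group size date name
    set -- $(ls -ld "$dir")
    mode=$1
    owner=$3
    status=0

    if [ "$owner" != "$expected_owner" ]; then
        echo "$dir: owned by $owner, expected $expected_owner" >&2
        status=1
    fi

    # Position 6 of the mode string is the group write bit and position 9
    # the world write bit; sshd rejects the directory if either is set.
    case $mode in
        ?????w*)    echo "$dir: group-writable ($mode)" >&2; status=1 ;;
    esac
    case $mode in
        ????????w*) echo "$dir: world-writable ($mode)" >&2; status=1 ;;
    esac

    [ "$status" -eq 0 ] && echo "$dir: ok (owner $owner, mode $mode)"
    return "$status"
}

# Hypothetical helper: apply the fix the poster made, then re-check.
# chown needs privileges, so it is only attempted as the superuser.
fix_privsep_dir() {
    dir=$1
    expected_owner=${2:-root}
    chmod go-w "$dir" || return 1
    if [ "$(id -u)" -eq 0 ]; then
        chown "$expected_owner" "$dir" || return 1
    fi
    check_privsep_dir "$dir" "$expected_owner"
}

# Usage:
#   check_privsep_dir /var/empty           # Linux/BSD sshd
#   check_privsep_dir /var/empty SYSTEM    # Cygwin sshd
```

Run it against the directory named in the sshd log; a non-zero exit with a message on stderr identifies which of the two conditions is violated, which is the information the poster had to dig out of the repeated log line.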

