This is the mail archive of the cygwin mailing list for the Cygwin project.



Re: SUMMARY sort of: OpenSSH public key authentication woes


At 03:48 AM 4/28/2004, you wrote:
>On Wed, 28 Apr 2004 01:33 am, Larry Hall wrote:
>> At 11:21 AM 4/27/2004, you wrote:
>> >On Tue, 27 Apr 2004, Greg Rudd wrote:
>> >> On Tue, 27 Apr 2004 02:12 am, Karl M wrote:
>> >> > Hi Greg...
>> >> >
>> >> > Try setting your authorized_keys to 644 for now. If that doesn't work,
>> >> > take a look at the problem reporting section on the Cygwin web page.
>> >> > This list would need more information to help further.
>> >>
>> >> Doing the above does allow a local user to public key authenticate :-)
>> >> but when I try to do the same thing with a domain user public key still
>> >> fails but what is interesting is when I try to set the acl's for the
>> >> .ssh directory to be the same as the local users the setfacl command
>> >> fails with an error message setfacl function not implemented.  I notice
>> >> that this message comes up when the ssh-user-config command is run for
>> >> the first time.
>> >>
>> >> Is this error message occurring because the domain user's home directory
>> >> is mapped to a UNC (which in this case is //machine/grudd) instead of a
>> >> path name in the form of "/home/grudd"?
>> >
>> >Most likely.  Add "smbntsec" to your CYGWIN environment variable.  Also,
>> >you can hide the fact that it's on a remote machine by using "mount -s
>> >//machine/grudd /home/grudd".
>> >HTH,
>> >    Igor
>>
>Thanks Igor works like a charm.
>
>> But (anticipating the next question) the domain user won't be able to see
>> your share through ssh and pubkey authentication unless it doesn't require
>> Windows authentication to access it (i.e. it's accessible by "Everyone").
>>
>Hi Larry
>
>Correct me if I am wrong, but what you are in fact saying is that a domain user
>(who when using password authentication is authenticating against a
>PDC/Active Directory Server) whose home directory is mapped to a UNC won't
>be able to use publickey without making their home directory open to all
>(this is a bad thing). So the way forward here would be to define the user as a
>local user to the machine and have their home directory mapped to the UNC.


Actually, you're saying more than I did.  I was saying pubkey authentication
won't work for "non-public" shares.  With some experimentation prompted by
your reply, I've found that with "smbntsec" set in the CYGWIN environment 
variable passed as a parameter to the sshd service, I can use pubkey 
authentication with some "non-public" shares (share of a local directory 
when sshing to the local machine) but not others (share of a remote directory
when sshing to the local machine).  I don't believe that mounting is of any
significance.  In my tests, I tried it both ways (when mounting I used 
'system') and the results were not affected.  These tests were not 
exhaustive.  I also believe that the working case I found is "uninteresting" 
and expected since I'm sshing to the same machine that's providing the share 
and I'm logged into that machine as an authenticated Windows domain user.  
That's not true for the remote share I tested.  So, AFAICT, my original 
statement is still at least a good "rule of thumb", unless you
have a specific example that you'd like to share (no pun intended) that 
indicates otherwise.  If that's the case, please provide details.


>Also it is interesting to look at the debug messages from the sshd: when the
>local user logs in using publickey, the public key is read without any problem,
>but the debug messages from the ssh daemon when the domain user logs in
>recognize the existence of the key but refuse to accept it.


Right.  I'd expect this to be the case.


--
Larry Hall                              http://www.rfk.com
RFK Partners, Inc.                      (508) 893-9779 - RFK Office
838 Washington Street                   (508) 893-9889 - FAX
Holliston, MA 01746                     
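The thread turns on sshd finding a key but refusing it because of ownership or permission problems on the home directory, ~/.ssh and ~/.ssh/authorized_keys (the 644 advice, and the domain user whose UNC-mapped home fails while a local user succeeds). The script below is an added example, not code from the thread or from the Cygwin or OpenSSH projects: it reproduces the checks sshd's StrictModes applies to those three paths so you can see which one would make the key be rejected before reading sshd's debug output. It assumes GNU coreutils `stat -c` (present on Cygwin and Linux) and a filesystem that reports POSIX ownership to Cygwin; for an SMB share that is what the "smbntsec" setting discussed above is for, so on a UNC home without it the owner check may fail for the same reason sshd's does.

```shell
#!/bin/sh
# Added example, not part of the thread: reproduce the ownership and
# permission checks sshd applies (StrictModes) to the home directory,
# ~/.ssh and ~/.ssh/authorized_keys before it trusts a public key.
# A group- or world-writable directory or file, or one owned by a
# different uid, makes sshd reject the key while still logging that it
# found it, which is the symptom described in the thread.
# Assumptions: GNU coreutils 'stat -c', and a filesystem that exposes
# POSIX ownership to Cygwin (smbntsec for SMB shares, see above).

# check_path PATH UID: print a one-line reason and return 1 if PATH is
# missing, owned by another uid, or group/world writable; return 0 otherwise.
check_path() {
    cp_path=$1
    cp_uid=$2
    if [ ! -e "$cp_path" ]; then
        echo "MISSING   $cp_path"
        return 1
    fi
    cp_owner=$(stat -c '%u' "$cp_path")
    cp_perms=$(stat -c '%A' "$cp_path")    # symbolic mode, e.g. drwxr-xr-x
    if [ "$cp_owner" != "$cp_uid" ]; then
        echo "BAD-OWNER $cp_path (uid $cp_owner, expected $cp_uid)"
        return 1
    fi
    # In the symbolic mode string char 6 is the group write bit and
    # char 9 the other write bit; either set is what StrictModes refuses.
    case "$cp_perms" in
        ?????w*|????????w*)
            echo "WRITABLE  $cp_path ($cp_perms)"
            return 1
            ;;
    esac
    echo "ok        $cp_path ($cp_perms, uid $cp_owner)"
    return 0
}

# check_ssh_perms HOME [UID]: run check_path over the three paths sshd
# inspects; return 0 only if all three pass.  UID defaults to the caller's.
check_ssh_perms() {
    csp_home=$1
    csp_uid=${2:-$(id -u)}
    csp_rc=0
    for p in "$csp_home" "$csp_home/.ssh" "$csp_home/.ssh/authorized_keys"; do
        check_path "$p" "$csp_uid" || csp_rc=1
    done
    return $csp_rc
}

# Stand-alone use: check the given home directory, or $HOME by default.
if check_ssh_perms "${1:-$HOME}"; then
    echo "RESULT: sshd StrictModes checks would pass"
else
    echo "RESULT: sshd would refuse public key authentication for this home"
fi
```

Run it as the user whose key is being rejected (`sh check-ssh-perms.sh /home/grudd`); a BAD-OWNER line on a UNC-mapped home is the permission-mapping problem the thread is about, while a WRITABLE line is the plain chmod case that 644 on authorized_keys and 700 on .ssh fix. The script reads the symbolic mode rather than parsing octal so it behaves the same in any POSIX sh, including Cygwin's.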



