This is the mail archive of the cygwin mailing list for the Cygwin project.

Index Nav:	[Date Index] [Subject Index] [Author Index] [Thread Index]
Message Nav:	[Date Prev] [Date Next]	[Thread Prev] [Thread Next]
Other format:	[Raw text]

Windows Guest Account Locked SSH

From: <Jez dot Noake at gmp dot police dot uk>
To: <cygwin at cygwin dot com>
Date: Wed, 6 Nov 2013 10:26:17 +0000
Subject: Windows Guest Account Locked SSH
Authentication-results: sourceware.org; auth=none
References: <3B5A3AEF8D16D1489ECFF9EB07DA0B99976FA34A at CBPDEXCHAS01 dot gmpnt dot rootdom dot gmp dot police dot cjx dot gov dot uk> <3B5A3AEF8D16D1489ECFF9EB07DA0B99976FA3B2 at CBPDEXCHAS01 dot gmpnt dot rootdom dot gmp dot police dot cjx dot gov dot uk> <3B5A3AEF8D16D1489ECFF9EB07DA0B99976FA3D4 at CBPDEXCHAS01 dot gmpnt dot rootdom dot gmp dot police dot cjx dot gov dot uk>

I have a similar problem to this post:
http://cygwin.com/ml/cygwin/2012-06/msg00507.html

except that the version I am using is 1.7.25, downloaded relatively recently.

It seems that making an ssh connection to the CygWin host, using RSA certificate to achieve passwordless connection, causes the SSHD service on the host to perform an authentication using the account that the service is hosted with ... but that it apparently does not qualify the account with a domain (ie. the local machine) and apparently the assumption is that it should be a DOMAIN account - there was no DOMAIN\CYG_SERVER account so it fails and I assume it then tries DOMAIN\Guest as a fall-back, with the wrong password and therefore locks out DOMAIN\Guest

So I created a DOMAIN\CYG_SERVER account with the same password as <LOCALDOMAIN>\CYG_SERVER and presto!, SSH connections from my client with no domain guest lockout.

I have googled to infinity and beyond and found only a few references to this problem, and none of them suggest this or any other solution, merely that you can try this and that (one relating to duplicated SID's - not the reason)

I have tried to attach the sanitized output of cygcheck -s -v -r > cygcheck.out
as suggested and copies of the ssh config files, but Cygwin mailserver sees the mail as spam?!

The SSH configs on both the host and client have been modified to eliminate any passworded/ Kerberos/GSSAPI options leaving just the publickey authentication.

Can anyone specify a better solution than creating a matching domain account?

I can't help thinking that I have missed some configuration item that would deal with this directly.



To contact the police in an emergency call 999 or to contact Greater Manchester Police for a less urgent matter call 101.
For the latest news and information about your Neighbourhood Policing Team visit www.gmp.police.uk. You can also follow us on Twitter: www.twitter.com/gmpolice or find us on Facebook: www.facebook.com/GtrManchesterPolice , Flickr: www.flickr.com/gmpolice or YouTube: www.youtube.com/gmpolice


This e mail carries a disclaimer, a copy of which may be read at:
	
http://www.gmp.police.uk/emaildisclaimer

Attachment: cygcheck.out
Description: cygcheck.out

Attachment: ssh_config.txt
Description: ssh_config.txt

Attachment: sshd_config.txt
Description: sshd_config.txt

--
Problem reports:       http://cygwin.com/problems.html
FAQ:                   http://cygwin.com/faq/
Documentation:         http://cygwin.com/docs.html
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple

Follow-Ups:
- Re: Windows Guest Account Locked SSH
  - From: Adam Dinwoodie
- Re: Windows Guest Account Locked SSH
  - From: Larry Hall (Cygwin)
- Re: Windows Guest Account Locked SSH
  - From: Christopher Faylor

Index Nav:	[Date Index] [Subject Index] [Author Index] [Thread Index]
Message Nav:	[Date Prev] [Date Next]	[Thread Prev] [Thread Next]