This is the mail archive of the cygwin mailing list for the Cygwin project.



Re: Cygwin ssh and Windows authentication


Greetings, Jarek!

>>> So why are they not needed as your comment doesn't really explain that
>> Read 1.7.35 changelog.
>> In short, username resolution was completely reworked, thanks to Corinna, and
>> Cygwin now directly addresses domain controllers for it.
> OK so it addresses DCs to check some settings or privileges. I don't 
> suppose it just asks 'hey DS, can contoso\johnd access sshd on server1?'

Indirectly, that can be done, i.e., by including a user in an "SSH" group and
allowing only the "DOMAIN+SSH" group to authorize on the server.

> to which the DC is like 'dude, what the heck is sshd?' :)

This is not that simple. The actual authentication is done by SSH itself in
this case. Same as on *NIX. For THIS (or, more precisely, to craft the auth token
which IS THE "user" in terms of OS access control) it needs certain privileges.
The details are in the documentation I linked earlier, in the next question about
using public keys with SSH.

> I now have the cygwin service running in domain context so now I would
> somehow need to let the DC know who is allowed to ssh to my server1.

By default, everyone will be allowed, and they will have only what rights they
have, as the actual access control is done by OS itself, once the user is
authenticated.

> My domain account, although in local admins on the server is now failing
> authentication when trying to ssh. Which gets us back to the question what
> do I need for a DC to authenticate me?

Nothing more than what is stated in the FAQ entry.
I suggest starting from a new Cygwin install (stop and remove installed Cygwin
services and rename your existing installation out of the way) and recheck the
results.
Verbose logging from both client and server may give some insight, too.

>>> and how exactly did I screw up my setup if I can actually access the
>>> server with a domain user account no problem?
>> On that, I'm surprised.

> Maybe a bug then?

Depends on what exactly the state was. But I'm not concerned.
There are so few narrow use cases left for having passwd/group files around
that it is better to just get rid of them.
Because:

>> /etc/passwd/group has nothing to do with "access control".
>> The files were only used to convert Windows to Cygwin names (and supply other
>> Cygwin-specific information), on the presumption that there will never be too
>> much of it. This is now done on the fly, allowing Cygwin to be deployed in large
>> domains.


-- 
With best regards,
Andrey Repin
Tuesday, July 21, 2015 23:27:07

Sorry for my terrible English...


--
Problem reports:       http://cygwin.com/problems.html
FAQ:                   http://cygwin.com/faq/
Documentation:         http://cygwin.com/docs.html
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple
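The group-based restriction Andrey describes above ("allow only the DOMAIN+SSH group to authorize on the server") is an sshd_config setting, not a DC setting, and it works because Cygwin 1.7.35+ resolves "DOMAIN+name" users and groups through the DC on the fly with no /etc/passwd or /etc/group present. The following is an added example for this thread, not code from the original post or from the Cygwin project: shell functions, run in the Cygwin bash the service is administered from, that write an AllowGroups directive into sshd_config and check that the group and a candidate user resolve before the service is restarted. The domain CONTOSO, the group CONTOSO+SSH, the user CONTOSO+johnd and the path /etc/sshd_config are assumptions (placeholders); the group database format assumed for `getent group` is the usual name:password:gid:members layout, where Cygwin puts the SID in the password field.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread or the Cygwin project).
# Assumptions: sshd config at /etc/sshd_config; CONTOSO+SSH / CONTOSO+johnd are
# placeholder names; `getent group` prints name:SID:gid:members (Cygwin 1.7.35+
# answers these lookups from the DC, so no /etc/group file is needed).

SSHD_CONFIG="${SSHD_CONFIG:-/etc/sshd_config}"

# Emit the AllowGroups directive for a Cygwin-style "DOMAIN+group" name.
# The ssh daemon, not the DC, enforces it: a user whose token lacks this
# group is refused before any key or password check matters.
allowgroups_line() {
    printf 'AllowGroups %s\n' "$1"
}

# Read an sshd_config on stdin and write it to stdout with exactly one
# AllowGroups line: the first existing one is replaced, later duplicates are
# dropped, and the directive is appended if the file had none. Output goes to
# stdout so the result can be reviewed before overwriting the live file.
set_allowgroups() {
    awk -v line="$(allowgroups_line "$1")" '
        /^[[:space:]]*AllowGroups[[:space:]]/ { if (!done) print line; done = 1; next }
        { print }
        END { if (!done) print line }'
}

# Extract the numeric gid from one `getent group NAME` line on stdin.
# Working with gids rather than names avoids the splitting problem below,
# since Windows group names may contain spaces ("CONTOSO+Domain Users").
group_gid() {
    cut -d: -f3
}

# Return 0 if the gid given as $1 appears in the space-separated list of gids
# read on stdin, as produced by `id -G USER`.
gid_in_list() {
    tr ' ' '\n' | grep -qxF "$1"
}

# Intended use on the Cygwin host (not run here, so the file stays untouched):
#   set_allowgroups 'CONTOSO+SSH' < "$SSHD_CONFIG" > "$SSHD_CONFIG.new" \
#       && mv "$SSHD_CONFIG.new" "$SSHD_CONFIG"
#   gid="$(getent group 'CONTOSO+SSH' | group_gid)"      # empty => DC lookup failed
#   id -G 'CONTOSO+johnd' | gid_in_list "$gid" && echo 'johnd will be let in'
#   cygrunsrv --stop sshd && cygrunsrv --start sshd        # pick up the new config
```

If `getent group 'CONTOSO+SSH'` prints nothing, the name is not resolving through the DC at all, and AllowGroups would lock everyone out; that is the check to make before restarting the service, and verbose logging on both sides (`ssh -vvv`, `sshd -ddd`) is the next step if the group resolves but the login still fails.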

