This is the mail archive of the cygwin mailing list for the Cygwin project.



Re: LDAP integration and sshd


On Jun 25 20:06, Achim Gratz wrote:
> Corinna Vinschen writes:
> > You read my preliminary doc, I hope?  I attached it again, for
> > completeness.  But, here's what happens:
> 
> I guess I read it at one time, but not specifically today. :-)
> 
> > If you're in a domain, and the sshd user account is local, the local
> > sshd account will be prefixed with the local machine name, like this:
> >
> >   MACHINE+sshd
> >
> > OpenSSH's sshd looks for an account called "sshd", so in the above
> > scenario, it will fail to find sshd.  There are three workarounds:
> 
> The fourth:
> 
> mkpasswd -l | awk '/sshd:/{gsub("^[^+]*\\+", "");print;}' >> /etc/passwd

I was specifically talking about workarounds *not* involving generating
an /etc/passwd entry.

> > - Switch off privilege separation in /etc/sshd_config.
> 
> Not going to do that if I can help it.

Doesn't work as intended anyway due to the lack of descriptor passing in
Cygwin.  I never use it if I can help it.

> > - Create an unprivileged "sshd" user in your primary domain.  Since
> >   this account is unprefixed by default, sshd will find the user
> >   account and happily use it.
> 
> That might actually be the best idea since the account doesn't need any
> privileges at all. I'll have to ask our domain admins.

It's a good thing in the long run since you never have to care for
the sshd account for all machines in the same domain.

> > - Build your own OpenSSH package with the following patch applied:
> 
> With the workarounds available, I'm not trying.
> 
> > I have not the faintest idea how to get Kerberos auth working with
> > OpenSSH, sorry.  The problem in case of using the AD stuff might be
> > related to the username prefixing.  Kerberos probably doesn't understand
> > the prefix separator char (the '+' sign by default).
> 
> At the moment the problem seems to be that some part of the necessary
> config is missing.  I'm getting into the right realm, but then things
> fall apart.
> 
> >> Putting the public keys elsewhere would also work,
> >> but it isn't clear to me how to configure that.
> 
> N.B.: This can be done in /etc/sshd_config with an absolute path and
> judicious use of the %u token.  Doesn't help though, since after logging
> in via public key the user doesn't have an LDAP ticket and is thus
> unable to have the home share mounted.  This appeared to work during the
> initial test since the server still had a ticket cached from a previous
> RDP session.

This is what method 3 is for, as described at the link below.

> > Does it work better with the passwd -R method?
> >
> >   https://cygwin.com/cygwin-ug-net/ntsec.html#ntsec-nopasswd3
> 
> I didn't get it to work yet.  I suppose that I need to somehow pass
> "CYGWIN=ntsec" environment via cygrunserv?

Huh?  How long have you been using Cygwin again?  The ntsec option went
away with Cygwin 1.7 ages ago.  That's what the user's guide is for...

 https://cygwin.com/cygwin-ug-net/using-cygwinenv.html#cygwinenv-removed-options

Just run cygserver and every user can do it, otherwise enter the
password for the user with `passwd -R <username>' as admin.

> My initial config had CYGWIN
> empty, which probably means I'll have to re-install the service.

No.

> BTW,
> I've managed to go through some SIDs until I had a working config; is
> there any way to reset this counter when deleting a user?

No.

> Do I read this correctly that the password itself gets stored and not an
> NTLM(v2) hash?

No.


Corinna

-- 
Corinna Vinschen                  Please, send mails regarding Cygwin to
Cygwin Maintainer                 cygwin AT cygwin DOT com
Red Hat

Attachment: pgpvMQYrBhBc7.pgp
Description: PGP signature
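The "fourth workaround" quoted above strips the `MACHINE+` prefix from the sshd entry that `mkpasswd -l` prints on a domain-joined host. The following script is an added illustration, not code from the thread or from the Cygwin project: it runs the same awk filter over a constructed, hard-coded sample of `mkpasswd -l` output (made-up UIDs and SIDs), checks that the result is a well-formed seven-field passwd line whose name is exactly `sshd`, and appends it to a passwd file only if no `sshd:` line is already present, so that re-running it does not create duplicate entries. It writes to a temporary file rather than `/etc/passwd`; the function names are ours.

```shell
#!/usr/bin/env bash
# Added example: strip the MACHINE+ prefix from the sshd account in
# mkpasswd -l output (same awk expression as quoted in the thread) and
# append the result idempotently to a passwd file.

# Constructed sample of `mkpasswd -l` output on a domain-joined machine.
# Field order is name:passwd:uid:gid:gecos:home:shell. UIDs/SIDs are made up.
SAMPLE_MKPASSWD='MACHINE+Administrator:*:197108:197121:U-MACHINE\Administrator,S-1-5-21-1-2-3-500:/home/Administrator:/bin/bash
MACHINE+sshd:*:197609:197121:sshd privsep,U-MACHINE\sshd,S-1-5-21-1-2-3-1001:/var/empty:/bin/false
MACHINE+cyg_server:*:197610:197121:Privileged server,U-MACHINE\cyg_server,S-1-5-21-1-2-3-1002:/var/empty:/bin/false'

# strip_sshd_prefix: read passwd lines on stdin, keep only lines containing
# "sshd:" and delete everything up to and including the first '+'.
# This is the awk filter from the post, unchanged.
strip_sshd_prefix() {
    awk '/sshd:/{gsub("^[^+]*\\+", ""); print}'
}

# sshd_entry_from: apply the filter to a passwd text given as argument
# and print the resulting (unprefixed) sshd line, if any.
sshd_entry_from() {
    printf '%s\n' "$1" | strip_sshd_prefix
}

# check_entry: succeed only if the line names exactly "sshd" and has the
# seven colon-separated fields a passwd entry needs.
check_entry() {
    local line="$1" name nfields
    name=${line%%:*}
    [ "$name" = "sshd" ] || return 1
    nfields=$(printf '%s\n' "$line" | awk -F: '{print NF}')
    [ "$nfields" -eq 7 ]
}

# append_if_missing: append the entry to the given passwd file unless a
# line starting with "sshd:" is already there (so repeated runs are safe).
append_if_missing() {
    local entry="$1" file="$2"
    if grep -q '^sshd:' "$file" 2>/dev/null; then
        return 0
    fi
    printf '%s\n' "$entry" >> "$file"
}

# Demonstration against a temporary file instead of /etc/passwd.
main() {
    local entry tmp
    entry=$(sshd_entry_from "$SAMPLE_MKPASSWD")
    echo "filtered entry: $entry"
    check_entry "$entry" || { echo "malformed sshd entry" >&2; return 1; }
    tmp=$(mktemp)
    append_if_missing "$entry" "$tmp"
    append_if_missing "$entry" "$tmp"   # second call is a no-op
    echo "sshd lines in $tmp: $(grep -c '^sshd:' "$tmp")"
    rm -f "$tmp"
}

main "$@"
```

On a real host the last step would be `append_if_missing "$entry" /etc/passwd` run as an administrator; the `check_entry` guard matters because the `/sshd:/` pattern matches any line containing that substring, so it is worth confirming the name field before appending.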

