This is the mail archive of the cygwin mailing list for the Cygwin project.
Re: Cygwin ssh and Windows authentication
- From: Andrey Repin <anrdaemon at yandex dot ru>
- To: Jarek <yaro_29 at hotmail dot com>, cygwin at cygwin dot com
- Date: Thu, 23 Jul 2015 00:46:27 +0300
- Subject: Re: Cygwin ssh and Windows authentication
- Authentication-results: sourceware.org; auth=none
- References: <BLU436-SMTP39AE7DD48809E802CE4DAE9E860 at phx dot gbl> <1301881165 dot 20150720013859 at yandex dot ru> <BLU436-SMTP217DCBDBFA0EED5BC1ACFFB9E850 at phx dot gbl> <1399485278 dot 20150721032532 at yandex dot ru> <BLU436-SMTP238C37DE9A243EA7E7F794F9E840 at phx dot gbl> <981419184 dot 20150721233655 at yandex dot ru> <BLU436-SMTP147434267174B49E8813BD49E830 at phx dot gbl>
- Reply-to: cygwin at cygwin dot com
Greetings, Jarek!
>>>>> So why are they not needed as your comment doesn't really explain that
>>>> Read 1.7.35 changelog.
>>>> In short, username resolution was completely reworked, thanks to Corinna, and
>>>> Cygwin now directly addresses domain controllers for it.
>>> OK so it addresses DCs to check some settings or privileges. I don't
>>> suppose it just asks 'hey DS, can contoso\johnd access sshd on server1?'
>> Indirectly, that can be done, i.e., by including a user in an "SSH" group and
>> allowing only the "DOMAIN+SSH" group to authorize on the server.
> I assume the group name is arbitrary and can be named anything.
Of course. I have a generic "RemoteUsers" group for all users that are allowed
remote access (VPN, SSH, etc.)
> I went through local rights on my sshserver and I see the Everyone, and
> Users local groups have Allow to access this computer via network.
> I take it the 'Act as part of the OS','Create a token object' and
> 'Replace a process level token' rights are only for the account running
> the sshd service.
Yes, these are only used by the service itself, and not propagated to the users
connected.
>> Verbose logging from both client and server may give some insight, too.
> Here is what I get from the logs on the client when attempting to
> connect with WinSCP
Try using only username to login. Without domain prefix.
And disable other auth mechanics while you are testing; namely, I see it trying
GSSAPI, which wouldn't work unless explicitly configured and allowed.
Please attach long listings as files or provide links to pastebin service of
your choice.
--
With best regards,
Andrey Repin
Thursday, July 23, 2015 00:42:20
Sorry for my terrible english...