X-Recipient: archive-cygwin AT delorie DOT com
X-SWARE-Spam-Status: No, hits=1.0 required=5.0 	tests=AWL,BAYES_20,SARE_MSGID_LONG40
X-Spam-Check-By: sourceware.org
Message-ID: <096385baeda76b4b83f591937a5e50b1f5f81434@localhost>
Date: Tue, 23 Feb 2010 19:01:38 +0200
From: Jukka Inkeri <cygwin AT awot DOT fi>
MIME-Version: 1.0
To: cygwin AT cygwin DOT com
Subject: ssh problem using publickey in domain environment
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
X-IsSubscribed: yes
Mailing-List: contact cygwin-help AT cygwin DOT com; run by ezmlm
List-Id: <cygwin.cygwin.com>
List-Subscribe: <mailto:cygwin-subscribe AT cygwin DOT com>
List-Archive: <http://sourceware.org/ml/cygwin/>
List-Post: <mailto:cygwin AT cygwin DOT com>
List-Help: <mailto:cygwin-help AT cygwin DOT com>, <http://sourceware.org/ml/#faqs>
Sender: cygwin-owner AT cygwin DOT com
Mail-Followup-To: cygwin AT cygwin DOT com
Delivered-To: mailing list cygwin AT cygwin DOT com

I have read this mailing list and many other good pages how to setup 
sshd in cygwin environment. I have installed many sshd cygwin servers, 
but last some servers I have been publickey auth problem.

Basic model works fine, but in the domain environment has been some 
problems. Today I found some answer, but not all.

If I have used ex. win2003 (or win2008r2) servers and those are member 
of domain and domain controller then
    ssh-host-config -y
    net start sshd
works fine, you can use password or rsa publickey auth, no problem.
cyg_server and sshd are domain users, works fine.

But if your server is member of domain, but not domain controller, then 
publickey not work, setsuid problem. In this case server can use local 
and domain users. Controller use only domain users.

Today I found "dirty" solution, I added also local user and it works 
fine also with publickey auth. cyg_server and sshd are local users and 
user is also local, works fine. But not using domain users ?
    mkpasswd -l ...
    mkpasswd -d domain ...

Why it works if your server is domain controller, but not if you have 
only member of domain ?
- setting priviledges ? ex. SeAssignPrimaryTokenPrivilege

If your server is member of domain, howto make users, sshd, (which 
order) ... without setuid problem when using publickey auth ? cyg_server 
and sshd - domain user or local or both, ???


-jukka-


--
Problem reports:       http://cygwin.com/problems.html
FAQ:                   http://cygwin.com/faq/
Documentation:         http://cygwin.com/docs.html
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple