This is the mail archive of the
mailing list for the Cygwin project.
Re: Passwordless login with ssh
- From: Corinna Vinschen <corinna-cygwin at cygwin dot com>
- To: cygwin at cygwin dot com
- Date: Thu, 16 Oct 2003 10:12:08 +0200
- Subject: Re: Passwordless login with ssh
- References: <email@example.com>
- Reply-to: cygwin at cygwin dot com
On Wed, Oct 15, 2003 at 04:51:58PM -0700, Andrew DeFaria wrote:
> Sorry, I searched the list and did not get a definitive answer. What I'm
> trying to do is to secure things up a little bit around here. I would
> like to use ssh. But I also want to allow valid users to ssh <remove>
> <command> without being prompted for a password. I'm not sure this is
> Reading from openssh-3.7.1p2-1.README I see
> Authentication to sshd is possible in one of two ways. You'll have
> to decide before starting sshd!
> - If you want to authenticate via RSA and you want to login to that
> machine to exactly one user account you can do so by running sshd
> under that user account. You must change /etc/sshd_config to contain
> the following:
> RSAAuthentication yes
> Moreover it's possible to use rhosts and/or rhosts with RSA
> authentication by setting the following in sshd_config:
> RhostsAuthentication yes
> RhostsRSAAuthentication yes
> Seems to me that the above says I can only use RSA Authentication IFF
> I only want to allow one username to be able to login. Or
You missed the part under "Important change since 2.9p2":
"Since Cygwin is able to switch user context without password beginning
with version 1.3.2, OpenSSH now allows to do so when it's running under
a version >= 1.3.2. Keep in mind that `ntsec' has to be activated to
allow that feature."
This is a bit too brief, I admit. Actually, the account which may switch
user context without password needs "create a token object" privilege.
This is by default only the SYSTEM user. So, running sshd under SYSTEM
account gives you what you want. Except on 2003 Server. There you'll
have to create a new account (say "sshd_srv", *not* "sshd") which is
part of the admins group and has the appropriate extra privileges
"Create a token object"
"Replace process level token"
"Logon as a service"
> The system account does of course own that user rights by default.
> Unfortunately, if you choose that way, you can only logon with NT
> password authentification and you should change /etc/sshd_config to
> contain the following:
Yeah, should be rewritten.
> RhostsAuthentication no
Ugh. Rhosts authentication is dropped entirely since 3.7p1.
Corinna Vinschen
Cygwin Developer
Red Hat, Inc.
Please, send mails regarding Cygwin to mailto:firstname.lastname@example.org
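A check for the three rights listed in the message above, as an added example that is not part of the original mail or of Cygwin's own scripts. It assumes Cygwin's `editrights` tool is available and lists one right name per line, and it uses the Windows constant names for the three rights; the script name in the comment is hypothetical.

```shell
#!/bin/sh
# Added example: audit the rights of the account that runs sshd.
# Windows constant names for the three rights named in the mail:
#   "Create a token object"        -> SeCreateTokenPrivilege
#   "Replace process level token"  -> SeAssignPrimaryTokenPrivilege
#   "Logon as a service"           -> SeServiceLogonRight
REQUIRED_RIGHTS="SeCreateTokenPrivilege SeAssignPrimaryTokenPrivilege SeServiceLogonRight"

# Constructed sample listing (not real output): one required right is missing.
SAMPLE_LISTING='SeServiceLogonRight
SeCreateTokenPrivilege
SeIncreaseQuotaPrivilege'

# missing_rights: read a rights listing on stdin (assumed format: one Se*
# name per line, CRLF tolerated) and print every required right not in it.
# An empty listing (e.g. unknown account) reports all three as missing.
missing_rights() {
    listing=$(tr -d '\r' | tr -s ' \t' '\n')
    for right in $REQUIRED_RIGHTS; do
        printf '%s\n' "$listing" | grep -qix "$right" || printf '%s\n' "$right"
    done
}

# audit_account ACCOUNT: query the live rights with Cygwin's editrights
# and return non-zero when a required right is absent.
audit_account() {
    missing=$(editrights -l -u "$1" | missing_rights)
    if [ -n "$missing" ]; then
        printf '%s lacks: %s\n' "$1" "$(printf '%s' "$missing" | tr '\n' ' ')" >&2
        return 1
    fi
    printf '%s holds the rights sshd needs to switch user context\n' "$1"
}

# Run as: sh check_sshd_rights.sh sshd_srv   (no argument: demo on the sample)
if [ -n "${1:-}" ]; then
    audit_account "$1"
else
    printf 'sample is missing: %s\n' "$(printf '%s\n' "$SAMPLE_LISTING" | missing_rights)"
fi
```
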