This is the mail archive of the
mailing list for the Cygwin project.
Cygwin and ssh - password auth. problem
- From: Re Persina <r99990 at gmail dot com>
- To: cygwin at cygwin dot com
- Date: Fri, 4 Nov 2005 17:02:00 -0500
- Subject: Cygwin and ssh - password auth. problem
- References: <firstname.lastname@example.org>
I have cygwin running on a windows 2000 server, which is also a PDC.
I setup sshd in cygwin and I've been using it for some time to login
as administrator, both using the password and using public-key auth,
and it has been working great. I now need to have a regular user (a
member of the Domain User group) login using ssh. I'll call this user
"user1". I created the user in active directory, and synced cygwin's
passwd file with "mkpasswd -d > /etc/passwd". However, this does not
allow me to login over ssh as my new user, using the password I set.
I try to ssh to the server as the user and I enter the password when
I am prompted by ssh, but it does not accept it; I get "Permission
denied, please try again.". I checked the windows event log, and it
says: "...sshd: PID:2588: Failed password for user1 from 10.0.0.2...".
If I upload my public key to ~user1/.ssh/authorized_keys, I can login.
I understand that is because ssh pub-key auth bypasses windows auth
altogether. Unfortunately, I cannot use pub-key auth for this
The only way I've found to make password-auth work, is to add the
user to the Administrators group. As soon as I do that, I can
successfully ssh to the server and succesfully login with the "user1"
user and its password. Then as soon as I remove the user from the
Administrators group, I can no longer login over ssh. Actually I've
found that adding this user to one of a variety of elevated-privledge
groups will allow him to login. Making the user a member of any one
of: "Server Operators", "Backup Operators", or "Domain Admin" will
allow the user to login over ssh with his password. The problem is
this user cannot have special permissions; he needs to be a standard
user/ Domain User. I tried making him a member of the local Users
group, but that had no effect.
From the research I've done so far, I haven't found any good reason
why this shouldn't work. There should be a way to allow this user to
login with his password without him needing elevated privledges, yes?
Can someone please point me in the right direction?
Unsubscribe info: http://cygwin.com/ml/#unsubscribe-simple
Problem reports: http://cygwin.com/problems.html