This is the mail archive of the
cygwin
mailing list for the Cygwin project.
Re: Windows Guest Account Locked SSH
- From: "Larry Hall (Cygwin)" <reply-to-list-only-lh at cygwin dot com>
- To: cygwin at cygwin dot com
- Date: Wed, 06 Nov 2013 10:23:17 -0500
- Subject: Re: Windows Guest Account Locked SSH
- Authentication-results: sourceware.org; auth=none
- References: <3B5A3AEF8D16D1489ECFF9EB07DA0B99976FA34A at CBPDEXCHAS01 dot gmpnt dot rootdom dot gmp dot police dot cjx dot gov dot uk> <3B5A3AEF8D16D1489ECFF9EB07DA0B99976FA3B2 at CBPDEXCHAS01 dot gmpnt dot rootdom dot gmp dot police dot cjx dot gov dot uk> <3B5A3AEF8D16D1489ECFF9EB07DA0B99976FA3D4 at CBPDEXCHAS01 dot gmpnt dot rootdom dot gmp dot police dot cjx dot gov dot uk> <3B5A3AEF8D16D1489ECFF9EB07DA0B99976FA3EB at CBPDEXCHAS01 dot gmpnt dot rootdom dot gmp dot police dot cjx dot gov dot uk>
- Reply-to: cygwin at cygwin dot com
On 11/6/2013 5:26 AM, Jez.Noake@gmp.police.uk wrote:
I have a similar problem to this post:
http://cygwin.com/ml/cygwin/2012-06/msg00507.html
except that the version I am using is 1.7.25, downloaded relatively recently.
It seems that making an ssh connection to the CygWin host, using RSA
certificate to achieve passwordless connection, causes the SSHD service on
the host to perform an authentication using the account that the service is
hosted with ... but that it apparently does not qualify the account with a
domain (ie. the local machine) and apparently the assumption is that it
should be a DOMAIN account - there was no DOMAIN\CYG_SERVER account so it
fails and I assume it then tries DOMAIN\Guest as a fall-back, with the wrong
password and therefore locks out DOMAIN\Guest
So I created a DOMAIN\CYG_SERVER account with the same password as
<LOCALDOMAIN>\CYG_SERVER and presto!, SSH connections from my client with no
domain guest lockout.
I have googled to infinity and beyond and found only a few references to
this problem, and none of them suggest this or any other solution, merely
that you can try this and that (one relating to duplicated SID's - not the
reason)
<snip>
Can anyone specify a better solution than creating a matching domain account?
I can't help thinking that I have missed some configuration item that
would deal with this directly.
No, this is exactly the way to do it. ssh-host-config cannot create a
privileged domain account when run as any user from any machine so it
doesn't try to. If you need a domain user to be able to authenticate with
pubkey, you have to do what you did to make that work. The side effect
of locking the domain guest account is a new twist I hadn't heard of
before but then again, it is Windows we're talking about. ;-)
--
Larry
_____________________________________________________________________
A: Yes.
> Q: Are you sure?
>> A: Because it reverses the logical flow of conversation.
>>> Q: Why is top posting annoying in email?
--
Problem reports: http://cygwin.com/problems.html
FAQ: http://cygwin.com/faq/
Documentation: http://cygwin.com/docs.html
Unsubscribe info: http://cygwin.com/ml/#unsubscribe-simple