This is the mail archive of the cygwin mailing list for the Cygwin project.


Re: LDAP integration and sshd

On Jun 25 20:06, Achim Gratz wrote:
> Corinna Vinschen writes:
> > You read my preliminary doc, I hope?  I attached it again, for
> > completeness.  But, here's what happens:
> I guess I read it at one time, but not specifically today. :-)
> > If you're in a domain, and the sshd user account is local, the local
> > sshd account will be prefixed with the local machine name, like this:
> >
> >   MACHINE+sshd
> >
> > OpenSSH's sshd looks for an account called "sshd", so in the above
> > scenario, it will fail to find sshd.  There are three workarounds:
> The fourth:
> mkpasswd -l | awk '/sshd:/{gsub("^[^+]*\\+", "");print;}' >> /etc/passwd

I was specifically talking about workarounds *not* involving generating
an /etc/passwd entry.

> > - Switch off privilege separation in /etc/sshd_config.
> Not going to do that if I can help it.

Doesn't work as intended anyway due to the lack of descriptor passing in
Cygwin.  I never use it if I can help it.

> > - Create an unprivileged "sshd" user in your primary domain.  Since
> >   this account is unprefixed by default, sshd will find the user
> >   account and happily use it.
> That might actually be the best idea since the account doesn't need any
> privileges at all. I'll have to ask our domain admins.

It's a good thing in the long run since you never have to care for
the sshd account for all machines in the same domain.

> > - Build your own OpenSSH package with the following patch applied:
> With the workarounds available, I'm not trying.
> > I have not the faintest idea how to get Kerberos auth working with
> > OpenSSH, sorry.  The problem in case of using the AD stuff might be
> > related to the username prefixing.  Kerberos probably doesn't understand
> > the prefix separator char (the '+' sign by default).
> At the moment the problem seems to be that some part of the necessary
> config is missing.  I'm getting into the right realm, but then things
> fall apart.
> >> Putting the public keys elsewhere would also work,
> >> but it isn't clear to me how to configure that.
> N.B.: This can be done in /etc/sshd_config with an absolute path and
> judicious use of the %u token.  Doesn't help though, since after logging
> in via public key the user doesn't have an LDAP ticket and is thus
> unable to have the home share mounted.  This appeared to work during the
> initial test since the server still had a ticket cached from a previous
> RDP session.

This is what method 3 is for, as described in the below link.

> > Does it work better with the passwd -R method?
> >
> >
> I didn't get it to work yet.  I suppose that I need to somehow pass
> "CYGWIN=ntsec" environment via cygrunserv?

Huh?  How long have you been using Cygwin again?  The ntsec option went
away with Cygwin 1.7 ages ago.  That's what the user's guide is for...

Just run cygserver and every user can do it, otherwise enter the
password for the user with `passwd -R <username>' as admin.

> My initial config had CYGWIN
> empty, which probably means I'll have to re-install the service.


> BTW,
> I've managed to go through some SIDs until I've had a working config, is
> there any way to reset this counter when deleting a user?


> Do I read this correctly that the password itself gets stored and not an
> NTLM(v2) hash?



Corinna Vinschen                  Please, send mails regarding Cygwin to
Cygwin Maintainer                 cygwin AT cygwin DOT com
Red Hat
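As an added example (not code from either poster), a shell helper for the "fourth" workaround quoted above: it strips the machine prefix from only the name field of the sshd line and appends the result to a passwd file just once, so re-running it after another `mkpasswd -l` does not leave duplicate sshd entries. The `mkpasswd -l` output and the function names are constructed for this illustration.

```shell
# Constructed sample of what `mkpasswd -l` prints on a domain-joined host:
# the local sshd account carries the MACHINE+ prefix discussed in the thread.
SAMPLE_MKPASSWD='MACHINE+Administrator:*:197108:197121:U-MACHINE\Administrator,S-1-5-21-1-2-3-500:/home/Administrator:/bin/bash
MACHINE+sshd:*:197610:197121:sshd privsep,U-MACHINE\sshd,S-1-5-21-1-2-3-1002:/var/empty:/bin/false
MACHINE+Guest:*:197109:197122:U-MACHINE\Guest,S-1-5-21-1-2-3-501:/home/Guest:/bin/bash'

# Print the sshd passwd line with "MACHINE+" removed from the name field only
# (hypothetical helper).  Editing field 1 alone leaves the gecos field, which
# also carries the MACHINE\sshd form of the name, untouched.
unprefixed_sshd_entry() {
    printf '%s\n' "$1" |
        awk -F: 'BEGIN{OFS=":"} $1 ~ /^([^+]*[+])?sshd$/ { sub(/^[^+]*[+]/, "", $1); print }'
}

# Append the entry to the passwd file given in $2 unless an "sshd:" line is
# already there, so the helper is safe to run repeatedly (hypothetical helper).
append_sshd_once() {
    entry=$(unprefixed_sshd_entry "$1")
    if [ -z "$entry" ]; then
        echo "no sshd account found in mkpasswd output" >&2
        return 1
    fi
    if grep -q '^sshd:' "$2" 2>/dev/null; then
        echo "sshd entry already present in $2, not appending" >&2
        return 0
    fi
    printf '%s\n' "$entry" >> "$2"
}
```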

