This is the mail archive of the
mailing list for the Cygwin project.
Re: Cygwin ssh and Windows authentication
- From: Jarek <yaro_29 at hotmail dot com>
- To: cygwin at cygwin dot com
- Date: Fri, 24 Jul 2015 21:05:10 +0200
- Subject: Re: Cygwin ssh and Windows authentication
- Authentication-results: sourceware.org; auth=none
- References: <BLU436-SMTP39AE7DD48809E802CE4DAE9E860 at phx dot gbl> <1301881165 dot 20150720013859 at yandex dot ru> <BLU436-SMTP217DCBDBFA0EED5BC1ACFFB9E850 at phx dot gbl> <1399485278 dot 20150721032532 at yandex dot ru> <BLU436-SMTP238C37DE9A243EA7E7F794F9E840 at phx dot gbl> <981419184 dot 20150721233655 at yandex dot ru> <BLU436-SMTP147434267174B49E8813BD49E830 at phx dot gbl> <341710545 dot 20150723004627 at yandex dot ru>
On 2015-07-22 23:46, Andrey Repin wrote:
So why are they not needed as your comment doesn't really explain that
Read 1.7.35 changelog.
In short, username resolution was completely reworked, thanks to Corinna, and
Cygwin now directly addresses domain controllers for it.
OK so it addresses DCs to check some settings or privileges. I don't
suppose it just asks 'hey DS, can contoso\johnd access sshd on server1?'
Indirectly, that can be done, i.e., by including a user in "SSH" group and
allow only "DOMAIN+SSH" group to authorize on server.
I assume the group name is arbitrary and can be named anything.
Of course. I have a generic "RemoteUsers" group for all users that are allowed
remote access (VPN, SSH, etc.)
I went through local rights on my sshserver and I see the Everyone, and
Users local groups have Allow to access this computer via network.
I take it the 'Act as part of the OS','Create a token object' and
'Replace a process level token' rights are only for the account running
the sshd service.
Yes, these are only used by service itself, and not propagated to the users
Verbose logging from both client and server may give some insight, too.
Here is what I get from the logs on the client when attempting to
connect with WinSCP
Try using only username to login. Without domain prefix.
And disable other auth mechanics, while you are testing namely I see it trying
GSSAPI, which wouldn't work unless explicitly configured and allowed.
Please attach long listings as files or provide links to pastebin service of
As much as I don't like giving up, after lots of testing I found the
only way I can get a domain user to access my server is by creating the
/etc/passwd file and adding the users there. I don't understand the
workings behind this but at least it works. Thank you very much for your
help and patience. Due to tons of other things I have to work on now I
won't be pursuing this further but hey, Microsoft are yet again working
on ssh. Maybe they succeed this time.
All the best.
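
The two server-side points raised in the thread above (letting only one "DOMAIN+group" group log in, and keeping unconfigured mechanisms such as GSSAPI switched off) can be checked against an sshd_config. The script below is an added example, not part of the original messages or of Cygwin; the group name CONTOSO+RemoteUsers and the sample configs are constructed, and it assumes no Match block overrides the global settings.

```shell
#!/bin/sh
# Added example, not from the thread: audit the global section of an sshd_config.

# Print the arguments of every global-section line for keyword $2 in file $1.
# Keywords are case-insensitive; parsing stops at the first Match block, so
# per-Match overrides are NOT evaluated (assumption: none are in use).
sshd_values() {
    awk -v key="$2" '
        /^[ \t]*#/ || NF == 0 { next }
        tolower($1) == "match" { exit }
        tolower($1) == tolower(key) { $1 = ""; sub(/^[ \t]+/, ""); print }
    ' "$1"
}

# Return 0 only if group $2 is the sole AllowGroups entry and GSSAPI is off.
audit_sshd_config() {
    cfg=$1; group=$2; rc=0
    # AllowGroups lines accumulate, so join every occurrence.
    allowed=$(sshd_values "$cfg" AllowGroups | tr '\n' ' ' | sed 's/ *$//')
    if [ "$allowed" = "$group" ]; then
        echo "ok:   AllowGroups = $group"
    else
        echo "FAIL: AllowGroups = '${allowed:-<unset>}', expected '$group'"; rc=1
    fi
    # First occurrence wins for ordinary keywords; upstream default is "no".
    gss=$(sshd_values "$cfg" GSSAPIAuthentication | head -n 1 | tr 'A-Z' 'a-z')
    if [ "${gss:-no}" = "no" ]; then
        echo "ok:   GSSAPIAuthentication off"
    else
        echo "FAIL: GSSAPIAuthentication = '$gss'"; rc=1
    fi
    return "$rc"
}

# Constructed sample configs; group name follows the thread's DOMAIN+group form.
tmp=$(mktemp -d)
printf '%s\n' 'Port 22' 'GSSAPIAuthentication yes' > "$tmp/open"
printf '%s\n' '# one mechanism at a time while testing' \
    'gssapiauthentication no' 'GSSAPIAuthentication yes' \
    'AllowGroups   CONTOSO+RemoteUsers' > "$tmp/restricted"
printf '%s\n' 'AllowGroups CONTOSO+RemoteUsers' 'AllowGroups Users' > "$tmp/widened"

for f in open restricted widened; do
    echo "== $f"; audit_sshd_config "$tmp/$f" 'CONTOSO+RemoteUsers' || true
done
```

The "widened" sample fails because a second AllowGroups line adds to the first rather than being ignored, which silently admits another group.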