LDAP integration and sshd
Corinna Vinschen
corinna-cygwin@cygwin.com
Wed Jun 25 18:25:00 GMT 2014
On Jun 25 20:06, Achim Gratz wrote:
> Corinna Vinschen writes:
> > You read my preliminary doc, I hope? I attached it again, for
> > completeness. But, here's what happens:
>
> I guess I read it at one time, but not specifically today. :-)
>
> > If you're in a domain, and the sshd user account is local, the local
> > sshd account will be prefixed with the local machine name, like this:
> >
> > MACHINE+sshd
> >
> > OpenSSH's sshd looks for an account called "sshd", so in the above
> > scenario, it will fail to find sshd. There are three workarounds:
>
> The fourth:
>
> mkpasswd -l | awk '/sshd:/{gsub("^[^+]*\\+", "");print;}' >> /etc/passwd
I was specifically talking about workarounds *not* involving generating
an /etc/passwd entry.
> > - Switch off privilege separation in /etc/sshd_config.
>
> Not going to do that if I can help it.
Doesn't work as intended anyway due to the lack of descriptor passing in
Cygwin. I never use it if I can help it.
> > - Create an unprivileged "sshd" user in your primary domain. Since
> > this account is unprefixed by default, sshd will find the user
> > account and happily use it.
>
> That might actually be the best idea since the account doesn't need any
> privileges at all. I'll have to ask our domain admins.
It's a good thing in the long run since you never have to care for
the sshd account for all machines in the same domain.
> > - Build your own OpenSSH package with the following patch applied:
>
> With the workarounds available, I'm not trying.
>
> > I have not the faintest idea how to get Kerberos auth working with
> > OpenSSH, sorry. The problem in case of using the AD stuff might be
> > related to the username prefixing. Kerberos probably doesn't understand
> > the prefix separator char (the '+' sign by default).
>
> At the moment the problem seems to be that some part of the necessary
> config is missing. I'm getting into the right realm, but then things
> fall apart.
>
> >> Putting the public keys elsewhere would also work,
> >> but it isn't clear to me how to configure that.
>
> N.B.: This can be done in /etc/sshd_config with an absolute path and
> judicious use of the %u token. Doesn't help though, since after logging
> in via public key the user doesn't have an LDAP ticket and is thus
> unable to have the home share mounted. This appeared to work during the
> initial test since the server still had a ticket cached from a previous
> RDP session.
This is what method 3 is for, as described in the below link.
> > Does it work better with the passwd -R method?
> >
> > https://cygwin.com/cygwin-ug-net/ntsec.html#ntsec-nopasswd3
>
> I didn't get it to work yet. I suppose that I need to somehow pass
> "CYGWIN=ntsec" environment via cygrunserv?
Huh? How long have you been using Cygwin again? The ntsec option went away
with Cygwin 1.7 ages ago. That's what the user's guide is for...
https://cygwin.com/cygwin-ug-net/using-cygwinenv.html#cygwinenv-removed-options
Just run cygserver and every user can do it, otherwise enter the
password for the user with `passwd -R <username>' as admin.
> My initial config had CYGWIN
> empty, which probably means I'll have to re-install the service.
No.
> BTW,
> I've managed to go through some SIDs until I had a working config; is
> there any way to reset this counter when deleting a user?
No.
> Do I read this correctly that the password itself gets stored and not an
> NTLM(v2) hash?
No.
Corinna
--
Corinna Vinschen                  Please, send mails regarding Cygwin to
Cygwin Maintainer                 cygwin AT cygwin DOT com
Red Hat
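The fourth workaround quoted above (strip the "MACHINE+" prefix from the local sshd account as `mkpasswd -l` prints it and append the result to /etc/passwd) works, but `>>` appends a second sshd line every time it is re-run. The following is an added example, not code from the thread or from Cygwin: it does the same prefix stripping as the awk one-liner, emulates the exact-name lookup sshd performs on the passwd file, and only appends when no `sshd:` entry exists yet. The `mkpasswd -l` sample, the user names, SIDs and the function names are constructed for the example; the separator is assumed to be a single literal character such as the default '+'.

```shell
#!/bin/sh
# Added example (not from the thread): strip the "MACHINE+" prefix from the
# local sshd account as mkpasswd -l prints it, and append it to a passwd
# file only once, so re-running the fix does not leave duplicate sshd lines.

# Constructed sample of `mkpasswd -l` output on a domain-joined machine.
# Local accounts carry the "MACHINE+" prefix (default separator '+').
SAMPLE_MKPASSWD='MACHINE+Administrator:unused:500:544:U-MACHINE Administrator,S-1-5-21-1-2-3-500:/home/Administrator:/bin/bash
MACHINE+sshd:unused:1003:513:sshd privsep,S-1-5-21-1-2-3-1003:/var/empty:/bin/false
MACHINE+cyg_server:unused:1004:513:Privileged server,S-1-5-21-1-2-3-1004:/var/empty:/bin/bash'

# Emulate the getpwnam("sshd") lookup sshd performs: an exact match on the
# name field of a passwd file. $1 = passwd file, $2 = user name.
# A prefixed "MACHINE+sshd:" line does NOT match, which is the original problem.
lookup_user() {
    grep "^$2:" "$1"
}

# Print only the sshd line, with everything up to and including the first
# separator removed. $1 = mkpasswd output, $2 = separator character (assumed
# to be a single literal character such as '+', the Cygwin default).
# Other local accounts (Administrator, cyg_server, ...) are left out.
unprefixed_sshd_entry() {
    printf '%s\n' "$1" | sed -n "s/^[^$2]*$2\(sshd:\)/\1/p"
}

# Append entry $2 to passwd file $1 unless an "sshd:" line is already there.
# Returns 1 (and appends nothing) when the entry already exists, so the
# function is safe to run repeatedly, unlike a bare `>> /etc/passwd`.
add_sshd_entry() {
    if lookup_user "$1" sshd >/dev/null; then
        return 1
    fi
    printf '%s\n' "$2" >> "$1"
}
```

On a real machine the call would be `add_sshd_entry /etc/passwd "$(unprefixed_sshd_entry "$(mkpasswd -l)" +)"` run as an administrator; the example deliberately does not touch /etc/passwd by itself. Note that this only papers over the name lookup; it does nothing for the descriptor-passing limitation mentioned above, and an unprefixed domain "sshd" account remains the option that needs no per-machine maintenance.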