Cygwin ssh and Windows authentication

Jarek yaro_29@hotmail.com
Sun Aug 2 12:47:00 GMT 2015



On 2015-07-22 23:46, Andrey Repin wrote:
> Greetings, Jarek!
>
>>>>>> So why are they not needed as your comment doesn't really explain that
>>>>> Read 1.7.35 changelog.
>>>>> In short, username resolution was completely reworked, thanks to Corinna, and
>>>>> Cygwin now directly address domain controllers for it.
>>>> OK so it addresses DCs to check some settings or priviliges. I don't
>>>> suppose it just asks 'hey DS, can contoso\johnd access sshd on server1?'
>>> Indirectly, that can be done, i.e., by including a user in "SSH" group and
>>> allow only "DOMAIN+SSH" group to authorize on server.
>> I assume the group name is arbitrary and can be named anything.
> Of course. I have a generic "RemoteUsers" group for all users that allowed
> remote access (VPN, SSH, etc.)
>
>> I went thrugh local rights on my sshserver and I see the Everyone, and
>> Users local groups have Allow to access this computer via network.
>> I take it the 'Act as part of the OS','Create a token object' and
>> 'Replace a process level token' rights are only for the account running
>> the sshd service.
> Yes, these are only used by service itself, and not propagated to the users
> connected.
>
>>> Verbose logging from both client and server may give some insight, too.
>> Here is what I get from the logs on the client when attempting to
>> connect with WinSCP
> Try using only username to login. Without domain prefix.
> And disable other auth mechanics, while you are testing namely I see it trying
> GSSAPI, which wouldn't work unless explicitly configured and allowed.
>
> Please attach long listings as files or provide links to pastebin service of
> your choice.
>
>
Hi Andrey,
Just for an update I deployed ssh access using the passwd file. I found 
it works fine as long as the user connecting is a member of local 
admins. Otherwise users are not able to connect. Looks like this may be 
a bug after all.
Best,
Jarek

--
Problem reports:       http://cygwin.com/problems.html
FAQ:                   http://cygwin.com/faq/
Documentation:         http://cygwin.com/docs.html
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple



More information about the Cygwin mailing list