Cygwin ssh and Windows authentication

Andrey Repin
Wed Jul 22 21:50:00 GMT 2015

Greetings, Jarek!

>>>>> So why are they not needed as your comment doesn't really explain that
>>>> Read 1.7.35 changelog.
>>>> In short, username resolution was completely reworked, thanks to Corinna, and
>>>> Cygwin now directly addresses domain controllers for it.
>>> OK so it addresses DCs to check some settings or privileges. I don't
>>> suppose it just asks 'hey DS, can contoso\johnd access sshd on server1?'
>> Indirectly, that can be done, i.e., by including a user in an "SSH" group and
>> allowing only the "DOMAIN+SSH" group to authorize on the server.
> I assume the group name is arbitrary and can be named anything.

Of course. I have a generic "RemoteUsers" group for all users that are allowed
remote access (VPN, SSH, etc.)

> I went through local rights on my sshserver and I see the Everyone, and
> Users local groups have Allow to access this computer via network.
> I take it the 'Act as part of the OS','Create a token object' and
> 'Replace a process level token' rights are only for the account running
> the sshd service.

Yes, these are only used by the service itself, and not propagated to the users.

>> Verbose logging from both client and server may give some insight, too.

> Here is what I get from the logs on the client when attempting to
> connect with WinSCP

Try using only the username to log in, without the domain prefix.
And disable other auth mechanics while you are testing; namely, I see it trying
GSSAPI, which wouldn't work unless explicitly configured and allowed.

Please attach long listings as files or provide links to a pastebin service of
your choice.

With best regards,
Andrey Repin
Thursday, July 23, 2015 00:42:20

Sorry for my terrible english...
