Mail Archives: cygwin/2003/10/16/10:56:00
Corinna Vinschen wrote:
> On Wed, Oct 15, 2003 at 04:51:58PM -0700, Andrew DeFaria wrote:
>
>> Sorry, I searched the list and did not get a definitive answer. What
>> I'm trying to do is to secure things up a little bit around here. I
>> would like to use ssh. But I also want to allow valid users to ssh
>> <remove> <command> without being prompted for a password. I'm not
>> sure this is doable.
>>
>> Reading from openssh-3.7.1p2-1.README I see
>>
>> Authentication to sshd is possible in one of two ways. You'll have to
>> decide before starting sshd!
>>
>> - If you want to authenticate via RSA and you want to login to that
>> machine to exactly one user account you can do so by running sshd
>> under that user account. You must change /etc/sshd_config to contain
>> the following:
>>
>> RSAAuthentication yes
>>
>> Moreover it's possible to use rhosts and/or rhosts with RSA
>> authentication by setting the following in sshd_config:
>>
>> RhostsAuthentication yes
>> RhostsRSAAuthentication yes
>>
>> Seems to me that the above says I can only use RSA Authentication IFF
>> I only want to allow one username to be able to login. Or
>
> You missed the part under "Important change since 2.9p2":
>
> "Since Cygwin is able to switch user context without password
> beginning with version 1.3.2, OpenSSH now allows to do so when it's
> running under a version >= 1.3.2. Keep in mind that `ntsec' has to be
> activated to allow that feature."
No, I saw that part too; however, it just seemed more confusing to me.
> This is a bit too brief, I admit. Actually, the account who may switch
> user context without password needs "create a token object" privilege.
> This is by default only the SYSTEM user. So, running sshd under SYSTEM
> account gives you what you want.
I currently have sshd running correctly as a service. I can log in as
any user however right now I need to specify my password:
$ ssh starbase id
Andrew AT starbase's password:
uid=1003(Andrew) gid=513(DeFaria)
groups=513(DeFaria),544(Administrators),545(Users)
Now from what I see I need to run ssh-user-config to generate the
necessary keys for passwordless login:
$ ssh-user-config
/home/Andrew DeFaria
/home/Andrew DeFaria is set in /etc/passwd as your home directory
but it is not a valid directory. Cannot create user identity files.
Ugh! Seems ssh-user-config doesn't support directories with spaces in
them! (Would it be hard/impossible to support this?) Let me demonstrate
my problem at work where I have a home directory without a space.
$ ssh adefaria id
adefaria AT adefaria's password:
uid=1370(adefaria) gid=513(Domain Users)
groups=1834(clearcase),512(Domain Admins),513(Domain
Users),2637(Employees-US-Security),1170(Everybody),1331(Software),1866(Software-US-Security)
Same situation. I can use ssh for any user but I must enter a password.
Now for ssh-user-config:
$ ssh-user-config
Shall I create an SSH1 RSA identity file for you? (yes/no) yes
Generating /us/adefaria/.ssh/identity
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Do you want to use this identity to login to this machine? (yes/no) yes
Adding to /us/adefaria/.ssh/authorized_keys
Shall I create an SSH2 RSA identity file for you? (yes/no) (yes/no) yes
Generating /us/adefaria/.ssh/id_rsa
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Do you want to use this identity to login to this machine? (yes/no) yes
Adding to /us/adefaria/.ssh/authorized_keys
Shall I create an SSH2 DSA identity file for you? (yes/no) (yes/no) yes
Generating /us/adefaria/.ssh/id_dsa
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Do you want to use this identity to login to this machine? (yes/no) yes
Adding to /us/adefaria/.ssh/authorized_keys
Configuration finished. Have fun!
$ ssh adefaria id
adefaria AT adefaria's password:
uid=1370(adefaria) gid=513(Domain Users)
groups=1834(clearcase),512(Domain Admins),513(Domain
Users),2637(Employees-US-Security),1170(Everybody),1331(Software),1866(Software-US-Security)
As you can see ssh-user-config did not change the need to enter my
password for ssh.
> Except on 2003 Server. There you'll have to create a new account (say
> "sshd_srv", *not* "sshd") which is part of the admins group and has
> the appropriate extra privileges
>
> "Create a token object"
> "Replace process level token"
> "Increase quotas"
> "Logon as a service"
>
>> The system account does of course own that user rights by default.
>>
>> Unfortunately, if you choose that way, you can only logon with NT
>> password authentication and you should change /etc/sshd_config to
>> contain the following:
>
> Yeah, should be rewritten.
>
>> RhostsAuthentication no
>
> Ugh. Rhosts authentication is dropped entirely since 3.7p1.
>
> Corinna
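The thread leaves Andrew with keys generated and copied into authorized_keys but sshd still asking for a password. The script below is an added example, not part of this thread or of the Cygwin OpenSSH package: it audits the things that have to line up before a key is accepted instead of a password, in the order the thread touches them (a usable home directory, which ssh-user-config refuses to run without; the local identity actually listed in authorized_keys; file modes that sshd's StrictModes accepts; and an sshd_config that does not switch key authentication off). It assumes the standard OpenSSH option names, RSAAuthentication for protocol 1 as quoted from the README and PubkeyAuthentication for protocol 2, and takes the home directory and the sshd_config path as its two arguments. The sample key blob and sshd_config used for checking it are constructed, not real data.

```shell
#!/bin/sh
# Added example, not from the thread or the Cygwin OpenSSH package.
# Audits the preconditions for key-based login: valid home directory,
# local identity present in authorized_keys, modes that StrictModes
# accepts, and an sshd_config that leaves key authentication enabled.
# Assumes standard OpenSSH option names; takes home dir and sshd_config
# path as arguments.

# Effective value of an sshd_config option: the first uncommented match
# wins, as in sshd; $3 is the default to report when the option is absent.
sshd_option() {
  _val=$(awk -v k="$2" 'tolower($1) == tolower(k) { print $2; exit }' "$1")
  printf '%s\n' "${_val:-$3}"
}

# True if the public key in $1 (e.g. id_rsa.pub) appears in $2
# (authorized_keys). Only key type and base64 blob are compared; the
# trailing comment is free text and is ignored.
key_authorized() {
  _want=$(awk 'NF >= 2 { print $1 " " $2; exit }' "$1")
  [ -n "$_want" ] || return 1
  awk -v want="$_want" \
      'NF >= 2 && ($1 " " $2) == want { found = 1 } END { exit !found }' "$2"
}

# True if $1 is group- or world-writable, which StrictModes rejects.
loosely_writable() {
  [ -n "$(find "$1" -prune \( -perm -020 -o -perm -002 \) 2>/dev/null)" ]
}

# Run every check for the user whose home is $1 against sshd_config $2;
# prints one FAIL line per problem and returns non-zero if any was found.
audit_pubkey_login() {
  _home=$1; _cfg=$2; _rc=0
  if [ ! -d "$_home" ]; then
    echo "FAIL: home directory '$_home' is not a directory"
    return 1
  fi
  _auth="$_home/.ssh/authorized_keys"
  if [ ! -f "$_auth" ]; then
    echo "FAIL: $_auth is missing"; _rc=1
  else
    _hit=0
    for _pub in "$_home/.ssh/id_rsa.pub" "$_home/.ssh/id_dsa.pub" \
                "$_home/.ssh/identity.pub"; do
      if [ -f "$_pub" ] && key_authorized "$_pub" "$_auth"; then _hit=1; fi
    done
    if [ "$_hit" -ne 1 ]; then
      echo "FAIL: no local identity is listed in $_auth"; _rc=1
    fi
    for _p in "$_home" "$_home/.ssh" "$_auth"; do
      if loosely_writable "$_p"; then
        echo "FAIL: $_p is group/world writable; StrictModes rejects it"; _rc=1
      fi
    done
  fi
  if [ "$(sshd_option "$_cfg" PubkeyAuthentication yes)" != yes ] &&
     [ "$(sshd_option "$_cfg" RSAAuthentication yes)" != yes ]; then
    echo "FAIL: key authentication is disabled in $_cfg"; _rc=1
  fi
  return $_rc
}

# Usage: sh audit_pubkey.sh "/home/Andrew DeFaria" /etc/sshd_config
if [ $# -eq 2 ]; then
  audit_pubkey_login "$1" "$2" && echo "OK: key-based login should work"
fi
```

Every path in the script is quoted, so a home directory with a space in it, the case that made ssh-user-config give up for Andrew, is accepted as a single argument. The option lookup mirrors sshd's own rule that the first uncommented occurrence of a keyword wins, which is why a stray `PubkeyAuthentication no` near the top of the file overrides a `yes` further down.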