Mail Archives: cygwin/2003/10/16/11:04:36
On Thu, 16 Oct 2003, Andrew DeFaria wrote:
> Corinna Vinschen wrote:
>
> > On Wed, Oct 15, 2003 at 04:51:58PM -0700, Andrew DeFaria wrote:
> >
> >> Sorry, I searched the list and did not get a definitive answer. What
> >> I'm trying to do is to secure things up a little bit around here. I
> >> would like to use ssh. But I also want to allow valid users to ssh
> >> <remote> <command> without being prompted for a password. I'm not
> >> sure this is doable.
> >>
> >> Reading from openssh-3.7.1p2-1.README I see
> >>
> >> Authentication to sshd is possible in one of two ways. You'll have to
> >> decide before starting sshd!
> >>
> >> - If you want to authenticate via RSA and you want to login to that
> >> machine to exactly one user account you can do so by running sshd
> >> under that user account. You must change /etc/sshd_config to contain
> >> the following:
> >>
> >> RSAAuthentication yes
> >>
> >> Moreover it's possible to use rhosts and/or rhosts with RSA
> >> authentication by setting the following in sshd_config:
> >>
> >> RhostsAuthentication yes
> >> RhostsRSAAuthentication yes
> >>
> >> Seems to me that the above says I can only use RSA Authentication IFF
> >> I only want to allow one username to be able to log in. Or
> >
> > You missed the part under "Important change since 2.9p2":
> >
> > "Since Cygwin is able to switch user context without password
> > beginning with version 1.3.2, OpenSSH now allows to do so when it's
> > running under a version >= 1.3.2. Keep in mind that `ntsec' has to be
> > activated to allow that feature."
>
> No I saw that part too however it just seemed more confusing to me.
>
> > This is a bit too brief, I admit. Actually, the account who may switch
> > user context without password needs "create a token object" privilege.
> > This is by default only the SYSTEM user. So, running sshd under SYSTEM
> > account gives you what you want.
>
> I currently have sshd running correctly as a service. I can log in as
> any user however right now I need to specify my password:
>
> $ ssh starbase id
> Andrew AT starbase's password:
> uid=1003(Andrew) gid=513(DeFaria)
> groups=513(DeFaria),544(Administrators),545(Users)
>
> Now from what I see I need to run ssh-user-config to generate the
> necessary keys for passwordless login:
>
> $ ssh-user-config
> /home/Andrew DeFaria
> /home/Andrew DeFaria is set in /etc/passwd as your home directory
> but it is not a valid directory. Cannot create user identity files.
>
> Ugh! Seems ssh-user-config doesn't support directories with spaces in
> them! (Would it be hard/impossible to support this?) Let me demonstrate
> my problem at work where I have a home directory without a space.
>
> $ ssh adefaria id
> adefaria AT adefaria's password:
> uid=1370(adefaria) gid=513(Domain Users)
> groups=1834(clearcase),512(Domain Admins),513(Domain Users),2637(Employees-US-Security),1170(Everybody),1331(Software),1866(Software-US-Security)
>
> Same situation. I can use ssh for any user but I must enter a password.
> Now for ssh-user-config:
>
> $ ssh-user-config
> Shall I create an SSH1 RSA identity file for you? (yes/no) yes
> Generating /us/adefaria/.ssh/identity
> Enter passphrase (empty for no passphrase):
> Enter same passphrase again:
> Do you want to use this identity to login to this machine? (yes/no) yes
> Adding to /us/adefaria/.ssh/authorized_keys
> Shall I create an SSH2 RSA identity file for you? (yes/no) (yes/no) yes
> Generating /us/adefaria/.ssh/id_rsa
> Enter passphrase (empty for no passphrase):
> Enter same passphrase again:
> Do you want to use this identity to login to this machine? (yes/no) yes
> Adding to /us/adefaria/.ssh/authorized_keys
> Shall I create an SSH2 DSA identity file for you? (yes/no) (yes/no) yes
> Generating /us/adefaria/.ssh/id_dsa
> Enter passphrase (empty for no passphrase):
> Enter same passphrase again:
> Do you want to use this identity to login to this machine? (yes/no) yes
> Adding to /us/adefaria/.ssh/authorized_keys
>
> Configuration finished. Have fun!
>
> $ ssh adefaria id
> adefaria AT adefaria's password:
> uid=1370(adefaria) gid=513(Domain Users)
> groups=1834(clearcase),512(Domain Admins),513(Domain Users),2637(Employees-US-Security),1170(Everybody),1331(Software),1866(Software-US-Security)
>
> As you can see ssh-user-config did not change the need to enter my
> password for ssh.
ssh -v (or -vvv) should tell you why the authorized_keys aren't accepted.
It's possible the permissions are too lax on them.
Igor
--
http://cs.nyu.edu/~pechtcha/
|\ _,,,---,,_ pechtcha AT cs DOT nyu DOT edu
ZZZzz /,`.-'`' -. ;-;;,_ igor AT watson DOT ibm DOT com
|,4- ) )-,_. ,\ ( `'-' Igor Pechtchanski, Ph.D.
'---''(_/--' `-'\_) fL a.k.a JaguaR-R-R-r-r-r-.-.-. Meow!
"I have since come to realize that being between your mentor and his route
to the bathroom is a major career booster." -- Patrick Naughton
--
Unsubscribe info: http://cygwin.com/ml/#unsubscribe-simple
Problem reports: http://cygwin.com/problems.html
Documentation: http://cygwin.com/docs.html
FAQ: http://cygwin.com/faq/