Mail Archives: cygwin/2003/10/16/14:42:15
Are you entering a passphrase when you generate your keys? If so, try with
no passphrase.
Rob.
----- Original Message -----
From: "Andrew DeFaria" <Andrew AT DeFaria DOT com>
To: <cygwin AT cygwin DOT com>
Sent: Thursday, October 16, 2003 10:55 AM
Subject: Re: Passwordless login with ssh
> Corinna Vinschen wrote:
>
> > On Wed, Oct 15, 2003 at 04:51:58PM -0700, Andrew DeFaria wrote:
> >
> >> Sorry, I searched the list and did not get a definitive answer. What
> >> I'm trying to do is to secure things up a little bit around here. I
> >> would like to use ssh. But I also want to allow valid users to ssh
> >> <remote> <command> without being prompted for a password. I'm not
> >> sure this is doable.
> >>
> >> Reading from openssh-3.7.1p2-1.README I see
> >>
> >> Authentication to sshd is possible in one of two ways. You'll have to
> >> decide before starting sshd!
> >>
> >> - If you want to authenticate via RSA and you want to login to that
> >> machine to exactly one user account you can do so by running sshd
> >> under that user account. You must change /etc/sshd_config to contain
> >> the following:
> >>
> >> RSAAuthentication yes
> >>
> >> Moreover it's possible to use rhosts and/or rhosts with RSA
> >> authentication by setting the following in sshd_config:
> >>
> >> RhostsAuthentication yes
> >> RhostsRSAAuthentication yes
> >>
> >> Seems to me that the above says I can only use RSA Authentication IFF
> >> I only want to allow one username to be able to login. Or
> >
> > You missed the part under "Important change since 2.9p2":
> >
> > "Since Cygwin is able to switch user context without password
> > beginning with version 1.3.2, OpenSSH now allows to do so when it's
> > running under a version >= 1.3.2. Keep in mind that `ntsec' has to be
> > activated to allow that feature."
>
> No I saw that part too however it just seemed more confusing to me.
>
> > This is a bit too brief, I admit. Actually, the account who may switch
> > user context without password needs "create a token object" privilege.
> > This is by default only the SYSTEM user. So, running sshd under SYSTEM
> > account gives you what you want.
>
> I currently have sshd running correctly as a service. I can log in as
> any user however right now I need to specify my password:
>
> $ ssh starbase id
> Andrew AT starbase's password:
> uid=1003(Andrew) gid=513(DeFaria)
> groups=513(DeFaria),544(Administrators),545(Users)
>
> Now from what I see I need to run ssh-user-config to generate the
> necessary keys for passwordless login:
>
> $ ssh-user-config
> /home/Andrew DeFaria
> /home/Andrew DeFaria is set in /etc/passwd as your home directory
> but it is not a valid directory. Cannot create user identity files.
>
> Ugh! Seems ssh-user-config doesn't support directories with spaces in
> them! (Would it be hard/impossible to support this?) Let me demonstrate
> my problem at work where I have a home directory without a space.
>
> $ ssh adefaria id
> adefaria AT adefaria's password:
> uid=1370(adefaria) gid=513(Domain Users)
> groups=1834(clearcase),512(Domain Admins),513(Domain Users),2637(Employees-US-Security),1170(Everybody),1331(Software),1866(Software-US-Security)
>
> Same situation. I can use ssh for any user but I must enter a password.
> Now for ssh-user-config:
>
> $ ssh-user-config
> Shall I create an SSH1 RSA identity file for you? (yes/no) yes
> Generating /us/adefaria/.ssh/identity
> Enter passphrase (empty for no passphrase):
> Enter same passphrase again:
> Do you want to use this identity to login to this machine? (yes/no) yes
> Adding to /us/adefaria/.ssh/authorized_keys
> Shall I create an SSH2 RSA identity file for you? (yes/no) (yes/no) yes
> Generating /us/adefaria/.ssh/id_rsa
> Enter passphrase (empty for no passphrase):
> Enter same passphrase again:
> Do you want to use this identity to login to this machine? (yes/no) yes
> Adding to /us/adefaria/.ssh/authorized_keys
> Shall I create an SSH2 DSA identity file for you? (yes/no) (yes/no) yes
> Generating /us/adefaria/.ssh/id_dsa
> Enter passphrase (empty for no passphrase):
> Enter same passphrase again:
> Do you want to use this identity to login to this machine? (yes/no) yes
> Adding to /us/adefaria/.ssh/authorized_keys
>
> Configuration finished. Have fun!
>
> $ ssh adefaria id
> adefaria AT adefaria's password:
> uid=1370(adefaria) gid=513(Domain Users)
> groups=1834(clearcase),512(Domain Admins),513(Domain Users),2637(Employees-US-Security),1170(Everybody),1331(Software),1866(Software-US-Security)
>
> As you can see ssh-user-config did not change the need to enter my
> password for ssh.
>
> > Except on 2003 Server. There you'll have to create a new account (say
> > "sshd_srv", *not* "sshd") which is part of the admins group and has
> > the appropriate extra privileges
> >
> > "Create a token object"
> > "Replace process level token"
> > "Increase quotas"
> > "Logon as a service"
> >
> >> The system account does of course own that user rights by default.
> >>
> >> Unfortunately, if you choose that way, you can only logon with NT
> >> password authentification and you should change /etc/sshd_config to
> >> contain the following:
> >
> > Yeah, should be rewritten.
> >
> >> RhostsAuthentication no
> >
> > Ugh. Rhosts authentication is dropped entirely since 3.7p1.
> >
> > Corinna
>
>
>
> --
> Unsubscribe info: http://cygwin.com/ml/#unsubscribe-simple
> Problem reports: http://cygwin.com/problems.html
> Documentation: http://cygwin.com/docs.html
> FAQ: http://cygwin.com/faq/
>
>
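Added example (not part of the original messages and not Cygwin's ssh-user-config): a POSIX shell check of the server-side files that public-key login depends on, for the symptom shown in the thread where ssh still asks for a password after the keys were generated. It assumes sshd's default `StrictModes yes` and the default `~/.ssh/authorized_keys` location; the function names are hypothetical, and every path is quoted so a home directory containing a space is handled.

```shell
#!/bin/sh
# Added example: audit the files sshd reads for public-key authentication.
# check_pubkey_setup HOME_DIR prints findings and returns the problem count.

# True if the path is writable by group or others; with StrictModes enabled
# sshd ignores authorized_keys when the home directory, ~/.ssh or the file
# itself is that permissive.
loose_perms() {
    [ -n "$(find "$1" -prune \( -perm -020 -o -perm -002 \) 2>/dev/null)" ]
}

# Key material of a public key line: the longest field. Heuristic that covers
# both "type blob comment" (SSH2) and "bits exponent modulus comment" (SSH1).
key_material() {
    awk '{ m = ""; for (i = 1; i <= NF; i++) if (length($i) > length(m)) m = $i
           print m; exit }' "$1"
}

check_pubkey_setup() {
    home=$1
    sshdir=$home/.ssh
    auth=$sshdir/authorized_keys
    problems=0
    if [ ! -d "$home" ]; then
        echo "FAIL: home directory '$home' is not a valid directory"
        return 1
    fi
    for p in "$home" "$sshdir" "$auth"; do
        if [ ! -e "$p" ]; then
            echo "FAIL: missing '$p'"; problems=$((problems + 1))
        elif loose_perms "$p"; then
            echo "FAIL: '$p' is group/world writable"; problems=$((problems + 1))
        fi
    done
    # Each generated public key should be present in authorized_keys.
    for pub in "$sshdir"/*.pub; do
        [ -e "$pub" ] || continue
        blob=$(key_material "$pub")
        if [ -f "$auth" ] && grep -qF -- "$blob" "$auth"; then
            echo "ok:   '$pub' is listed in authorized_keys"
        else
            echo "FAIL: '$pub' is not in '$auth'"; problems=$((problems + 1))
        fi
    done
    return "$problems"
}
```

Run `check_pubkey_setup "$HOME"` as the target account on the server; on the client, `ssh -v host id` shows which authentication methods were offered and which one succeeded.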