Mail Archives: cygwin/2004/04/28/03:50:48

Mailing-List: contact cygwin-help AT cygwin DOT com; run by ezmlm
List-Subscribe: <mailto:cygwin-subscribe AT cygwin DOT com>
List-Archive: <http://sources.redhat.com/ml/cygwin/>
List-Post: <mailto:cygwin AT cygwin DOT com>
List-Help: <mailto:cygwin-help AT cygwin DOT com>, <http://sources.redhat.com/ml/#faqs>
Sender: cygwin-owner AT cygwin DOT com
Mail-Followup-To: cygwin AT cygwin DOT com
Delivered-To: mailing list cygwin AT cygwin DOT com
From: Greg Rudd <G DOT Rudd AT isu DOT usyd DOT edu DOT au>
Organization: University Of Sydney ITS
To: Cygwin List <cygwin AT cygwin DOT com>, Larry Hall <cygwin-lh AT cygwin DOT com>
Subject: Re: SUMMARY sort of: OpenSSH public key authentication woes
Date: Wed, 28 Apr 2004 17:48:24 +1000
User-Agent: KMail/1.5.2
References: <BAY10-F37DeOCLkWzq70000556e AT hotmail DOT com> <Pine DOT GSO DOT 4 DOT 56 DOT 0404271119550 DOT 3335 AT slinky DOT cs DOT nyu DOT edu> <6 DOT 1 DOT 0 DOT 6 DOT 0 DOT 20040427112959 DOT 03765348 AT 127 DOT 0 DOT 0 DOT 1>
In-Reply-To: <6.1.0.6.0.20040427112959.03765348@127.0.0.1>
Cc: esu-staff AT mail DOT usyd DOT edu DOT au
MIME-Version: 1.0
Message-Id: <200404281748.24002.G.Rudd@isu.usyd.edu.au>
X-IsSubscribed: yes

On Wed, 28 Apr 2004 01:33 am, Larry Hall wrote:
> At 11:21 AM 4/27/2004, you wrote:
> >On Tue, 27 Apr 2004, Greg Rudd wrote:
> >> On Tue, 27 Apr 2004 02:12 am, Karl M wrote:
> >> > Hi Greg...
> >> >
> >> > Try setting your authorized_keys to 644 for now. If that doesn't work,
> >> > take a look at the problem reporting section on the Cygwin web page.
> >> > This list would need more information to help further.
> >>
> >> Doing the above does allow a local user to public key authenticate :-)
> >> but when I try to do the same thing with a domain user public key still
> >> fails but what is interesting is when I try to set the ACLs for the
> >> .ssh directory to be the same as the local user's, the setfacl command
> >> fails with an error message: setfacl function not implemented.  I notice
> >> that this message comes up when the ssh-user-config command is run for
> >> the first time.
> >>
> >> Is this error message occurring because the domain user's home directory
> >> is mapped to a UNC (which in this case is //machine/grudd) instead of a
> >> path name in the form of "/home/grudd"?
> >
> >Most likely.  Add "smbntsec" to your CYGWIN environment variable.  Also,
> >you can hide the fact that it's on a remote machine by using "mount -s
> >//machine/grudd /home/grudd".
> >HTH,
> >    Igor
>
Thanks Igor, works like a charm.

> But (anticipating the next question) the domain user won't be able to see
> your share through ssh and pubkey authentication unless it doesn't require
> Windows authentication to access it (i.e. it's accessible by "Everyone").
>
Hi Larry,

Correct me if I am wrong, but what you are in fact saying is that a domain user
(who, when using password authentication, is authenticating against a
PDC/Active Directory Server) whose home directory is mapped to a UNC won't
be able to use publickey without making their home directory open to all
(this is a bad thing). So the way forward here would be to define the user as a
local user to the machine and have their home directory mapped to the UNC.

Also, it is interesting to look at the debug messages from the sshd: when the
local user logs in using publickey, the public key is read without any problem,
but the debug messages from the ssh daemon when the domain user logs in
recognize the existence of the key but refuse to accept it.

-greg
