Mailing-List: contact cygwin-help AT cygwin DOT com; run by ezmlm
List-Id: <cygwin.cygwin.com>
List-Subscribe: <mailto:cygwin-subscribe AT cygwin DOT com>
List-Archive: <http://sourceware.org/ml/cygwin/>
List-Post: <mailto:cygwin AT cygwin DOT com>
List-Help: <mailto:cygwin-help AT cygwin DOT com>, <http://sourceware.org/ml/#faqs>
Sender: cygwin-owner AT cygwin DOT com
Mail-Followup-To: cygwin AT cygwin DOT com
Delivered-To: mailing list cygwin AT cygwin DOT com
Message-id: <527A5EE5.2070206@cygwin.com>
Date: Wed, 06 Nov 2013 10:23:17 -0500
From: "Larry Hall (Cygwin)" <reply-to-list-only-lh AT cygwin DOT com>
Reply-to: cygwin AT cygwin DOT com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:24.0) Gecko/20100101 Thunderbird/24.1.0
MIME-version: 1.0
To: cygwin AT cygwin DOT com
Subject: Re: Windows Guest Account Locked SSH
References: <3B5A3AEF8D16D1489ECFF9EB07DA0B99976FA34A AT CBPDEXCHAS01 DOT gmpnt DOT rootdom DOT gmp DOT police DOT cjx DOT gov DOT uk> <3B5A3AEF8D16D1489ECFF9EB07DA0B99976FA3B2 AT CBPDEXCHAS01 DOT gmpnt DOT rootdom DOT gmp DOT police DOT cjx DOT gov DOT uk> <3B5A3AEF8D16D1489ECFF9EB07DA0B99976FA3D4 AT CBPDEXCHAS01 DOT gmpnt DOT rootdom DOT gmp DOT police DOT cjx DOT gov DOT uk> <3B5A3AEF8D16D1489ECFF9EB07DA0B99976FA3EB AT CBPDEXCHAS01 DOT gmpnt DOT rootdom DOT gmp DOT police DOT cjx DOT gov DOT uk>
In-reply-to: <3B5A3AEF8D16D1489ECFF9EB07DA0B99976FA3EB@CBPDEXCHAS01.gmpnt.rootdom.gmp.police.cjx.gov.uk>

On 11/6/2013 5:26 AM, Jez DOT Noake AT gmp DOT police DOT uk wrote:
> I have a similar problem to this post:
> http://cygwin.com/ml/cygwin/2012-06/msg00507.html
>
> except that the version I am using is 1.7.25, downloaded relatively recently.
>
> It seems that making an ssh connection to the CygWin host, using RSA
> certificate to achieve passwordless connection, causes the SSHD service on
> the host to perform an authentication using the account that the service is
> hosted with ... but that it apparently does not qualify the account with a
> domain (ie. the local machine) and apparently the assumption is that it
> should be a DOMAIN account - there was no DOMAIN\CYG_SERVER account so it
> fails and I assume it then tries DOMAIN\Guest as a fall-back, with the wrong
> password and therefore locks out DOMAIN\Guest
>
> So I created a DOMAIN\CYG_SERVER account with the same password as
> <LOCALDOMAIN>\CYG_SERVER and presto!, SSH connections from my client with no
> domain guest lockout.
>
> I have googled to infinity and beyond and found only a few references to
> this problem, and none of them suggest this or any other solution, merely
> that you can try this and that (one relating to duplicated SID's - not the
> reason)

<snip>

> Can anyone specify a better solution than creating a matching domain account?
>
> I can't help thinking that I have missed some configuration item that
> would deal with this directly.

No, this is exactly the way to do it. ssh-host-config cannot create a
privileged domain account when run as any user from any machine so it
doesn't try to. If you need a domain user to be able to authenticate with
pubkey, you have to do what you did to make that work. The side effect of
locking the domain guest account is a new twist I hadn't heard of before
but then again, it is Windows we're talking about. ;-)

--
Larry

_____________________________________________________________________

A: Yes.
> Q: Are you sure?
>> A: Because it reverses the logical flow of conversation.
>>> Q: Why is top posting annoying in email?

--
Problem reports: http://cygwin.com/problems.html
FAQ: http://cygwin.com/faq/
Documentation: http://cygwin.com/docs.html
Unsubscribe info: http://cygwin.com/ml/#unsubscribe-simple
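
To confirm that Guest lockouts come from the sshd host as described in the thread, one check is to correlate lockout events with failed logons for the service account name. This is an added example, not part of the original messages; the record layout is a simplified, constructed stand-in for centrally collected Windows Security events (4625 failed logon, 4740 lockout), and the host names are hypothetical.

```python
from datetime import datetime, timedelta

# Constructed sample records (not real logs). Fields are simplified from
# Security events 4625 (failed logon) and 4740 (account locked out).
# CYGHOST01, DESKTOP07, KIOSK03 and "alice" are hypothetical names.
EVENTS = [
    {"time": "2013-11-06T09:00:01", "id": 4625, "user": "CYG_SERVER", "host": "CYGHOST01"},
    {"time": "2013-11-06T09:00:01", "id": 4625, "user": "Guest", "host": "CYGHOST01"},
    {"time": "2013-11-06T09:00:02", "id": 4740, "user": "Guest", "host": "CYGHOST01"},
    {"time": "2013-11-06T09:30:00", "id": 4625, "user": "alice", "host": "DESKTOP07"},
    {"time": "2013-11-06T10:15:00", "id": 4740, "user": "Guest", "host": "KIOSK03"},
]


def guest_lockouts_by_service(events, service_account="CYG_SERVER", window_s=5):
    """Return (host, lockout_time) for each Guest lockout that was preceded,
    within window_s seconds and from the same host, by a failed logon for
    the sshd service account name."""
    window = timedelta(seconds=window_s)
    parsed = sorted(
        ({**e, "time": datetime.fromisoformat(e["time"])} for e in events),
        key=lambda e: e["time"],
    )
    hits = []
    for ev in parsed:
        if ev["id"] != 4740 or ev["user"].lower() != "guest":
            continue
        for prior in parsed:
            same_source = prior["host"].lower() == ev["host"].lower()
            is_service_failure = (
                prior["id"] == 4625
                and prior["user"].lower() == service_account.lower()
            )
            in_window = timedelta(0) <= ev["time"] - prior["time"] <= window
            if same_source and is_service_failure and in_window:
                hits.append((ev["host"], ev["time"].isoformat()))
                break
    return hits


if __name__ == "__main__":
    for host, when in guest_lockouts_by_service(EVENTS):
        print(f"Guest lockout at {when} follows CYG_SERVER failure on {host}")
```

A Guest lockout with no matching service-account failure, like the KIOSK03 record, is left out and needs a separate explanation.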