| List-Id: | <cygwin.cygwin.com> |
| List-Subscribe: | <mailto:cygwin-subscribe AT cygwin DOT com> |
| List-Archive: | <http://sourceware.org/ml/cygwin/> |
| Date: | Wed, 25 Jun 2014 20:25:51 +0200 |
| From: | Corinna Vinschen <corinna-cygwin AT cygwin DOT com> |
| To: | cygwin AT cygwin DOT com |
| Subject: | Re: LDAP integration and sshd |
| Message-ID: | <20140625182551.GS1803@calimero.vinschen.de> |
| Reply-To: | cygwin AT cygwin DOT com |
| Mail-Followup-To: | cygwin AT cygwin DOT com |
| References: | <loom DOT 20140625T141552-513 AT post DOT gmane DOT org> <20140625130727 DOT GQ1803 AT calimero DOT vinschen DOT de> <87simsrhhi DOT fsf AT Rainer DOT invalid> |
| MIME-Version: | 1.0 |
| In-Reply-To: | <87simsrhhi.fsf@Rainer.invalid> |
| User-Agent: | Mutt/1.5.23 (2014-03-12) |
On Jun 25 20:06, Achim Gratz wrote:
> Corinna Vinschen writes:
> > You read my preliminary doc, I hope? I attached it again, for
> > completeness. But, here's what happens:
>
> I guess I read it at one time, but not specifically today. :-)
>
> > If you're in a domain, and the sshd user account is local, the local
> > sshd account will be prefixed with the local machine name, like this:
> >
> > MACHINE+sshd
> >
> > OpenSSH's sshd looks for an account called "sshd", so in the above
> > scenario, it will fail to find sshd. There are three workarounds:
>
> The fourth:
>
> mkpasswd -l | awk '/sshd:/{gsub("^[^+]*\\+", "");print;}' >> /etc/passwd
I was specifically talking about workarounds *not* involving generating
an /etc/passwd entry.
> > - Switch off privilege separation in /etc/sshd_config.
>
> Not going to do that if I can help it.
Doesn't work as intended anyway due to the lack of descriptor passing in
Cygwin. I never use it if I can help it.
> > - Create an unprivileged "sshd" user in your primary domain. Since
> > this account is unprefixed by default, sshd will find the user
> > account and happily use it.
>
> That might actually be the best idea since the account doesn't need any
> privileges at all. I'll have to ask our domain admins.
It's a good thing in the long run since you never have to care for
the sshd account for all machines in the same domain.
> > - Build your own OpenSSH package with the following patch applied:
>
> With the workarounds available, I'm not trying.
>
> > I have not the faintest idea how to get Kerberos auth working with
> > OpenSSH, sorry. The problem in case of using the AD stuff might be
> > related to the username prefixing. Kerberos probably doesn't understand
> > the prefix separator char (the '+' sign by default).
>
> At the moment the problem seems to be that some part of the necessary
> config is missing. I'm getting into the right realm, but then things
> fall apart.
>
> >> Putting the public keys elsewhere would also work,
> >> but it isn't clear to me how to configure that.
>
> N.B.: This can be done in /etc/sshd_config with an absolute path and
> judicious use of the %u token. Doesn't help though, since after logging
> in via public key the user doesn't have an LDAP ticket and is thus
> unable to have the home share mounted. This appeared to work during the
> initial test since the server still had a ticket cached from a previous
> RDP session.
This is what method 3 is for, as described in the below link.
> > Does it work better with the passwd -R method?
> >
> > https://cygwin.com/cygwin-ug-net/ntsec.html#ntsec-nopasswd3
>
> I didn't get it to work yet. I suppose that I need to somehow pass
> "CYGWIN=ntsec" environment via cygrunserv?
Huh? How long have you been using Cygwin again? The ntsec option went away
with Cygwin 1.7 ages ago. That's what the user's guide is for...
https://cygwin.com/cygwin-ug-net/using-cygwinenv.html#cygwinenv-removed-options
Just run cygserver and every user can do it, otherwise enter the
password for the user with `passwd -R <username>' as admin.
> My initial config had CYGWIN
> empty, which probably means I'll have to re-install the service.
No.
> BTW,
> I've managed to go through some SID until I've had a working config, is
> there any way to reset this counter when deleting a user?
No.
> Do I read this correctly that the password itself gets stored and not an
> NTLM(v2) hash?
No.
Corinna
-- 
Corinna Vinschen                  Please, send mails regarding Cygwin to
Cygwin Maintainer                 cygwin AT cygwin DOT com
Red Hat
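The prefix-stripping one-liner from the thread, rebuilt as an added example (not code from the thread, from Cygwin, or from OpenSSH) that also refuses to emit a second "sshd:" line when an unprefixed account already exists, as in the domain-account workaround. It assumes a constructed `mkpasswd -l` output with the hypothetical machine name MACHINE and made-up uids, gids and SIDs, and the default '+' prefix separator.

```shell
#!/bin/sh
# Constructed sample of `mkpasswd -l` output on a domain-joined machine.
# MACHINE, the uids/gids and the SIDs are invented for this demo.
SAMPLE_PASSWD='Administrator:unused:500:513:U-MACHINE Administrator,S-1-5-21-1-2-3-500:/home/Administrator:/bin/bash
MACHINE+sshd:unused:1001:513:sshd privsep,S-1-5-21-1-2-3-1001:/var/empty:/bin/false
MACHINE+alice:unused:1002:513:Alice,S-1-5-21-1-2-3-1002:/home/alice:/bin/bash'

# unprefix_sshd_entry  < passwd-lines
# Prints the "<machine>+sshd" entry with the machine prefix removed from
# the user name only; uid, gid, SID, home and shell stay as they were.
# Prints nothing if the input already carries an unprefixed "sshd" user
# (the domain-account case), so sshd never ends up with two candidates.
unprefix_sshd_entry() {
    awk -F: -v OFS=: '
        $1 == "sshd"          { found_plain = 1; next }
        $1 ~ /^[^+]+\+sshd$/  { sub(/^[^+]+\+/, "", $1); entry = $0 }
        END { if (entry != "" && !found_plain) print entry }
    '
}

# entry_to_append PASSWD_FILE  < passwd-lines
# Same as above, but also stays silent when PASSWD_FILE already has an
# "sshd:" line, so re-running the install step cannot create duplicates.
# Intended use: mkpasswd -l | entry_to_append /etc/passwd >> /etc/passwd
entry_to_append() {
    passwd_file="$1"
    if grep -q '^sshd:' "$passwd_file" 2>/dev/null; then
        return 0
    fi
    unprefix_sshd_entry
}

# Demo run on the constructed sample (does not touch /etc/passwd).
printf '%s\n' "$SAMPLE_PASSWD" | unprefix_sshd_entry
```

Review the single emitted line before appending it to /etc/passwd; the function only rewrites the user-name field, so a wrong uid or home directory in the source entry is carried over unchanged.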