Mail Archives: cygwin/2015/07/21/16:50:28

X-Recipient: archive-cygwin AT delorie DOT com
DomainKey-Signature: a=rsa-sha1; c=nofws; d=sourceware.org; h=list-id
:list-unsubscribe:list-subscribe:list-archive:list-post
:list-help:sender:date:from:reply-to:message-id:to:subject
:in-reply-to:references:mime-version:content-type
:content-transfer-encoding; q=dns; s=default; b=OLdH3N5P+SQxkbYO
HXcc5lU3GcBl2P7fQM14IxpYePjIA2UfqpVnuls4TquufIkcISb9gXTc8bVZePbS
W0so3JIXgU05cGWWCzEsdePSx8diO5mk9lQnjsMhJXMK4frHwMool+xkUBGwlFvX
23MNwD5q956CC62xocoa8XnHVmk=
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed; d=sourceware.org; h=list-id
:list-unsubscribe:list-subscribe:list-archive:list-post
:list-help:sender:date:from:reply-to:message-id:to:subject
:in-reply-to:references:mime-version:content-type
:content-transfer-encoding; s=default; bh=s8a1Gqf2SC31EiNunG5KOt
SRd0w=; b=c58J1+oCez0n3Rssthxzc/iIBKnM7KMzIKim17KY/8JujhcdfE6upc
ZRG3tBP2ZvD3D1rN/5kik5k2UiXNe9r2xbidjk05xlgyu9t/IFl7bFVKR4qx0kDX
ggrHzaUmTZjtM5uVKyrsvfI0GM/9VygCOZAnp9KtXeAVTrWgyoLsA=
Mailing-List: contact cygwin-help AT cygwin DOT com; run by ezmlm
List-Id: <cygwin.cygwin.com>
List-Subscribe: <mailto:cygwin-subscribe AT cygwin DOT com>
List-Archive: <http://sourceware.org/ml/cygwin/>
List-Post: <mailto:cygwin AT cygwin DOT com>
List-Help: <mailto:cygwin-help AT cygwin DOT com>, <http://sourceware.org/ml/#faqs>
Sender: cygwin-owner AT cygwin DOT com
Mail-Followup-To: cygwin AT cygwin DOT com
Delivered-To: mailing list cygwin AT cygwin DOT com
Authentication-Results: sourceware.org; auth=none
X-Virus-Found: No
X-Spam-SWARE-Status: No, score=4.6 required=5.0 tests=AWL,BAYES_50,FREEMAIL_FROM,KAM_THEBAT,SPF_SOFTFAIL autolearn=no version=3.3.2
X-HELO: smtp.ht-systems.ru
Date: Tue, 21 Jul 2015 23:36:55 +0300
From: Andrey Repin <anrdaemon AT yandex DOT ru>
Reply-To: cygwin AT cygwin DOT com
Message-ID: <981419184.20150721233655@yandex.ru>
To: Jarek <yaro_29 AT hotmail DOT com>, cygwin AT cygwin DOT com
Subject: Re: Cygwin ssh and Windows authentication
In-Reply-To: <BLU436-SMTP238C37DE9A243EA7E7F794F9E840@phx.gbl>
References: <BLU436-SMTP39AE7DD48809E802CE4DAE9E860 AT phx DOT gbl> <1301881165 DOT 20150720013859 AT yandex DOT ru> <BLU436-SMTP217DCBDBFA0EED5BC1ACFFB9E850 AT phx DOT gbl> <1399485278 DOT 20150721032532 AT yandex DOT ru> <BLU436-SMTP238C37DE9A243EA7E7F794F9E840 AT phx DOT gbl>
MIME-Version: 1.0
X-IsSubscribed: yes

Greetings, Jarek!

>>> So why are they not needed as your comment doesn't really explain that
>> Read 1.7.35 changelog.
>> In short, username resolution was completely reworked, thanks to Corinna, and
>> Cygwin now directly addresses domain controllers for it.
> OK so it addresses DCs to check some settings or privileges. I don't
> suppose it just asks 'hey DS, can contoso\johnd access sshd on server1?'

Indirectly, that can be done, i.e., by including a user in the "SSH" group and
allowing only the "DOMAIN+SSH" group to authorize on the server.

> to which the DC is like 'dude, what the heck is sshd?' :)

This is not that simple. The actual authentication is done by SSH itself in
this case. Same as on *NIX. For THIS (or, more precisely, to craft the auth token
which IS THE "user" in terms of OS access control) it needs certain privileges.
The details are in the documentation I linked earlier, in the next question about
using public keys with SSH.

> I now have the cygwin service running in domain context so now I would
> somehow need to let the DC know who is allowed to ssh to my server1.

By default, everyone will be allowed, and they will have only what rights they
have, as the actual access control is done by OS itself, once the user is
authenticated.

> My domain account, although in local admins on the server is now failing
> authentication when trying to ssh. Which gets us back to the question what
> do I need for a DC to authenticate me?

Nothing more than what is stated in the FAQ entry.
I suggest starting from a new Cygwin install (stop and remove installed Cygwin
services and rename your existing installation out of the way) and recheck the
results.
Verbose logging from both client and server may give some insight, too.

>>> and how exactly did I screw up my setup if I can actually access the
>>> server with a domain user account no problem?
>> On that, I'm surprised.

> Maybe a bug then?

Depends what exactly the state was. But I'm not concerned.
There are so few narrow use cases left for having passwd/group files around
that it is better to just get rid of them.
Because:

>> /etc/passwd/group has nothing to do with "access control".
>> The files were only used to convert Windows to Cygwin names (and supply other
>> Cygwin-specific information), on the presumption that there will never be too
>> much of it. This is now done on the fly, allowing Cygwin to be deployed in large
>> domains.


-- 
With best regards,
Andrey Repin
Tuesday, July 21, 2015 23:27:07

Sorry for my terrible English...


--
Problem reports:       http://cygwin.com/problems.html
FAQ:                   http://cygwin.com/faq/
Documentation:         http://cygwin.com/docs.html
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple
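The restriction Andrey describes above (let everyone authenticate, but only admit members of a domain "SSH" group) is expressed in sshd_config with an `AllowGroups` directive. The following is an added example, not code from the thread or from Cygwin: a small POSIX shell check that reads an sshd_config text and reports whether logins are open to every authenticated user or restricted to a named group. The two config fragments are constructed inline for the example; on a real Cygwin host you would feed it `/etc/sshd_config` instead. The Cygwin-style group name `DOMAIN+SSH` is taken from the message; `DOMAIN` stands in for whatever your domain's short name is.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread): check whether an sshd_config
# limits logins to a Cygwin domain group such as "DOMAIN+SSH".
# The config texts below are constructed for the example; a real check would
# read /etc/sshd_config (Cygwin's default location) instead.

# Constructed sample: no restriction, so every user who authenticates may log in
# and only the OS access control limits what they can do afterwards.
CONFIG_OPEN='Port 22
PasswordAuthentication yes
Subsystem sftp /usr/sbin/sftp-server'

# Constructed sample: the same config limited to members of the domain "SSH" group.
CONFIG_RESTRICTED='Port 22
PasswordAuthentication yes
AllowGroups DOMAIN+SSH
Subsystem sftp /usr/sbin/sftp-server'

# Print the group list from the first AllowGroups directive. sshd keywords are
# case-insensitive and the first occurrence of a keyword wins, so we stop at the
# first match. Prints nothing when the directive is absent or commented out.
allow_groups_of() {
    printf '%s\n' "$1" |
        awk 'tolower($1) == "allowgroups" { $1 = ""; sub(/^ /, ""); print; exit }'
}

# Exit 0 if the config's AllowGroups list names the given group, 1 otherwise.
group_is_allowed() {
    _cfg=$1
    _grp=$2
    for g in $(allow_groups_of "$_cfg"); do
        [ "$g" = "$_grp" ] && return 0
    done
    return 1
}

# Classify a config: "open" when no AllowGroups directive is present,
# "restricted" when logins are limited to the listed groups.
login_policy() {
    if [ -z "$(allow_groups_of "$1")" ]; then
        echo open
    else
        echo restricted
    fi
}

# Usage: compare the two constructed configs.
echo "open config:       $(login_policy "$CONFIG_OPEN")"
echo "restricted config: $(login_policy "$CONFIG_RESTRICTED")"
group_is_allowed "$CONFIG_RESTRICTED" 'DOMAIN+SSH' && echo "DOMAIN+SSH may log in"
```

Note that `AllowGroups` matches against the group names sshd sees after Cygwin's name resolution, which for a domain group is the `DOMAIN+group` form shown in the thread, so the directive has to use that spelling rather than the bare Windows group name.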