Mail Archives: cygwin/2015/08/02/08:48:12

delorie.com/archives/browse.cgi

search

Mail Archives: cygwin/2015/08/02/08:48:12

X-Recipient: archive-cygwin AT delorie DOT com

DomainKey-Signature: a=rsa-sha1; c=nofws; d=sourceware.org; h=list-id

:list-unsubscribe:list-subscribe:list-archive:list-post

:list-help:sender:message-id:subject:to:references:from:date

:mime-version:in-reply-to:content-type

:content-transfer-encoding; q=dns; s=default; b=HiWxhkzLrDvIECAE

HMD8nP36r0BbbmQGHDmkCSg7h2uVwuU0c+IT7/t1bqt1ise4MRgKa/3WbF9zVOVT

ElEHdlUK6PD1C6tIUEjWao85LtjbqqldmyBLvvuvAR9Xu4Bl//Ni/WOeDvRte/eE

VaCVlVBs6b8ssX8TnXAFK6WC5Es=

DKIM-Signature: v=1; a=rsa-sha1; c=relaxed; d=sourceware.org; h=list-id

:list-unsubscribe:list-subscribe:list-archive:list-post

:list-help:sender:message-id:subject:to:references:from:date

:mime-version:in-reply-to:content-type

:content-transfer-encoding; s=default; bh=OR//s5KoC+P+DhvTGKZ1wx

8r6mY=; b=qhF+jit9lvVHsIbM6s++6/vu0K2D7k1IkgJvZ4IF++g2XSkdvcpVQK

SCUbpfgFfIU8C4tCIwH5zI9fduoxxRem3T+n3qJVKPC6HGoRL/gcbMz4u8UtfR/e

xa1EmjdIrIFPkiREF5yRzuJgAmixTjTHCzALRSO4RLY0ThFMd9C4U=

Mailing-List: contact cygwin-help AT cygwin DOT com; run by ezmlm

List-Id: <cygwin.cygwin.com>

List-Subscribe: <mailto:cygwin-subscribe AT cygwin DOT com>

List-Archive: <http://sourceware.org/ml/cygwin/>

List-Post: <mailto:cygwin AT cygwin DOT com>

List-Help: <mailto:cygwin-help AT cygwin DOT com>, <http://sourceware.org/ml/#faqs>

Sender: cygwin-owner AT cygwin DOT com

Mail-Followup-To: cygwin AT cygwin DOT com

Delivered-To: mailing list cygwin AT cygwin DOT com

Authentication-Results: sourceware.org; auth=none

X-Virus-Found: No

X-Spam-SWARE-Status: No, score=-1.3 required=5.0 tests=AWL,BAYES_40,FREEMAIL_ENVFROM_END_DIGIT,FREEMAIL_FROM,RCVD_IN_DNSWL_LOW,RP_MATCHES_RCVD,SPF_PASS autolearn=ham version=3.3.2

X-HELO: BLU004-OMC1S8.hotmail.com

X-TMN: [g3nRyBhvduq0rlcbkgHozrIMeq8di1B1]

Message-ID: <BLU437-SMTP107B589877FA78E898063279E880@phx.gbl>

Subject: Re: Cygwin ssh and Windows authentication

To: cygwin AT cygwin DOT com

References: <BLU436-SMTP39AE7DD48809E802CE4DAE9E860 AT phx DOT gbl> <1301881165 DOT 20150720013859 AT yandex DOT ru> <BLU436-SMTP217DCBDBFA0EED5BC1ACFFB9E850 AT phx DOT gbl> <1399485278 DOT 20150721032532 AT yandex DOT ru> <BLU436-SMTP238C37DE9A243EA7E7F794F9E840 AT phx DOT gbl> <981419184 DOT 20150721233655 AT yandex DOT ru> <BLU436-SMTP147434267174B49E8813BD49E830 AT phx DOT gbl> <341710545 DOT 20150723004627 AT yandex DOT ru>

From: Jarek <yaro_29 AT hotmail DOT com>

Date: Sun, 2 Aug 2015 14:47:50 +0200

User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:38.0) Gecko/20100101 Thunderbird/38.1.0

MIME-Version: 1.0

In-Reply-To: <341710545.20150723004627@yandex.ru>


On 2015-07-22 23:46, Andrey Repin wrote:
> Greetings, Jarek!
>
>>>>>> So why are they not needed as your comment doesn't really explain that
>>>>> Read 1.7.35 changelog.
>>>>> In short, username resolution was completely reworked, thanks to Corinna, and
>>>>> Cygwin now directly address domain controllers for it.
>>>> OK so it addresses DCs to check some settings or priviliges. I don't
>>>> suppose it just asks 'hey DS, can contoso\johnd access sshd on server1?'
>>> Indirectly, that can be done, i.e., by including a user in "SSH" group and
>>> allow only "DOMAIN+SSH" group to authorize on server.
>> I assume the group name is arbitrary and can be named anything.
> Of course. I have a generic "RemoteUsers" group for all users that allowed
> remote access (VPN, SSH, etc.)
>
>> I went thrugh local rights on my sshserver and I see the Everyone, and
>> Users local groups have Allow to access this computer via network.
>> I take it the 'Act as part of the OS','Create a token object' and
>> 'Replace a process level token' rights are only for the account running
>> the sshd service.
> Yes, these are only used by service itself, and not propagated to the users
> connected.
>
>>> Verbose logging from both client and server may give some insight, too.
>> Here is what I get from the logs on the client when attempting to
>> connect with WinSCP
> Try using only username to login. Without domain prefix.
> And disable other auth mechanics, while you are testing namely I see it trying
> GSSAPI, which wouldn't work unless explicitly configured and allowed.
>
> Please attach long listings as files or provide links to pastebin service of
> your choice.
>
>
Hi Andrey,
Just for an update I deployed ssh access using the passwd file. I found 
it works fine as long as the user connecting is a member of local 
admins. Otherwise users are not able to connect. Looks like this may be 
a bug after all.
Best,
Jarek

--
Problem reports:       http://cygwin.com/problems.html
FAQ:                   http://cygwin.com/faq/
Documentation:         http://cygwin.com/docs.html
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple

- Raw text -

webmaster	delorie software privacy
Copyright © 2019 by DJ Delorie	Updated Jul 2019

X-Recipient:	archive-cygwin AT delorie DOT com
DomainKey-Signature:	a=rsa-sha1; c=nofws; d=sourceware.org; h=list-id
	:list-unsubscribe:list-subscribe:list-archive:list-post
	:list-help:sender:message-id:subject:to:references:from:date
	:mime-version:in-reply-to:content-type
	:content-transfer-encoding; q=dns; s=default; b=HiWxhkzLrDvIECAE
	HMD8nP36r0BbbmQGHDmkCSg7h2uVwuU0c+IT7/t1bqt1ise4MRgKa/3WbF9zVOVT
	ElEHdlUK6PD1C6tIUEjWao85LtjbqqldmyBLvvuvAR9Xu4Bl//Ni/WOeDvRte/eE
	VaCVlVBs6b8ssX8TnXAFK6WC5Es=
DKIM-Signature:	v=1; a=rsa-sha1; c=relaxed; d=sourceware.org; h=list-id
	:list-unsubscribe:list-subscribe:list-archive:list-post
	:list-help:sender:message-id:subject:to:references:from:date
	:mime-version:in-reply-to:content-type
	:content-transfer-encoding; s=default; bh=OR//s5KoC+P+DhvTGKZ1wx
	8r6mY=; b=qhF+jit9lvVHsIbM6s++6/vu0K2D7k1IkgJvZ4IF++g2XSkdvcpVQK
	SCUbpfgFfIU8C4tCIwH5zI9fduoxxRem3T+n3qJVKPC6HGoRL/gcbMz4u8UtfR/e
	xa1EmjdIrIFPkiREF5yRzuJgAmixTjTHCzALRSO4RLY0ThFMd9C4U=
Mailing-List:	contact cygwin-help AT cygwin DOT com; run by ezmlm
List-Id:	<cygwin.cygwin.com>
List-Subscribe:	<mailto:cygwin-subscribe AT cygwin DOT com>
List-Archive:	<http://sourceware.org/ml/cygwin/>
List-Post:	<mailto:cygwin AT cygwin DOT com>
List-Help:	<mailto:cygwin-help AT cygwin DOT com>, <http://sourceware.org/ml/#faqs>
Sender:	cygwin-owner AT cygwin DOT com
Mail-Followup-To:	cygwin AT cygwin DOT com
Delivered-To:	mailing list cygwin AT cygwin DOT com
Authentication-Results:	sourceware.org; auth=none
X-Virus-Found:	No
X-Spam-SWARE-Status:	No, score=-1.3 required=5.0 tests=AWL,BAYES_40,FREEMAIL_ENVFROM_END_DIGIT,FREEMAIL_FROM,RCVD_IN_DNSWL_LOW,RP_MATCHES_RCVD,SPF_PASS autolearn=ham version=3.3.2
X-HELO:	BLU004-OMC1S8.hotmail.com
X-TMN:	[g3nRyBhvduq0rlcbkgHozrIMeq8di1B1]
Message-ID:	<BLU437-SMTP107B589877FA78E898063279E880@phx.gbl>
Subject:	Re: Cygwin ssh and Windows authentication
To:	cygwin AT cygwin DOT com
References:	<BLU436-SMTP39AE7DD48809E802CE4DAE9E860 AT phx DOT gbl> <1301881165 DOT 20150720013859 AT yandex DOT ru> <BLU436-SMTP217DCBDBFA0EED5BC1ACFFB9E850 AT phx DOT gbl> <1399485278 DOT 20150721032532 AT yandex DOT ru> <BLU436-SMTP238C37DE9A243EA7E7F794F9E840 AT phx DOT gbl> <981419184 DOT 20150721233655 AT yandex DOT ru> <BLU436-SMTP147434267174B49E8813BD49E830 AT phx DOT gbl> <341710545 DOT 20150723004627 AT yandex DOT ru>
From:	Jarek <yaro_29 AT hotmail DOT com>
Date:	Sun, 2 Aug 2015 14:47:50 +0200
User-Agent:	Mozilla/5.0 (Windows NT 6.1; rv:38.0) Gecko/20100101 Thunderbird/38.1.0
MIME-Version:	1.0
In-Reply-To:	<341710545.20150723004627@yandex.ru>