Mailing-List: contact cygwin-help AT cygwin DOT com; run by ezmlm
List-Subscribe: <mailto:cygwin-subscribe AT cygwin DOT com>
List-Archive: <http://sources.redhat.com/ml/cygwin/>
List-Post: <mailto:cygwin AT cygwin DOT com>
List-Help: <mailto:cygwin-help AT cygwin DOT com>, <http://sources.redhat.com/ml/#faqs>
Sender: cygwin-owner AT cygwin DOT com
Mail-Followup-To: cygwin AT cygwin DOT com
Delivered-To: mailing list cygwin AT cygwin DOT com
Date: Thu, 16 May 2002 20:10:03 +0200
From: "Gerrit P. Haase" <gerrit AT familiehaase DOT de>
Reply-To: "Gerrit P. Haase" <gerrit AT familiehaase DOT de>
Organization: Esse keine toten Tiere
X-Priority: 3 (Normal)
Message-ID: <155544505537.20020516201003@familiehaase.de>
To: cygwin AT cygwin DOT com
Subject: Re: SSHD under SYSTEM account (was: Re: cygwin & opensshd on  .net enterprise server)
In-Reply-To: <4.3.1.2.20020516133550.0260af00@pop.ma.ultranet.com>
References: <4 DOT 3 DOT 1 DOT 2 DOT 20020516133550 DOT 0260af00 AT pop DOT ma DOT ultranet DOT com>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit

Larry,

>> > Can you please acknowledge whether or not you read openssh*.README so that
>> > we know whether you've missed the obvious user rights settings necessary for
>> > the administrator account?
>>
>>I read it and still have similar problems and there is this:


> I'm glad you read it Gerrit and would've expected as much from you.  I was
> enquiring this specifically of Tony, since it's not clear what he's tried 
> and how much he has researched the issue.


>>   "The system account does of course own that user rights by default."
>>
>>That means SYSTEM is ok and it is the default if I let the
>>ssh-host-config do the service setup.  So I expect no problems here.
>>More:
>>
>>   Unfortunately, if you choose that way, you can only logon with
>>   NT password authentification and you should change
>>   /etc/sshd_config to contain the following:
>>
>>     PasswordAuthentication yes
>>     RhostsAuthentication no
>>     RhostsRSAAuthentication no
>>     RSAAuthentication no
>>
>>
>>Wow this is like a hammer.  That means I cannot use PublicKey
>>Authentication?  If I cannot use public key authentication, the whole
>>benefit (besides transfering passwords encrypted) is futsch...
>>
>>If I let them try to guess my password several days there will be at
>>least one intruder every month...
>>
>>Is this true that PublicKey auth isn't working? (I cannot believe it).


> I think you missed the next statement in the file:

>    However you can login to the user which has started sshd with
>    RSA authentication anyway. If you want that, change the RSA
>    authentication setting back to "yes":

>      RSAAuthentication yes

> But if that user is SYSTEM, then this is little consolation.  I can't speak
> to any specifics but I can say that I agree with your interpretation of the 
> prose, minus the one caveat above.  Perhaps you'll want to try playing with
> this and debugging it to see if there's a solution for it that meets your 
> needs.

I am debugging this about two weeks now, every day an hour or so.  I
want to use DSA & SSH2 and it works.  But when I changed back the
sshd_config to 'RSAAuthentication yes' because a collegue wants to use
RSA (he just has RSA keys the poor man), it stops working.

Strange is that I can login at our Linux box and even with the same
config settings at the Linux and my NT server (where it is working if I
disable RSA) I cannot login using PublicKey Auth.

I will try to find a solution some more days and if there is a way to
use PublicKey Auth with RSA SSH1 and DSA SSH2 enabled and
    PasswordAuthentication no
I will find it;)


Gerrit
-- 
=^..^=


--
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple
Bug reporting:         http://cygwin.com/bugs.html
Documentation:         http://cygwin.com/docs.html
FAQ:                   http://cygwin.com/faq/