Mailing-List: contact cygwin-help AT cygwin DOT com; run by ezmlm
Sender: cygwin-owner AT cygwin DOT com
Delivered-To: mailing list cygwin AT cygwin DOT com
Date: Thu, 16 Oct 2003 10:12:08 +0200
From: Corinna Vinschen
To: cygwin AT cygwin DOT com
Subject: Re: Passwordless login with ssh
Message-ID: <20031016081208.GB28997@cygbert.vinschen.de>
Reply-To: cygwin AT cygwin DOT com
Mail-Followup-To: cygwin AT cygwin DOT com
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.4.1i

On Wed, Oct 15, 2003 at 04:51:58PM -0700, Andrew DeFaria wrote:
> Sorry, I searched the list and did not get a definitive answer. What I'm
> trying to do is to secure things up a little bit around here. I would
> like to use ssh. But I also want to allow valid users to ssh
> without being prompted for a password. I'm not sure this is
> doable.
>
> Reading from openssh-3.7.1p2-1.README I see
>
>   Authentication to sshd is possible in one of two ways. You'll have
>   to decide before starting sshd!
>
>   - If you want to authenticate via RSA and you want to login to that
>     machine to exactly one user account you can do so by running sshd
>     under that user account. You must change /etc/sshd_config to contain
>     the following:
>
>       RSAAuthentication yes
>
>     Moreover it's possible to use rhosts and/or rhosts with RSA
>     authentication by setting the following in sshd_config:
>
>       RhostsAuthentication yes
>       RhostsRSAAuthentication yes
>
> Seems to me that the above says I can only use RSA Authentication IFF
> I only want to allow one username to be able to login. Or

You missed the part under "Important change since 2.9p2":

  "Since Cygwin is able to switch user context without password beginning
  with version 1.3.2, OpenSSH now allows to do so when it's running under
  a version >= 1.3.2. Keep in mind that `ntsec' has to be activated to
  allow that feature."

This is a bit too brief, I admit. Actually, the account that may switch
user context without password needs the "create a token object" privilege.
This is by default only the SYSTEM user. So, running sshd under the SYSTEM
account gives you what you want. Except on 2003 Server. There you'll have
to create a new account (say "sshd_srv", *not* "sshd") which is part of
the admins group and has the appropriate extra privileges:

  "Create a token object"
  "Replace process level token"
  "Increase quotas"
  "Logon as a service"

>     The system account does of course own those user rights by default.
>
>   - Unfortunately, if you choose that way, you can only logon with NT
>     password authentication and you should change /etc/sshd_config to
>     contain the following:

Yeah, should be rewritten.

>       RhostsAuthentication no

Ugh. Rhosts authentication is dropped entirely since 3.7p1.

Corinna

--
Corinna Vinschen                  Please, send mails regarding Cygwin to
Cygwin Developer                                mailto:cygwin AT cygwin DOT com
Red Hat, Inc.

--
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple
Problem reports:       http://cygwin.com/problems.html
Documentation:         http://cygwin.com/docs.html
FAQ:                   http://cygwin.com/faq/
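The reply makes two configuration points that are easy to check mechanically: the Rhosts directives quoted from the README are dead since OpenSSH 3.7p1, and RSAAuthentication is the directive that has to be enabled for the key-based, passwordless login the original poster wants. The following is an added example (written for this page, not code from the thread, from Cygwin or from OpenSSH) that parses an sshd_config in the way sshd reads it (keywords case-insensitive, a full-line "#" comment skipped, keyword and value separated by whitespace or a single "=") and reports those directives. It also applies the first-value-wins rule from sshd_config(5), so a repeated directive further down the file is flagged as shadowed rather than silently trusted; that rule is not mentioned on the page and is added here. The sample configuration and the directive list are constructed for the example.

```python
"""Added example: audit the authentication directives of an sshd_config.

Checks the two points made in the reply above (Rhosts-based directives
are dead since OpenSSH 3.7p1, RSAAuthentication must be "yes" for
key-based passwordless logins) and applies sshd_config's first-value-wins
rule, so a directive repeated later with a different value is reported
as shadowed instead of being mistaken for the effective setting.
"""
import re
from typing import Dict, List, NamedTuple, Optional


class Directive(NamedTuple):
    keyword: str   # lower-cased: sshd_config keywords are case-insensitive
    value: str     # arguments exactly as written (case-sensitive)
    line_no: int


# Directives the reply says were dropped together with Rhosts support
# in 3.7p1; their presence usually means a stale config file.
DROPPED_RHOSTS_DIRECTIVES = frozenset(
    {"rhostsauthentication", "rhostsrsaauthentication"})

# "Keyword value" or "Keyword=value" (a single optional '=' is allowed).
_DIRECTIVE_RE = re.compile(r"^(\w+)\s*=?\s*(.*)$")

# Constructed sample modelled on the README excerpt quoted in the thread
# (not a real server's file).  The second RSAAuthentication line is
# ignored by sshd because the first obtained value wins.
SAMPLE_SSHD_CONFIG = """\
# constructed sample sshd_config
Port 22
RSAAuthentication yes
RhostsAuthentication yes
RhostsRSAAuthentication=no
RSAAuthentication no
"""


def parse_sshd_config(text: str) -> List[Directive]:
    """Return every directive in file order; blank lines and # comments are skipped."""
    out: List[Directive] = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = _DIRECTIVE_RE.match(line)
        if m is None:
            continue  # not a "Keyword value" line; sshd would reject it
        out.append(Directive(m.group(1).lower(), m.group(2).strip(), line_no))
    return out


def effective_settings(directives: List[Directive]) -> Dict[str, Directive]:
    """First value wins, as sshd_config(5) specifies; later repeats are ignored."""
    eff: Dict[str, Directive] = {}
    for d in directives:
        eff.setdefault(d.keyword, d)
    return eff


def audit_auth_directives(text: str) -> Dict[str, object]:
    """Report dead Rhosts directives, shadowed repeats and the RSAAuthentication state."""
    directives = parse_sshd_config(text)
    eff = effective_settings(directives)
    findings: List[str] = []
    for d in directives:
        winner = eff[d.keyword]
        if d.keyword in DROPPED_RHOSTS_DIRECTIVES:
            findings.append(
                f"line {d.line_no}: {d.keyword} has no effect, "
                f"Rhosts authentication was dropped in 3.7p1")
        elif winner is not d and winner.value != d.value:
            findings.append(
                f"line {d.line_no}: {d.keyword} {d.value!r} is shadowed by "
                f"line {winner.line_no} ({winner.value!r})")
    rsa: Optional[Directive] = eff.get("rsaauthentication")
    return {
        # True/False when the directive is present, None when it is absent
        "rsa_authentication": (rsa.value.lower() == "yes") if rsa else None,
        "findings": findings,
    }


if __name__ == "__main__":
    report = audit_auth_directives(SAMPLE_SSHD_CONFIG)
    print("RSAAuthentication enabled:", report["rsa_authentication"])
    for line in report["findings"]:
        print(line)
```

Run against the sample, the audit reports RSAAuthentication as enabled (the first occurrence, line 3), flags both Rhosts lines as dead, and points out that the trailing "RSAAuthentication no" is shadowed. On a real host, feed it the contents of /etc/sshd_config instead of the constructed sample.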