From: Andrew DeFaria
To: cygwin@cygwin.com
Subject: Re: Passwordless login with ssh
Date: Thu, 16 Oct 2003 07:55:25 -0700
In-Reply-To: <20031016081208.GB28997@cygbert.vinschen.de>

Corinna Vinschen wrote:
> On Wed, Oct 15, 2003 at 04:51:58PM -0700, Andrew DeFaria wrote:
>
>> Sorry, I searched the list and did not get a definitive answer. What
>> I'm trying to do is to secure things up a little bit around here. I
>> would like to use ssh. But I also want to allow valid users to ssh
>> without being prompted for a password. I'm not sure this is doable.
>>
>> Reading from openssh-3.7.1p2-1.README I see
>>
>> Authentication to sshd is possible in one of two ways. You'll have to
>> decide before starting sshd!
>>
>> - If you want to authenticate via RSA and you want to login to that
>> machine to exactly one user account you can do so by running sshd
>> under that user account. You must change /etc/sshd_config to contain
>> the following:
>>
>> RSAAuthentication yes
>>
>> Moreover it's possible to use rhosts and/or rhosts with RSA
>> authentication by setting the following in sshd_config:
>>
>> RhostsAuthentication yes
>> RhostsRSAAuthentication yes
>>
>> Seems to me that the above says I can only use RSA Authentication IFF
>> I only want to allow one username to be able to login. Or
>
> You missed the part under "Important change since 2.9p2":
>
> "Since Cygwin is able to switch user context without password
> beginning with version 1.3.2, OpenSSH now allows to do so when it's
> running under a version >= 1.3.2. Keep in mind that `ntsec' has to be
> activated to allow that feature."

No, I saw that part too; however, it just seemed more confusing to me.

> This is a bit too brief, I admit. Actually, the account who may switch
> user context without password needs "create a token object" privilege.
> This is by default only the SYSTEM user. So, running sshd under SYSTEM
> account gives you what you want.

I currently have sshd running correctly as a service. I can log in as any user; however, right now I need to specify my password:

$ ssh starbase id
Andrew@starbase's password:
uid=1003(Andrew) gid=513(DeFaria) groups=513(DeFaria),544(Administrators),545(Users)

Now from what I see I need to run ssh-user-config to generate the necessary keys for passwordless login:

$ ssh-user-config
/home/Andrew DeFaria
/home/Andrew DeFaria is set in /etc/passwd as your home directory but it is not a valid directory.
Cannot create user identity files.

Ugh! Seems ssh-user-config doesn't support directories with spaces in them! (Would it be hard/impossible to support this?)

Let me demonstrate my problem at work where I have a home directory without a space.

$ ssh adefaria id
adefaria@adefaria's password:
uid=1370(adefaria) gid=513(Domain Users) groups=1834(clearcase),512(Domain Admins),513(Domain Users),2637(Employees-US-Security),1170(Everybody),1331(Software),1866(Software-US-Security)

Same situation. I can use ssh for any user but I must enter a password. Now for ssh-user-config:

$ ssh-user-config
Shall I create an SSH1 RSA identity file for you? (yes/no) yes
Generating /us/adefaria/.ssh/identity
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Do you want to use this identity to login to this machine? (yes/no) yes
Adding to /us/adefaria/.ssh/authorized_keys
Shall I create an SSH2 RSA identity file for you? (yes/no) (yes/no) yes
Generating /us/adefaria/.ssh/id_rsa
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Do you want to use this identity to login to this machine? (yes/no) yes
Adding to /us/adefaria/.ssh/authorized_keys
Shall I create an SSH2 DSA identity file for you? (yes/no) (yes/no) yes
Generating /us/adefaria/.ssh/id_dsa
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Do you want to use this identity to login to this machine? (yes/no) yes
Adding to /us/adefaria/.ssh/authorized_keys
Configuration finished. Have fun!

$ ssh adefaria id
adefaria@adefaria's password:
uid=1370(adefaria) gid=513(Domain Users) groups=1834(clearcase),512(Domain Admins),513(Domain Users),2637(Employees-US-Security),1170(Everybody),1331(Software),1866(Software-US-Security)

As you can see, ssh-user-config did not change the need to enter my password for ssh.

> Except on 2003 Server. There you'll have to create a new account (say
> "sshd_srv", *not* "sshd") which is part of the admins group and has
> the appropriate extra privileges
>
> "Create a token object"
> "Replace process level token"
> "Increase quotas"
> "Logon as a service"
>
>> The system account does of course own that user rights by default.
>>
>> Unfortunately, if you choose that way, you can only logon with NT
>> password authentication and you should change /etc/sshd_config to
>> contain the following:
>
> Yeah, should be rewritten.
>
>> RhostsAuthentication no
>
> Ugh. Rhosts authentication is dropped entirely since 3.7p1.
>
> Corinna
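Added example, not code from this thread or from the Cygwin ssh-user-config script: a POSIX shell check that reads a user's home directory from a passwd-format file and verifies the layout public-key login depends on, with every expansion quoted so a home directory such as "/home/Andrew DeFaria" is handled. It assumes the ssh-user-config failure above comes from unquoted expansions, which is this example's reading rather than something the thread establishes, and the passwd file and directory names it is run against are constructed.

```shell
#!/bin/sh
# Added example, not from the thread or the Cygwin ssh-user-config script.
# Looks up a user's home directory in a passwd-format file and checks the
# pieces public-key login depends on, quoting every expansion so a home
# directory with spaces ("/home/Andrew DeFaria") is handled correctly.
# Assumption: ssh-user-config trips over unquoted expansions; that is this
# example's reading of the failure, not something the thread establishes.

# home_from_passwd USER PASSWDFILE -> prints USER's home (field 6), 1 if absent
home_from_passwd() {
    awk -F: -v u="$1" '$1 == u { print $6; found = 1 } END { exit !found }' "$2"
}

# check_pubkey_setup USER PASSWDFILE -> 0 if usable, 1 otherwise.
# Prints one line per problem so the output reads as a checklist.
check_pubkey_setup() {
    user=$1
    home=$(home_from_passwd "$user" "$2") || { echo "no passwd entry for $user"; return 1; }
    # Quoted test: [ -d $home ] would see two arguments for "/home/Andrew DeFaria"
    if [ ! -d "$home" ]; then
        echo "home '$home' is set in passwd but is not a directory"
        return 1
    fi
    rc=0
    if [ ! -f "$home/.ssh/authorized_keys" ]; then
        echo "missing $home/.ssh/authorized_keys (ssh-user-config not run?)"
        rc=1
    fi
    # With StrictModes (the default) sshd ignores authorized_keys when the
    # home, .ssh or the file itself is group- or world-writable.
    for p in "$home" "$home/.ssh" "$home/.ssh/authorized_keys"; do
        [ -e "$p" ] || continue
        mode=$(stat -c %a "$p" 2>/dev/null || stat -f %Lp "$p")
        case $mode in
            *[2367]? | *[2367]) echo "$p is group/world writable (mode $mode)"; rc=1 ;;
        esac
    done
    return $rc
}
```

Run as `check_pubkey_setup Andrew /etc/passwd` on the affected host; an empty checklist and a zero exit mean the key files are where sshd will look for them with modes it will accept.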