Date: Thu, 16 Oct 2003 11:04:23 -0400 (EDT)
From: Igor Pechtchanski
Reply-To: cygwin AT cygwin DOT com
To: Andrew DeFaria
cc: cygwin AT cygwin DOT com
Subject: Re: Passwordless login with ssh
References: <20031016081208 DOT GB28997 AT cygbert DOT vinschen DOT de>

On Thu, 16 Oct 2003, Andrew DeFaria wrote:

> Corinna Vinschen wrote:
>
> > On Wed, Oct 15, 2003 at 04:51:58PM -0700, Andrew DeFaria wrote:
> >
> >> Sorry, I searched the list and did not get a definitive answer. What
> >> I'm trying to do is to secure things up a little bit around here. I
> >> would like to use ssh. But I also want to allow valid users to ssh
> >> without being prompted for a password. I'm not
> >> sure this is doable.
> >>
> >> Reading from openssh-3.7.1p2-1.README I see
> >>
> >>   Authentication to sshd is possible in one of two ways. You'll have to
> >>   decide before starting sshd!
> >>
> >>   - If you want to authenticate via RSA and you want to login to that
> >>     machine to exactly one user account you can do so by running sshd
> >>     under that user account. You must change /etc/sshd_config to contain
> >>     the following:
> >>
> >>       RSAAuthentication yes
> >>
> >>     Moreover it's possible to use rhosts and/or rhosts with RSA
> >>     authentication by setting the following in sshd_config:
> >>
> >>       RhostsAuthentication yes
> >>       RhostsRSAAuthentication yes
> >>
> >> Seems to me that the above says I can only use RSA Authentication IFF
> >> I only want to allow one username to be able to login. Or
> >
> > You missed the part under "Important change since 2.9p2":
> >
> >   "Since Cygwin is able to switch user context without password
> >   beginning with version 1.3.2, OpenSSH now allows to do so when it's
> >   running under a version >= 1.3.2. Keep in mind that `ntsec' has to be
> >   activated to allow that feature."
>
> No I saw that part too however it just seemed more confusing to me.
>
> > This is a bit too brief, I admit. Actually, the account who may switch
> > user context without password needs "create a token object" privilege.
> > This is by default only the SYSTEM user. So, running sshd under SYSTEM
> > account gives you what you want.
>
> I currently have sshd running correctly as a service. I can log in as
> any user however right now I need to specify my password:
>
>   $ ssh starbase id
>   Andrew AT starbase's password:
>   uid=1003(Andrew) gid=513(DeFaria)
>   groups=513(DeFaria),544(Administrators),545(Users)
>
> Now from what I see I need to run ssh-user-config to generate the
> necessary keys for passwordless login:
>
>   $ ssh-user-config
>   /home/Andrew DeFaria
>   /home/Andrew DeFaria is set in /etc/passwd as your home directory
>   but it is not a valid directory. Cannot create user identity files.
>
> Ugh! Seems ssh-user-config doesn't support directories with spaces in
> them! (Would it be hard/impossible to support this?) Let me demonstrate
> my problem at work where I have a home directory without a space.
>
>   $ ssh adefaria id
>   adefaria AT adefaria's password:
>   uid=1370(adefaria) gid=513(Domain Users)
>   groups=1834(clearcase),512(Domain Admins),513(Domain Users),2637(Employees-US-Security),1170(Everybody),1331(Software),1866(Software-US-Security)
>
> Same situation. I can use ssh for any user but I must enter a password.
> Now for ssh-user-config:
>
>   $ ssh-user-config
>   Shall I create an SSH1 RSA identity file for you? (yes/no) yes
>   Generating /us/adefaria/.ssh/identity
>   Enter passphrase (empty for no passphrase):
>   Enter same passphrase again:
>   Do you want to use this identity to login to this machine? (yes/no) yes
>   Adding to /us/adefaria/.ssh/authorized_keys
>   Shall I create an SSH2 RSA identity file for you? (yes/no) (yes/no) yes
>   Generating /us/adefaria/.ssh/id_rsa
>   Enter passphrase (empty for no passphrase):
>   Enter same passphrase again:
>   Do you want to use this identity to login to this machine? (yes/no) yes
>   Adding to /us/adefaria/.ssh/authorized_keys
>   Shall I create an SSH2 DSA identity file for you? (yes/no) (yes/no) yes
>   Generating /us/adefaria/.ssh/id_dsa
>   Enter passphrase (empty for no passphrase):
>   Enter same passphrase again:
>   Do you want to use this identity to login to this machine? (yes/no) yes
>   Adding to /us/adefaria/.ssh/authorized_keys
>
>   Configuration finished. Have fun!
>
>   $ ssh adefaria id
>   adefaria AT adefaria's password:
>   uid=1370(adefaria) gid=513(Domain Users)
>   groups=1834(clearcase),512(Domain Admins),513(Domain Users),2637(Employees-US-Security),1170(Everybody),1331(Software),1866(Software-US-Security)
>
> As you can see ssh-user-config did not change the need to enter my
> password for ssh.

ssh -v (or -vvv) should tell you why the authorized_keys aren't accepted.
It's possible the permissions are too lax on them.
        Igor
--
http://cs.nyu.edu/~pechtcha/
      |\      _,,,---,,_           pechtcha AT cs DOT nyu DOT edu
ZZZzz /,`.-'`'    -.  ;-;;,_       igor AT watson DOT ibm DOT com
     |,4-  ) )-,_. ,\ (  `'-'      Igor Pechtchanski, Ph.D.
    '---''(_/--'  `-'\_) fL        a.k.a JaguaR-R-R-r-r-r-.-.-.  Meow!

"I have since come to realize that being between your mentor and his
route to the bathroom is a major career booster."  -- Patrick Naughton
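Igor's advice is to let ssh -v report why the key was not accepted; the usual reason it reports is a group- or world-writable home directory, ~/.ssh or authorized_keys, which sshd refuses under StrictModes. The script below is an added example, not from this thread or from the Cygwin package, that performs that same writability check on a home directory and tightens the modes; it assumes GNU/Cygwin stat(1) with "-c %a" and deliberately does not check file ownership, which sshd also verifies.

```shell
#!/bin/sh
# Added example: emulate the "writable by group/other" part of sshd's
# StrictModes check on HOME, HOME/.ssh and HOME/.ssh/authorized_keys.
# Assumes GNU/Cygwin coreutils stat(1); ownership is not checked here.

# Octal mode of a path, e.g. 755
mode_of() {
    stat -c '%a' "$1"
}

# check_ssh_perms HOME_DIR
# Prints each offending path; returns 1 if sshd would reject the key file,
# 0 if the layout is acceptable.
check_ssh_perms() {
    home="$1"
    rc=0
    for p in "$home" "$home/.ssh"; do
        [ -d "$p" ] || { echo "missing directory: $p"; rc=1; continue; }
        m=$(mode_of "$p")
        # 022 masks the group- and other-write bits
        if [ $(( 0$m & 022 )) -ne 0 ]; then
            echo "too lax: $p is mode $m (must not be group/world writable)"
            rc=1
        fi
    done
    ak="$home/.ssh/authorized_keys"
    if [ ! -f "$ak" ]; then
        echo "missing file: $ak"
        rc=1
    else
        m=$(mode_of "$ak")
        if [ $(( 0$m & 022 )) -ne 0 ]; then
            echo "too lax: $ak is mode $m (use chmod 600)"
            rc=1
        fi
    fi
    return $rc
}

# fix_ssh_perms HOME_DIR: apply the conventional tight modes
fix_ssh_perms() {
    chmod go-w "$1"
    chmod 700 "$1/.ssh"
    chmod 600 "$1/.ssh/authorized_keys"
}
```

Run it as "check_ssh_perms "$HOME"" on the server side; if it complains, "fix_ssh_perms "$HOME"" applies the modes and the next ssh -v should show the public key being accepted.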