Mailing-List: contact cygwin-help AT cygwin DOT com; run by ezmlm
Sender: cygwin-owner AT cygwin DOT com
Mail-Followup-To: cygwin AT cygwin DOT com
Delivered-To: mailing list cygwin AT cygwin DOT com
Message-ID: <020601c39415$22d45270$6c0aa8c0@adexainc.com>
From: "Rob S.i.k.l.o.s."
To: , "Andrew DeFaria"
References: <20031016081208 DOT GB28997 AT cygbert DOT vinschen DOT de>
Subject: Re: Passwordless login with ssh
Date: Thu, 16 Oct 2003 14:41:39 -0400

Are you entering a passphrase when you generate your keys? If so, try
with no passphrase.

Rob.

----- Original Message -----
From: "Andrew DeFaria"
To:
Sent: Thursday, October 16, 2003 10:55 AM
Subject: Re: Passwordless login with ssh


> Corinna Vinschen wrote:
>
> > On Wed, Oct 15, 2003 at 04:51:58PM -0700, Andrew DeFaria wrote:
> >
> >> Sorry, I searched the list and did not get a definitive answer. What
> >> I'm trying to do is to secure things up a little bit around here. I
> >> would like to use ssh. But I also want to allow valid users to ssh
> >> without being prompted for a password. I'm not sure this is doable.
> >>
> >> Reading from openssh-3.7.1p2-1.README I see
> >>
> >> Authentication to sshd is possible in one of two ways. You'll have to
> >> decide before starting sshd!
> >>
> >> - If you want to authenticate via RSA and you want to login to that
> >> machine to exactly one user account you can do so by running sshd
> >> under that user account. You must change /etc/sshd_config to contain
> >> the following:
> >>
> >> RSAAuthentication yes
> >>
> >> Moreover it's possible to use rhosts and/or rhosts with RSA
> >> authentication by setting the following in sshd_config:
> >>
> >> RhostsAuthentication yes
> >> RhostsRSAAuthentication yes
> >>
> >> Seems to me that the above says I can only use RSA Authentication IFF
> >> I only want to allow one username to be able to login. Or
> >
> > You missed the part under "Important change since 2.9p2":
> >
> > "Since Cygwin is able to switch user context without password
> > beginning with version 1.3.2, OpenSSH now allows to do so when it's
> > running under a version >= 1.3.2. Keep in mind that `ntsec' has to be
> > activated to allow that feature."
>
> No I saw that part too however it just seemed more confusing to me.
>
> > This is a bit too brief, I admit. Actually, the account who may switch
> > user context without password needs "create a token object" privilege.
> > This is by default only the SYSTEM user. So, running sshd under SYSTEM
> > account gives you what you want.
>
> I currently have sshd running correctly as a service. I can log in as
> any user however right now I need to specify my password:
>
> $ ssh starbase id
> Andrew AT starbase's password:
> uid=1003(Andrew) gid=513(DeFaria)
> groups=513(DeFaria),544(Administrators),545(Users)
>
> Now from what I see I need to run ssh-user-config to generate the
> necessary keys for passwordless login:
>
> $ ssh-user-config
> /home/Andrew DeFaria
> /home/Andrew DeFaria is set in /etc/passwd as your home directory
> but it is not a valid directory. Cannot create user identity files.
>
> Ugh! Seems ssh-user-config doesn't support directories with spaces in
> them! (Would it be hard/impossible to support this?) Let me demonstrate
> my problem at work where I have a home directory without a space.
>
> $ ssh adefaria id
> adefaria AT adefaria's password:
> uid=1370(adefaria) gid=513(Domain Users)
> groups=1834(clearcase),512(Domain Admins),513(Domain Users),2637(Employees-US-Security),1170(Everybody),1331(Software),1866(Software-US-Security)
>
> Same situation. I can use ssh for any user but I must enter a password.
> Now for ssh-user-config:
>
> $ ssh-user-config
> Shall I create an SSH1 RSA identity file for you? (yes/no) yes
> Generating /us/adefaria/.ssh/identity
> Enter passphrase (empty for no passphrase):
> Enter same passphrase again:
> Do you want to use this identity to login to this machine? (yes/no) yes
> Adding to /us/adefaria/.ssh/authorized_keys
> Shall I create an SSH2 RSA identity file for you? (yes/no) (yes/no) yes
> Generating /us/adefaria/.ssh/id_rsa
> Enter passphrase (empty for no passphrase):
> Enter same passphrase again:
> Do you want to use this identity to login to this machine? (yes/no) yes
> Adding to /us/adefaria/.ssh/authorized_keys
> Shall I create an SSH2 DSA identity file for you? (yes/no) (yes/no) yes
> Generating /us/adefaria/.ssh/id_dsa
> Enter passphrase (empty for no passphrase):
> Enter same passphrase again:
> Do you want to use this identity to login to this machine? (yes/no) yes
> Adding to /us/adefaria/.ssh/authorized_keys
>
> Configuration finished. Have fun!
>
> $ ssh adefaria id
> adefaria AT adefaria's password:
> uid=1370(adefaria) gid=513(Domain Users)
> groups=1834(clearcase),512(Domain Admins),513(Domain Users),2637(Employees-US-Security),1170(Everybody),1331(Software),1866(Software-US-Security)
>
> As you can see ssh-user-config did not change the need to enter my
> password for ssh.
>
> > Except on 2003 Server. There you'll have to create a new account (say
> > "sshd_srv", *not* "sshd") which is part of the admins group and has
> > the appropriate extra privileges
> >
> > "Create a token object"
> > "Replace process level token"
> > "Increase quotas"
> > "Logon as a service"
> >
> >> The system account does of course own that user rights by default.
> >>
> >> Unfortunately, if you choose that way, you can only logon with NT
> >> password authentication and you should change /etc/sshd_config to
> >> contain the following:
> >
> > Yeah, should be rewritten.
> >
> >> RhostsAuthentication no
> >
> > Ugh. Rhosts authentication is dropped entirely since 3.7p1.
> >
> > Corinna
> >
>
> --
> Unsubscribe info: http://cygwin.com/ml/#unsubscribe-simple
> Problem reports: http://cygwin.com/problems.html
> Documentation: http://cygwin.com/docs.html
> FAQ: http://cygwin.com/faq/
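Added here as a worked example, not code from the thread, from Rob, Andrew or Corinna, or from the Cygwin OpenSSH package: a POSIX shell pre-flight that checks the things the thread shows going wrong on the server side before anyone reaches for `ssh -v`. It reads the effective `sshd_config` value the way sshd does (first uncommented match wins), checks the home directory exactly as /etc/passwd names it, confirms the public key is really in `authorized_keys` (comparing type and blob, ignoring comments and key options), and applies the owner-only permission rule that `StrictModes yes` enforces. The fixture paths (`/home/adefaria`, the `id_rsa.pub` blob, the `sshd_config` lines) are constructed; the assumption that the 2003-era `ssh-user-config` tripped over the unquoted home directory is drawn from the error message quoted above, not from the script's source.

```shell
#!/bin/sh
# Added example, not code from the thread or from Cygwin's OpenSSH package.
# Pre-flight checks for public-key login to a Cygwin sshd, covering the
# points the thread stumbles on: the home directory named in /etc/passwd,
# whether the key really is in authorized_keys, permissions that
# StrictModes rejects, and the effective sshd_config settings.
# All paths and key material below are constructed fixtures, not real keys.

# Effective value of an sshd_config keyword: first uncommented match wins
# (as sshd parses it); prints the supplied default when the keyword is absent.
sshd_config_value() {   # sshd_config_value <config> <keyword> <default>
    awk -v k="$2" -v d="$3" '
        /^[[:space:]]*#/ || NF < 2 { next }
        tolower($1) == tolower(k)  { print $2; found = 1; exit }
        END { if (!found) print d }
    ' "$1"
}

# The home directory exactly as /etc/passwd records it. ssh-user-config
# rejected "/home/Andrew DeFaria"; the assumption here is that it did not
# quote the path, so whitespace is reported as its own status.
home_dir_status() {     # prints ok | missing | has-whitespace
    if [ ! -d "$1" ]; then
        echo missing
    elif printf '%s' "$1" | grep -q '[[:space:]]'; then
        echo has-whitespace
    else
        echo ok
    fi
}

# Is the SSH2 public key in $1 listed in authorized_keys $2? Compare the
# key type and base64 blob only: comments differ between files, and
# options (from=, no-pty, ...) may precede the key on an authorized_keys line.
key_authorized() {      # key_authorized <pubkey_file> <authorized_keys>
    want=$(awk '{ print $1, $2; exit }' "$1")
    [ -n "$want" ] || return 1
    awk -v want="$want" '
        /^[[:space:]]*#/ || NF < 2 { next }
        { for (i = 1; i < NF; i++)
              if ($i ~ /^(ssh-rsa|ssh-dss|ssh-ed25519|ecdsa-sha2-)/) {
                  if ($i " " $(i+1) == want) found = 1
                  break
              } }
        END { exit found ? 0 : 1 }
    ' "$2"
}

# Group- or world-writable? Parsed from ls -l so it behaves the same on
# Cygwin, GNU and BSD (column 6 is group write, column 9 is other write).
writable_by_others() {
    case "$(ls -ld "$1" | cut -c1-10)" in
        ?????w????|????????w?) return 0 ;;
        *) return 1 ;;
    esac
}

# With StrictModes yes, sshd ignores the key if the home directory, ~/.ssh
# or authorized_keys is writable by anyone but the owner.
strict_modes_ok() {     # strict_modes_ok <home>
    for p in "$1" "$1/.ssh" "$1/.ssh/authorized_keys"; do
        [ -e "$p" ] || continue
        if writable_by_others "$p"; then
            echo "loose permissions on $p"
            return 1
        fi
    done
    echo ok
}

# Constructed fixture mirroring the thread's working-machine layout.
make_fixture() {        # make_fixture <scratch_dir>
    home=$1/home/adefaria
    mkdir -p "$home/.ssh" && chmod 755 "$home" && chmod 700 "$home/.ssh"
    # Not a real key: only the "type blob comment" shape matters here.
    printf 'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQDexample adefaria@adefaria\n' \
        > "$1/id_rsa.pub"
    printf 'no-pty,from="10.0.0.0/8" %s\n' "$(cat "$1/id_rsa.pub")" \
        > "$home/.ssh/authorized_keys"
    chmod 600 "$home/.ssh/authorized_keys"
    printf '# constructed sshd_config\n#PubkeyAuthentication no\nRSAAuthentication yes\nStrictModes yes\n' \
        > "$1/sshd_config"
}

diagnose() {            # diagnose <sshd_config> <home> <pubkey_file>
    echo "PubkeyAuthentication:   $(sshd_config_value "$1" PubkeyAuthentication yes)"
    echo "home directory:         $(home_dir_status "$2")"
    if key_authorized "$3" "$2/.ssh/authorized_keys"; then
        echo "key in authorized_keys: yes"
    else
        echo "key in authorized_keys: NO (ssh-user-config may have written elsewhere)"
    fi
    echo "StrictModes check:      $(strict_modes_ok "$2")"
}

demo() {
    tmp=$(mktemp -d) || return 1
    make_fixture "$tmp"
    diagnose "$tmp/sshd_config" "$tmp/home/adefaria" "$tmp/id_rsa.pub"
    rm -rf "$tmp"
}
demo
```

On a real machine, call `diagnose /etc/sshd_config "$HOME" ~/.ssh/id_rsa.pub` as the user who cannot log in without a password. Two things the script cannot tell you: whether the service account can switch user context at all (on 2003 Server that needs the four privileges Corinna lists, and SYSTEM has them by default), and which method the client actually ended up using, which `ssh -v` shows. Note that a passphrase on the private key never reaches sshd: the client only asks for it after the server has accepted the key, so a prompt for the account password means the key was not offered or not accepted, and removing the passphrase will not change that; ssh-agent removes the passphrase prompt without storing the key unencrypted.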