Date: Sat, 28 Feb 2004 20:49:45 -0500 (EST)
From: Igor Pechtchanski
To: ncokwqc02 AT sneakemail DOT com
cc: cygwin AT cygwin DOT com
Subject: RE: can't achieve password-less ssh authentication when my home directory is on a network file server

On Sat, 28 Feb 2004 ncokwqc02sneakemailcom wrote:

> [snip]
> > > So my question is this: How do I modify the file(s) on 'Alpha' or on
> > > '//Filer' to obtain password-less access from 'Beta' to 'Alpha' when the
> > > password file on 'Alpha' says '//Filer/john' is my home directory?
> >
> > Sorry, no can do[*]. This is the way Windows/Samba shares (and other
> > authenticated mounts, e.g., DFS) work. To access the directory, you
> > need a valid token with a password, otherwise the remote machine won't
> > trust it. To find out that you allow passwordless authentication, you
> > need to access the directory, which you can't without a password.
> > FWIW, I ran into the same problem on AIX (with DFS).
>
> I had read lots of previous posts on this topic and should have realized
> the futility of the endeavor. I guess that when I found that setting the
> HOME directory in '/etc/passwd' to a directory on the remote drive made
> it possible to ssh into 'Alpha' and still have simultaneous access to
> the local and remote drives, I thought the objective of password-less
> ssh access might be simultaneously achievable.

Yes, for passwordless authentication, you need to be able to access the
~/.ssh directory *without* typing a password.

> > [*] I can think of a couple of things to try, but don't think either will
> > work too well:
> > - If you have control over the //Filer share, you might try to make the
> >   share public (i.e., accessible to anyone). I'd say that this cure is
> >   worse than the disease, though...
>
> No way I can do that.

Fair enough.

> > - Create a local home directory (e.g. /home/john); mount the remote
> >   directory (//Filer) onto it; then mount c:\cygwin\home\john\.ssh onto
> >   /home/john/.ssh.
>
> I want to make sure I understand your suggestion. Does it amount to doing
> the following on 'Alpha'?
>     mkdir /home/john
>     mount //Filer/john /home/john
>     mount c:\cygwin\home\john\.ssh /home/john/.ssh
>
> In this case my home directory is at '//Filer/john'.

Yes, exactly. Note that, as I said below, you will not be able to access
//Filer/john/.ssh as /home/john/.ssh after that. You should still be able
to access it directly as //Filer/john/.ssh, though, so it's no big loss.
Oh, and you'll need to *create* /home/john/.ssh before mounting
//Filer/john over it...

> > In theory, this should allow you to keep a local (and therefore
> > accessible without a password) copy of the .ssh directory, while the
> > rest of your files are on the Samba share. The caveat, of course, is
> > that you won't be able to access the remote .ssh directory, if there
> > is one. Also, make sure the mounts are all system mounts, so sshd can
> > pick them up.
> >
> > Please let us know if either works for you.
> > Igor
>
> BTW, on a related, but slightly different topic, I didn't even get to this
> point until I solved the problem of 'cygrunsrv -S sshd' resulting in 'Error
> 1062'. Thank goodness for 'log' files! When I finally looked at
> '/var/log/sshd.log' I saw it filled with repetitions of the message
> "/var/empty must be owned by root and not group or world-writable."
> Indeed '/var/empty' was owned by 'john:Users'. After I changed it to
> 'SYSTEM:root', I was able to start 'sshd'. I don't understand why the
> '/var/empty' directory created by '/bin/ssh-host-config' didn't have the
> right ownership. But it didn't.

I actually don't recall you attaching the output of "cygcheck -svr" for
your machine (as requested in ). This would tell us, among other things,
the version of Windows and the version of the openssh package that you're
running. AFAICS, ssh-host-config in the latest couple of versions of
openssh contains a bit of code specific to NT-based systems that *does*
chown /var/empty to SYSTEM:544 (SYSTEM:Administrators, IIRC). If that
didn't work on your machine, we need to find out why.
	Igor
-- 
http://cs.nyu.edu/~pechtcha/
pechtcha AT cs DOT nyu DOT edu
igor AT watson DOT ibm DOT com
Igor Pechtchanski, Ph.D.
a.k.a JaguaR-R-R-r-r-r-.-.-. Meow!

"I have since come to realize that being between your mentor and his route
to the bathroom is a major career booster." -- Patrick Naughton
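
The sshd log message quoted in the thread names two conditions on /var/empty: its owner, and the absence of group and world write bits. As an added example (not part of the original message or of the openssh package), this shell function checks both before the service is started; the function name, its return codes and the OWNER_UID parameter are assumptions of the example.

```shell
#!/bin/sh
# Added example: pre-flight check for the directory named in the sshd log
# message "/var/empty must be owned by root and not group or world-writable."
#
# check_privsep_dir DIR [OWNER_UID]
#   returns 0 if DIR passes,
#           1 if DIR is not a real directory,
#           2 if DIR has the wrong owner,
#           3 if DIR is group- or world-writable.
# OWNER_UID defaults to 0. Which uid stands in for "root" on a given Cygwin
# installation is an assumption to confirm locally before relying on it.
check_privsep_dir() {
    dir=$1
    want_uid=${2:-0}

    # This example also rejects symlinks, so that every check below
    # looks at the same filesystem object.
    if [ -L "$dir" ] || [ ! -d "$dir" ]; then
        echo "$dir: not a directory" >&2
        return 1
    fi

    # Numeric owner is the third field of "ls -ldn".
    owner=$(ls -ldn "$dir" | awk '{print $3}')
    if [ "$owner" != "$want_uid" ]; then
        echo "$dir: owned by uid $owner, expected $want_uid" >&2
        return 2
    fi

    # -perm -020 matches the group-write bit, -perm -002 the other-write
    # bit; -prune keeps find from descending into the directory.
    if [ -n "$(find "$dir" -prune \( -perm -020 -o -perm -002 \) -print)" ]; then
        echo "$dir: group- or world-writable" >&2
        return 3
    fi
    return 0
}
```

Called as `check_privsep_dir /var/empty`, a non-zero return code identifies which of the conditions from the log message is not met.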