Mailing-List: contact cygwin-help AT cygwin DOT com; run by ezmlm
Sender: cygwin-owner AT cygwin DOT com
Mail-Followup-To: cygwin AT cygwin DOT com
Delivered-To: mailing list cygwin AT cygwin DOT com
Date: Fri, 4 Nov 2005 17:27:13 -0500 (EST)
From: Igor Pechtchanski
Reply-To: cygwin AT cygwin DOT com
To: Re Persina
cc: cygwin AT cygwin DOT com
Subject: Re: Cygwin and ssh - password auth. problem
In-Reply-To: <3503d12f0511041402s4efb0432u353a45406df0c19d@mail.gmail.com>
References: <3503d12f0511041357n4209ab1cm6cf5ebf2f398426d AT mail DOT gmail DOT com> <3503d12f0511041402s4efb0432u353a45406df0c19d AT mail DOT gmail DOT com>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII

On Fri, 4 Nov 2005, Re Persina wrote:

> Hello,
> I have cygwin running on a windows 2000 server, which is also a PDC.
> I set up sshd in cygwin and I've been using it for some time to login
> as administrator, both using the password and using public-key auth,
> and it has been working great. I now need to have a regular user (a
> member of the Domain User group) login using ssh. I'll call this user
> "user1". I created the user in active directory, and synced cygwin's
> passwd file with "mkpasswd -d > /etc/passwd". However, this does not
> allow me to login over ssh as my new user, using the password I set.
>
> I try to ssh to the server as the user and I enter the password when
> I am prompted by ssh, but it does not accept it; I get "Permission
> denied, please try again.". I checked the windows event log, and it
> says: "...sshd: PID:2588: Failed password for user1 from 10.0.0.2...".
> If I upload my public key to ~user1/.ssh/authorized_keys, I can login.
> I understand that is because ssh pub-key auth bypasses windows auth
> altogether. Unfortunately, I cannot use pub-key auth for this
> particular user.
>
> The only way I've found to make password-auth work, is to add the
> user to the Administrators group. As soon as I do that, I can
> successfully ssh to the server and successfully login with the "user1"
> user and its password. Then as soon as I remove the user from the
> Administrators group, I can no longer login over ssh. Actually I've
> found that adding this user to one of a variety of elevated-privilege
> groups will allow him to login. Making the user a member of any one
> of: "Server Operators", "Backup Operators", or "Domain Admin" will
> allow the user to login over ssh with his password. The problem is
> this user cannot have special permissions; he needs to be a standard
> user/ Domain User. I tried making him a member of the local Users
> group, but that had no effect.

Sounds like a permission problem. Did you run "ssh-user-config" for that
user on the PDC?

> From the research I've done so far, I haven't found any good reason
> why this shouldn't work. There should be a way to allow this user to
> login with his password without him needing elevated privileges, yes?
> Can someone please point me in the right direction?

You could try running sshd in verbose debug mode to see what messages you
get... Also, a tool like "filemon" from SysInternals could help by
listing the files that sshd tries (and fails) to access...

HTH,
	Igor
-- 
				http://cs.nyu.edu/~pechtcha/
      |\      _,,,---,,_		pechtcha AT cs DOT nyu DOT edu
ZZZzz /,`.-'`'    -.  ;-;;,_		igor AT watson DOT ibm DOT com
     |,4-  ) )-,_. ,\ (  `'-'		Igor Pechtchanski, Ph.D.
    '---''(_/--'  `-'\_) fL	a.k.a JaguaR-R-R-r-r-r-.-.-.  Meow!

If there's any real truth it's that the entire multidimensional infinity
of the Universe is almost certainly being run by a bunch of maniacs. /DA