To: cygwin AT cygwin DOT com
From: Andrew DeFaria
Subject: ssh, smbntsec, mounted home directory - is it possible
Date: Thu, 07 May 2009 22:53:25 -0700

I've found that in life if you don't completely solve a problem you tend to come back upon it until you do.

Dredging up an old issue (http://sourceware.org/ml/cygwin/2006-10/msg00553.html) of which Corinna commented here: http://sourceware.org/ml/cygwin/2006-10/msg00644.html but it was what Igor said in http://sourceware.org/ml/cygwin/2003-06/msg00080.html that really got me thinking.

From what I understand, if you wish to share a home directory via SMB among a number of Windows machines then you will have problems with ssh and permissions if you are attempting to use pre-shared ssh keys. By using pre-shared ssh keys you are attempting to allow passwordless ssh login - secure ssh login but passwordless nonetheless. As such, when you log into the Windows machine you will not have access to your SMB home directory, since as Igor says "trying to access network shares from a session you did with passwordless authentication"... is "not gonna work". As I understand it, when no password is supplied then no password is available to give Windows in order to authenticate access to the SMB share.

So, during the attempt to authenticate the pre-shared key, the sshd process cannot access the user's ~/.ssh/authorized_keys. So then it eventually has to prompt for the password. But even worse, after giving the password you still have no access to your home directory.

Although Cygwin 1.7 may offer some hope:

    Cygwin now allows storage and use of user passwords in a hidden area
    of the registry. This is tried first when Cygwin is called by
    privileged processes to switch the user context. This allows, for
    instance, ssh public key sessions with full network credentials to
    access shares on other machines.

my client isn't able to use Cygwin 1.7 yet.

So to recap:

I'd like to provide pre-shared key ssh access to a particular username. I cannot, however, use an SMB shared home directory for that user without encountering problems with ssh and permissions.

If the above statement is not true and you have any ideas on how to achieve these objectives then let me know.

-- 
Andrew DeFaria
Can you sentence a homeless man to house arrest?