X-Recipient: archive-cygwin AT delorie DOT com
X-SWARE-Spam-Status: No, hits=-2.1 required=5.0 	tests=AWL,BAYES_00
X-Spam-Check-By: sourceware.org
X-Cloudmark-SP-Filtered: true
X-Cloudmark-SP-Result: v=1.0 c=1 a=9arJFeZAiZsA:10 a=kCKDY91tEBMc+hi4YtGk8Q==:17 a=w_pzkKWiAAAA:8  a=qqePFTBOsbGuURynPnAA:9 a=y-5vgSKMtiJCklNI36IA:7  a=f0FdpXzOQ4cuFC7QJt7h92H6wCAA:4 a=OO2XiV6ZNdAA:10
Message-ID: <4B6A6FB5.10804@monai.ca>
Date: Wed, 03 Feb 2010 22:56:53 -0800
From: Steven Monai <steve+cygwin AT monai DOT ca>
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.5) Gecko/20091204 Thunderbird/3.0
MIME-Version: 1.0
To: cygwin AT cygwin DOT com
Subject: Re: 1.7 Public Key Authentication problem
References: <fbea4b0a1002032207y5ee53669o97966eeb6e2138c2 AT mail DOT gmail DOT com>
In-Reply-To: <fbea4b0a1002032207y5ee53669o97966eeb6e2138c2@mail.gmail.com>
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 7bit
X-IsSubscribed: yes
Mailing-List: contact cygwin-help AT cygwin DOT com; run by ezmlm
List-Id: <cygwin.cygwin.com>
List-Subscribe: <mailto:cygwin-subscribe AT cygwin DOT com>
List-Archive: <http://sourceware.org/ml/cygwin/>
List-Post: <mailto:cygwin AT cygwin DOT com>
List-Help: <mailto:cygwin-help AT cygwin DOT com>, <http://sourceware.org/ml/#faqs>
Sender: cygwin-owner AT cygwin DOT com
Mail-Followup-To: cygwin AT cygwin DOT com
Delivered-To: mailing list cygwin AT cygwin DOT com

On 2010/02/03 10:07 PM, shane fenton wrote:
> Hi,
> First time poster - so hopefully will get it right :)
> Cygwin 1.7 installed on approx 10 machines - XP /2008
> domain cyg_server user created
> Added above user to Quotas/create token/replace token & log on as
> service & local admins on pc's
> added cyg_server to passwd file
> ssh-host-config (found above user and used it and did the right perms
> on /var/empty & /var/log/sshd.log )
> added domain user accounts to passwd  & domain users group  > group

You didn't mention whether you set up the LSA authentication package
(with /usr/bin/cyglsa-config), or used 'passwd -R' for each user. Did
you try either of those?

The Cygwin User Guide goes into great detail about the methods of
changing user context, in this chapter:
http://cygwin.com/cygwin-ug-net/ntsec.html

The gist of that chapter is this: If you want to be able to login via
ssh as a user that is not running the sshd daemon, you have basically
two options:

(1) Provide a valid Windows password to the sshd daemon, either
interactively (which you obviously don't want to do, since you're
attempting public key auth), or stored statically in the registry via
'passwd -R'.

(2) Use the LSA authentication package. Bear in mind that if you use
this option to avoid giving sshd your password entirely, I believe that
certain privileges are withheld from the logged in user. [I don't
remember exactly what privs are missing in this case... access to
network resources maybe?]

Hope this helps,
-SM
--

--
Problem reports:       http://cygwin.com/problems.html
FAQ:                   http://cygwin.com/faq/
Documentation:         http://cygwin.com/docs.html
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple