Date: Thu, 4 Feb 2010 19:30:33 +1000
Subject: Re: 1.7 Public Key Authentication problem
From: shane fenton
To: cygwin AT cygwin DOT com

Thanks for the info - I wasn't aware of passwd -R - just tried it and it works which is a good relief.
It's a dev lab - anyone with access to the keys is allowed full rights to the machines - so security not a major concern.

BTW - I had installed cyglsa-config and rebooted and gave the users the "Act as part of OS" right - but it doesn't work for me. I must be missing something .....

Thanks again - you've saved me considerable problems!

On 2010/02/03 10:07 PM, shane fenton wrote:
> Hi,
> First time poster - so hopefully will get it right :)
> Cygwin 1.7 installed on approx 10 machines - XP /2008
> domain cyg_server user created
> Added above user to Quotas/create token/replace token & log on as
> service & local admins on pc's
> added cyg_server to passwd file
> ssh-host-config (found above user and used it and did the right perms
> on /var/empty & /var/log/sshd.log )
> added domain user accounts to passwd & domain users group
> group

You didn't mention whether you set up the LSA authentication package (with /usr/bin/cyglsa-config), or used 'passwd -R' for each user. Did you try either of those?

The Cygwin User Guide goes into great detail about the methods of changing user context, in this chapter:

http://cygwin.com/cygwin-ug-net/ntsec.html

The gist of that chapter is this: If you want to be able to login via ssh as a user that is not running the sshd daemon, you have basically two options:

(1) Provide a valid Windows password to the sshd daemon, either interactively (which you obviously don't want to do, since you're attempting public key auth), or stored statically in the registry via 'passwd -R'.

(2) Use the LSA authentication package. Bear in mind that if you use this option to avoid giving sshd your password entirely, I believe that certain privileges are withheld from the logged in user. [I don't remember exactly what privs are missing in this case... access to network resources maybe?]

Hope this helps,
-SM