From: "Larry Hall (Cygwin)"
Date: Wed, 06 Nov 2013 10:23:17 -0500
To: cygwin AT cygwin DOT com
Subject: Re: Windows Guest Account Locked SSH

On 11/6/2013 5:26 AM, Jez DOT Noake AT gmp DOT police DOT uk wrote:
> I have a similar problem to this post:
> http://cygwin.com/ml/cygwin/2012-06/msg00507.html
>
> except that the version I am using is 1.7.25, downloaded relatively recently.
>
> It seems that making an ssh connection to the CygWin host, using RSA
> certificate to achieve passwordless connection, causes the SSHD service on
> the host to perform an authentication using the account that the service is
> hosted with ... but that it apparently does not qualify the account with a
> domain (ie. the local machine) and apparently the assumption is that it
> should be a DOMAIN account - there was no DOMAIN\CYG_SERVER account so it
> fails and I assume it then tries DOMAIN\Guest as a fall-back, with the wrong
> password and therefore locks out DOMAIN\Guest
>
> So I created a DOMAIN\CYG_SERVER account with the same password as
> \CYG_SERVER and presto!, SSH connections from my client with no
> domain guest lockout.
>
> I have googled to infinity and beyond and found only a few references to
> this problem, and none of them suggest this or any other solution, merely
> that you can try this and that (one relating to duplicated SID's - not the
> reason)
> Can anyone specify a better solution than creating a matching domain account?
>
> I can't help thinking that I have missed some configuration item that
> would deal with this directly.

No, this is exactly the way to do it. ssh-host-config cannot create a
privileged domain account when run as any user from any machine so it
doesn't try to. If you need a domain user to be able to authenticate
with pubkey, you have to do what you did to make that work. The side
effect of locking the domain guest account is a new twist I hadn't heard
of before but then again, it is Windows we're talking about. ;-)

--
Larry

_____________________________________________________________________

A: Yes.
> Q: Are you sure?
>> A: Because it reverses the logical flow of conversation.
>>> Q: Why is top posting annoying in email?
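A triage sketch for the symptom discussed in this thread, added here as an example (it is not code from either poster or from Cygwin): given failed-logon (4625) and lockout (4740) events exported from the Windows Security log, it reports which host produced the failures that locked an account and which other account failed from that host just beforehand. The record layout, the host names and the sample events are constructed, and the CYG_SERVER-then-Guest sequence follows the original poster's assumption about the fallback.

```python
from collections import Counter
from datetime import datetime, timedelta

FAILED_LOGON, LOCKOUT = 4625, 4740  # Windows Security log event IDs

# Constructed sample: (time, event id, domain, account, source/reporting host).
# Simplified layout, not raw event XML; SSHHOST, WKSTN7 and DC01 are made up.
EVENTS = [
    ("2013-11-06T09:58:00", 4625, "DOMAIN", "alice", "WKSTN7"),
    ("2013-11-06T10:00:00", 4625, "DOMAIN", "CYG_SERVER", "SSHHOST"),
    ("2013-11-06T10:00:01", 4625, "DOMAIN", "Guest", "SSHHOST"),
    ("2013-11-06T10:01:00", 4625, "DOMAIN", "CYG_SERVER", "SSHHOST"),
    ("2013-11-06T10:01:01", 4625, "DOMAIN", "Guest", "SSHHOST"),
    ("2013-11-06T10:02:00", 4625, "DOMAIN", "CYG_SERVER", "SSHHOST"),
    ("2013-11-06T10:02:01", 4625, "DOMAIN", "Guest", "SSHHOST"),
    ("2013-11-06T10:02:01", 4740, "DOMAIN", "Guest", "DC01"),
]


def parse(events):
    # Windows account names are case-insensitive, so fold case before comparing.
    return sorted((datetime.fromisoformat(t), eid, dom.lower(), user.lower(), src)
                  for t, eid, dom, user, src in events)


def trace_lockouts(events, window=timedelta(minutes=30), gap=timedelta(seconds=2)):
    """For each lockout, report which hosts produced the failed logons for the
    locked account and which other accounts failed from those hosts just before."""
    rows = parse(events)
    failures = [r for r in rows if r[1] == FAILED_LOGON]
    findings = []
    for when, eid, dom, user, _ in rows:
        if eid != LOCKOUT:
            continue
        own = [f for f in failures
               if f[2:4] == (dom, user) and when - window <= f[0] <= when]
        preceded_by = Counter()
        for ft, _, _, _, src in own:
            for pt, _, pdom, puser, psrc in failures:
                if psrc == src and (pdom, puser) != (dom, user) \
                        and timedelta(0) <= ft - pt <= gap:
                    preceded_by[f"{pdom}\\{puser}"] += 1
        findings.append({
            "account": f"{dom}\\{user}",
            "locked_at": when,
            "sources": dict(Counter(f[4] for f in own)),
            "preceded_by": dict(preceded_by),
        })
    return findings


if __name__ == "__main__":
    for finding in trace_lockouts(EVENTS):
        print(finding)
```

On the constructed sample every Guest failure comes from the sshd host and follows a CYG_SERVER failure by one second, which is the pattern that points at an unqualified service-account logon rather than at someone guessing the Guest password.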