Date: Wed, 25 Jun 2014 20:25:51 +0200
From: Corinna Vinschen
To: cygwin AT cygwin DOT com
Subject: Re: LDAP integration and sshd
Message-ID: <20140625182551.GS1803@calimero.vinschen.de>
In-Reply-To: <87simsrhhi.fsf@Rainer.invalid>
On Jun 25 20:06, Achim Gratz wrote:
> Corinna Vinschen writes:
> > You read my preliminary doc, I hope?  I attached it again, for
> > completeness.  But, here's what happens:
>
> I guess I read it at one time, but not specifically today. :-)
>
> > If you're in a domain, and the sshd user account is local, the local
> > sshd account will be prefixed with the local machine name, like this:
> >
> >   MACHINE+sshd
> >
> > OpenSSH's sshd looks for an account called "sshd", so in the above
> > scenario, it will fail to find sshd.  There are three workarounds:
>
> The fourth:
>
> mkpasswd -l | awk '/sshd:/{gsub("^[^+]*\\+", "");print;}' >> /etc/passwd

I was specifically talking about workarounds *not* involving generating
an /etc/passwd entry.

> > - Switch off privilege separation in /etc/sshd_config.
>
> Not going to do that if I can help it.

Doesn't work as intended anyway due to the lack of descriptor passing in
Cygwin.  I never use it if I can help it.

> > - Create an unprivileged "sshd" user in your primary domain.  Since
> >   this account is unprefixed by default, sshd will find the user
> >   account and happily use it.
>
> That might actually be the best idea since the account doesn't need any
> privileges at all.  I'll have to ask our domain admins.

It's a good thing in the long run since you never have to care for the
sshd account for all machines in the same domain.

> > - Build your own OpenSSH package with the following patch applied:
>
> With the workarounds available, I'm not trying.
>
> > I have not the faintest idea how to get Kerberos auth working with
> > OpenSSH, sorry.  The problem in case of using the AD stuff might be
> > related to the username prefixing.  Kerberos probably doesn't understand
> > the prefix separator char (the '+' sign by default).
>
> At the moment the problem seems to be that some part of the necessary
> config is missing.  I'm getting into the right realm, but then things
> fall apart.
>
> >> Putting the public keys elsewhere would also work,
> >> but it isn't clear to me how to configure that.
>
> N.B.: This can be done in /etc/sshd_config with an absolute path and
> judicious use of the %u token.  Doesn't help though, since after logging
> in via public key the user doesn't have an LDAP ticket and is thus
> unable to have the home share mounted.  This appeared to work during the
> initial test since the server still had a ticket cached from a previous
> RDP session.

This is what method 3 is for, as described in the below link.

> > Does it work better with the passwd -R method?
> >
> >   https://cygwin.com/cygwin-ug-net/ntsec.html#ntsec-nopasswd3
>
> I didn't get it to work yet.  I suppose that I need to somehow pass
> the "CYGWIN=ntsec" environment via cygrunserv?

Huh?  How long have you been using Cygwin again?  The ntsec option went
away with Cygwin 1.7 ages ago.  That's what the user's guide is for...

https://cygwin.com/cygwin-ug-net/using-cygwinenv.html#cygwinenv-removed-options

Just run cygserver and every user can do it; otherwise enter the password
for the user with `passwd -R ' as admin.

> My initial config had CYGWIN
> empty, which probably means I'll have to re-install the service.

No.

> BTW,
> I've managed to go through some SID until I've had a working config, is
> there any way to reset this counter when deleting a user?

No.

> Do I read this correctly that the password itself gets stored and not an
> NTLM(v2) hash?

No.
Corinna

--
Corinna Vinschen                  Please, send mails regarding Cygwin to
Cygwin Maintainer                 cygwin AT cygwin DOT com
Red Hat
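The lookup failure the thread describes, shown as an added example that is not part of the original mail: on a domain-joined Cygwin host `mkpasswd -l` emits local accounts as `MACHINE+name`, so sshd's lookup for the bare name `sshd` finds nothing until the prefix is stripped (the "fourth workaround" above, wrapped in a reusable function). The passwd lines, machine name and SIDs below are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the thread). Constructed passwd lines in the shape
# `mkpasswd -l` prints on a domain-joined Cygwin host: local accounts carry
# a MACHINE+ prefix, '+' being Cygwin's default separator. SIDs are made up.
SAMPLE_PASSWD='MACHINE+Administrator:*:1000:513:Administrator,S-1-5-21-1-2-3-500:/home/Administrator:/bin/bash
MACHINE+sshd:*:1003:513:sshd privsep,S-1-5-21-1-2-3-1003:/var/empty:/bin/false
DOMAIN+jdoe:*:1100:513:John Doe,S-1-5-21-4-5-6-1100:/home/jdoe:/bin/bash'

# find_account NAME PASSWD_TEXT: print the passwd line whose user field is
# exactly NAME; exit 1 if there is none. This mirrors the lookup sshd does
# for "sshd", which is why a prefixed "MACHINE+sshd" entry is not found.
find_account() {
    printf '%s\n' "$2" | awk -F: -v want="$1" \
        '$1 == want { print; found = 1; exit } END { exit !found }'
}

# unprefixed_sshd_entry PASSWD_TEXT: emit the sshd entry with its machine
# prefix removed, i.e. the line the thread's one-liner appends to /etc/passwd.
unprefixed_sshd_entry() {
    printf '%s\n' "$1" | awk -F: \
        '$1 == "sshd" || $1 ~ /[+]sshd$/ { sub("^[^+]*[+]", ""); print; exit }'
}

# Demonstration: the prefixed entry exists, but the bare name does not resolve,
# so privilege separation would fail to start; print the candidate fix line.
if ! find_account sshd "$SAMPLE_PASSWD" >/dev/null; then
    echo "no bare 'sshd' entry found; unprefixed candidate:"
    unprefixed_sshd_entry "$SAMPLE_PASSWD"
fi
```

Run it against real output (`mkpasswd -l`) only to inspect what sshd will see; the thread's one-liner is the step that actually appends the entry.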