Mailing-List: contact cygwin-help AT cygwin DOT com; run by ezmlm
Date: Tue, 21 Jul 2015 23:36:55 +0300
From: Andrey Repin
Reply-To: cygwin AT cygwin DOT com
Message-ID: <981419184.20150721233655@yandex.ru>
To: Jarek, cygwin AT cygwin DOT com
Subject: Re: Cygwin ssh and Windows authentication
References: <1301881165 DOT 20150720013859 AT yandex DOT ru> <1399485278 DOT 20150721032532 AT yandex DOT ru>

Greetings, Jarek!
>>> So why are they not needed as your comment doesn't really explain that
>> Read 1.7.35 changelog.
>> In short, username resolution was completely reworked, thanks to Corinna, and
>> Cygwin now directly address domain controllers for it.
> OK so it addresses DCs to check some settings or privileges. I don't
> suppose it just asks 'hey DS, can contoso\johnd access sshd on server1?'

Indirectly, that can be done, i.e., by including a user in "SSH" group and
allow only "DOMAIN+SSH" group to authorize on server.

> to which the DC is like 'dude, what the heck is sshd?' :)

This is not that simple. The actual authentication is done by SSH itself in
this case. Same as on *NIX.
For THIS (or, more precisely, to craft auth token which IS THE "user" in terms
of OS access control) it needs certain privileges. The details are in the
documentation I linked earlier, the next question about using public keys
with SSH.

> I now have the cygwin service running in domain context so now I would
> somehow need to let the DC know who is allowed to ssh to my server1.

By default, everyone will be allowed, and they will have only what rights they
have, as the actual access control is done by OS itself, once the user is
authenticated.

> My domain account, although in local admins on the server is now failing
> authentication when trying to ssh. Which gets us back to the question what
> do I need for a DC to authenticate me?

Nothing more than what is stated in the FAQ entry.
I suggest starting from a new Cygwin install (stop and remove installed Cygwin
services and rename your existing installation out of the way) and recheck the
results.
Verbose logging from both client and server may give some insight, too.

>>> and how exactly did I screw up my setup if I can actually access the
>>> server with a domain user account no problem?
>> On that, I'm surprised.
> Maybe a bug then?

Depends, what exactly was the state. But I'm not concerned.
There are very few narrow use cases left for having passwd/group files around
that it is better to just get rid of them. Because:

>> /etc/passwd/group has nothing to do with "access control".
>> The files were only used to convert Windows to Cygwin names (and supply other
>> Cygwin-specific information), on the presumption that there will never be too
>> much of it. This is now done on the fly, allowing to deploy Cygwin in large
>> domains.

--
With best regards,
Andrey Repin
Tuesday, July 21, 2015 23:27:07

Sorry for my terrible english...

--
Problem reports: http://cygwin.com/problems.html
FAQ: http://cygwin.com/faq/
Documentation: http://cygwin.com/docs.html
Unsubscribe info: http://cygwin.com/ml/#unsubscribe-simple
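Worked model of the "allow only the DOMAIN+SSH group" approach mentioned in the reply above. This is an added example, not code from the thread, from Cygwin or from OpenSSH: it parses a constructed sshd_config fragment and evaluates users against the four list directives in the same order sshd applies them (DenyUsers, then AllowUsers, then DenyGroups, then AllowGroups). CONTOSO, the SSH and DisabledAccounts groups and the user names are placeholders; the `+` between domain and name is Cygwin's default db_separator for domain-qualified accounts, which is why such names can appear in AllowGroups unchanged. The model supports only plain `*`/`?` wildcards, not the user@host pattern form, and it models only sshd's own gate: as the reply says, authentication itself still depends on the privileges the sshd service account holds, which this does not replace.

```python
import fnmatch

# Constructed sshd_config fragment for a Cygwin sshd on a domain member.
# CONTOSO and the group names are placeholders, not taken from the thread.
SSHD_CONFIG = """\
# Domain-qualified names use Cygwin's default db_separator '+'.
DenyGroups  CONTOSO+Disabled*
AllowGroups CONTOSO+SSH Administrators
"""

DIRECTIVES = ("DenyUsers", "AllowUsers", "DenyGroups", "AllowGroups")


def parse_sshd_config(text):
    """Collect the four access-control list directives from an sshd_config.

    Keywords are matched case-insensitively, '#' starts a comment, and the
    values of repeated directives are accumulated. This is a model of the
    file; `sshd -T` on the real host prints the effective values.
    """
    rules = {d: [] for d in DIRECTIVES}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        key, *patterns = line.split()
        for d in DIRECTIVES:
            if key.lower() == d.lower():
                rules[d].extend(patterns)
    return rules


def _matches(patterns, name):
    # sshd patterns are case-sensitive and use only * and ? wildcards;
    # fnmatchcase treats '+' literally, so CONTOSO+SSH matches as written.
    return any(fnmatch.fnmatchcase(name, p) for p in patterns)


def allowed_user(rules, user, groups):
    """Return (allowed, deciding_directive), checking in sshd's order:
    DenyUsers, then AllowUsers, then DenyGroups, then AllowGroups."""
    if _matches(rules["DenyUsers"], user):
        return False, "DenyUsers"
    if rules["AllowUsers"] and not _matches(rules["AllowUsers"], user):
        return False, "AllowUsers"
    if any(_matches(rules["DenyGroups"], g) for g in groups):
        return False, "DenyGroups"
    if rules["AllowGroups"] and not any(_matches(rules["AllowGroups"], g) for g in groups):
        return False, "AllowGroups"
    return True, "ok"


# Constructed accounts, with the group lists `id <user>` would report on the
# server once Cygwin resolves them from the domain controller.
SAMPLE_USERS = {
    "CONTOSO+johnd": ["CONTOSO+Domain Users", "CONTOSO+SSH"],
    "CONTOSO+alice": ["CONTOSO+Domain Users"],
    "CONTOSO+bob": ["CONTOSO+Domain Users", "CONTOSO+SSH", "CONTOSO+DisabledAccounts"],
    "localadmin": ["Administrators", "Users"],
}


def check_all(config_text=SSHD_CONFIG, users=SAMPLE_USERS):
    """Evaluate every constructed account against the constructed config."""
    rules = parse_sshd_config(config_text)
    return {u: allowed_user(rules, u, g) for u, g in users.items()}


if __name__ == "__main__":
    for user, (ok, why) in check_all().items():
        print(f"{user:16} {'allowed' if ok else 'denied':8} ({why})")
```

Note the precedence: bob is in CONTOSO+SSH but is still denied because a DenyGroups match is evaluated before AllowGroups, and alice is denied because AllowGroups is set and none of her groups match. On the real Cygwin host, confirm the group is actually resolvable before relying on it (`getent group CONTOSO+SSH`, `id CONTOSO+johnd`) and check what sshd really loaded with `sshd -T`, since a name the resolver cannot map will never match.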