X-Recipient: archive-cygwin AT delorie DOT com DomainKey-Signature: a=rsa-sha1; c=nofws; d=sourceware.org; h=list-id :list-unsubscribe:list-subscribe:list-archive:list-post :list-help:sender:message-id:subject:to:references:from:date :mime-version:in-reply-to:content-type :content-transfer-encoding; q=dns; s=default; b=BcGSWMpoZXXgceyg NGDg/MHdcDRFcS3HZNBoeM4e7x6V1tsSIpCETThY7ucfDiLHRAHtSYp6aK3c0inn GowOIxe0rJvJivoRp24s3sYx7CEni68sOBdDux8q7NSf3xsEushuRc0Hb7f8mK65 wXgNV5Uj5hNFqzBtXkR2xjXHDas= DKIM-Signature: v=1; a=rsa-sha1; c=relaxed; d=sourceware.org; h=list-id :list-unsubscribe:list-subscribe:list-archive:list-post :list-help:sender:message-id:subject:to:references:from:date :mime-version:in-reply-to:content-type :content-transfer-encoding; s=default; bh=Aug3hDacFzyKZoznTxHVJ1 FP2W8=; b=Kg2mB9P3a/I4tUu72GdysY4cvkMTNy/eN+JuvtwyniGL1wN6kQu3hl KUFm7reT1CvQPH6R+3qiK7xFnZOuXImEzXlbFLpZOtAiV6FbadhYh8RAote9tIap QKbh+Z/ngipUt6XcXZCyX3veVVkxZyf+3Xqlm+16xKUGEUbyv0F7g= Mailing-List: contact cygwin-help AT cygwin DOT com; run by ezmlm List-Id: List-Subscribe: List-Archive: List-Post: List-Help: , Sender: cygwin-owner AT cygwin DOT com Mail-Followup-To: cygwin AT cygwin DOT com Delivered-To: mailing list cygwin AT cygwin DOT com Authentication-Results: sourceware.org; auth=none X-Virus-Found: No X-Spam-SWARE-Status: No, score=-1.5 required=5.0 tests=AWL,BAYES_50,FREEMAIL_ENVFROM_END_DIGIT,FREEMAIL_FROM,KAM_ASCII_DIVIDERS,RCVD_IN_DNSWL_LOW,RP_MATCHES_RCVD,SPF_PASS autolearn=ham version=3.3.2 X-HELO: BLU004-OMC1S13.hotmail.com X-TMN: [PVL3J10eHNyd9rorKAUr5yUks2/oCntZ] Message-ID: Subject: Re: Cygwin ssh and Windows authentication To: cygwin AT cygwin DOT com References: <1301881165 DOT 20150720013859 AT yandex DOT ru> <1399485278 DOT 20150721032532 AT yandex DOT ru> <981419184 DOT 20150721233655 AT yandex DOT ru> From: Jarek Date: Wed, 22 Jul 2015 20:57:36 +0200 User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:38.0) Gecko/20100101 Thunderbird/38.1.0 MIME-Version: 1.0 In-Reply-To: <981419184.20150721233655@yandex.ru> Content-Type: text/plain; charset="windows-1252"; format=flowed Content-Transfer-Encoding: 7bit On 2015-07-21 22:36, Andrey Repin wrote: > Greetings, Jarek! > >>>> So why are they not needed as your comment doesn't really explain that >>> Read 1.7.35 changelog. >>> In short, username resolution was completely reworked, thanks to Corinna, and >>> Cygwin now directly address domain controllers for it. >> OK so it addresses DCs to check some settings or priviliges. I don't >> suppose it just asks 'hey DS, can contoso\johnd access sshd on server1?' > Indirectly, that can be done, i.e., by including a user in "SSH" group and > allow only "DOMAIN+SSH" group to authorize on server. I assume the group name is arbitrary and can be named anything. I went thrugh local rights on my sshserver and I see the Everyone, and Users local groups have Allow to access this computer via network. I take it the 'Act as part of the OS','Create a token object' and 'Replace a process level token' rights are only for the account running the sshd service. > >> to which the DC is like 'dude, what the heck is sshd?' :) > This is not that simple. The actual authentication is done by SSH itself in > this case. Same as on *NIX. For THIS (or, more precisely, to craft auth token > which IS THE "user" in terms of OS access control) it needs certain privileges. > The details are in documentation I linked earlier, the next question about > using public keys with SSH. I take it the 'Act as part of the OS','Create a token object' and 'Replace a process level token' rights are only for the account running the sshd service. > >> I now have the cygwin service running in domain context so now I would >> somehow need to let the DC know whe is allowed to ssh to my server1. > By default, everyone will be allowed, and they will have only what rights they > have, as the actual access control is done by OS itself, once the user is > authenticated. > >> My domain account, although in local admins on the server is now failing >> authentication when trying to ssh. Which gets us back to the question what >> do I need for a DC to authenticate me? > Nothing more than what is stated in the FAQ entry. > I suggest starting from a new Cygwin install (stop and remove installed Cygwin > services and rename your existing installation out of the way) and recheck the > results. > Verbose logging from both client and server may give some insight, too. Here is what I get from the logs on the client when attempting to connect with WinSCP 17:04:05.612 -------------------------------------------------------------------------- 17:04:05.612 WinSCP Version 4.1.9 (Build 416) (OS 6.2.9200) 17:04:05.612 Login time: 22 July 2015 17:04:05 17:04:05.613 -------------------------------------------------------------------------- 17:04:05.613 Session name: sshserver 17:04:05.613 Host name: sshserver (Port: 22) 17:04:05.613 User name: contoso\testuser (Password: Yes, Key file: No) 17:04:05.613 Tunnel: No 17:04:05.613 Transfer Protocol: SFTP (SCP) 17:04:05.613 Ping type: -, Ping interval: 30 sec; Timeout: 15 sec 17:04:05.613 Proxy: none 17:04:05.613 SSH protocol version: 2; Compression: No 17:04:05.613 Bypass authentication: No 17:04:05.613 Try agent: Yes; Agent forwarding: No; TIS/CryptoCard: No; KI: Yes; GSSAPI: No 17:04:05.613 Ciphers: aes,blowfish,3des,WARN,arcfour,des; Ssh2DES: No 17:04:05.613 SSH Bugs: -,-,-,-,-,-,-,- 17:04:05.613 SFTP Bugs: -,- 17:04:05.613 Return code variable: Autodetect; Lookup user groups: Yes 17:04:05.613 Shell: default, EOL: 0 17:04:05.613 Clear aliases: Yes, Unset nat.vars: Yes, Resolve symlinks: Yes 17:04:05.613 LS: ls -la, Ign LS warn: Yes, Scp1 Comp: No 17:04:05.613 Local directory: default, Remote directory: home, Update: No, Cache: Yes 17:04:05.613 Cache directory changes: Yes, Permanent: Yes 17:04:05.613 DST mode: 1 17:04:05.613 -------------------------------------------------------------------------- 17:04:05.644 Looking up host "sshserver" 17:04:05.645 Connecting to 159.x.x.x port 22 17:04:05.649 Waiting for the server to continue with the initialisation 17:04:05.649 Detected network event 17:04:05.693 Detected network event 17:04:05.693 Server version: SSH-2.0-OpenSSH_6.8 17:04:05.693 We claim version: SSH-2.0-WinSCP_release_4.1.9 17:04:05.693 SSPI: acquired credentials for: testuser AT contoso DOT com 17:04:05.693 Constructed service principal name 'host/sshserver' 17:04:05.693 Enabling GSSKEX for this target 17:04:05.694 Using SSH protocol version 2 17:04:05.694 Waiting for the server to continue with the initialisation 17:04:05.708 Detected network event 17:04:05.708 Doing Diffie-Hellman group exchange 17:04:05.708 Waiting for the server to continue with the initialisation 17:04:05.720 Detected network event 17:04:05.720 Doing Diffie-Hellman key exchange with hash SHA-1 17:04:05.760 Waiting for the server to continue with the initialisation 17:04:05.768 Detected network event 17:04:05.821 Host key fingerprint is: 17:04:05.952 ssh-rsa 2048 eb:74:f2:52:b1:08:e9:25:11:9a:e3:e7:b0:94:74:18 17:04:05.952 Initialised AES-256 SDCTR client->server encryption 17:04:05.952 Initialised HMAC-SHA1 client->server MAC algorithm 17:04:05.952 Initialised AES-256 SDCTR server->client encryption 17:04:05.952 Initialised HMAC-SHA1 server->client MAC algorithm 17:04:05.952 Waiting for the server to continue with the initialisation 17:04:05.966 Detected network event 17:04:05.966 Using username "CONTOSO\TESTUSER". 17:04:05.969 Waiting for the server to continue with the initialisation 17:04:05.976 Detected network event 17:04:05.976 Waiting for the server to continue with the initialisation 17:04:05.977 Detected network event 17:04:05.977 Keyboard-interactive authentication refused 17:04:05.977 Prompt (6, SSH password, , &Password: ) 17:04:05.977 Using stored password. 17:04:05.979 Sent password 17:04:05.979 Waiting for the server to continue with the initialisation 17:04:06.015 Detected network event 17:04:06.015 Access denied 17:04:06.017 Access denied 17:04:06.017 Prompt (6, SSH password, , &Password: ) 17:05:19.693 Disconnected: Unable to authenticate 17:05:19.705 (ESshFatal) Connection has been unexpectedly closed. Server sent command exit status 0. 17:05:19.705 Authentication log (see session log for details): 17:05:19.705 Using username "CONTOSO\TESTUSER". 17:05:19.705 Access denied. 17:05:19.706 17:05:19.706 Authentication failed. On the server's end it looks a bit puzzling when looking in the logs. In the security log it looks like it's my CONTOSONET\CYG_Service account was trying to log on. Also in the system log the testuser account ntlm account name looks strange with multiple back-slashes in it. Mind the accounts are in diferent domains although there is mutual trust between them. The're in the same forest. ___________________________________________________________ The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: NOUSER Source Workstation: SSHSERVER Error Code: 0xC0000064 ============================================================================= An account failed to log on. Subject: Security ID: CONTOSONET\CYG_SERVICE Account Name: CYGSERVICE Account Domain: CONTOSONET Logon ID: 0x1EF0F8A Logon Type: 2 Account For Which Logon Failed: Security ID: NULL SID Account Name: NOUSER Account Domain: Failure Information: Failure Reason: Unknown user name or bad password. Status: 0xC000006D Sub Status: 0xC0000064 Process Information: Caller Process ID: 0x6d0 Caller Process Name: C:\cygwin\usr\sbin\sshd.exe Network Information: Workstation Name: SSHSERVER Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon request fails. It is generated on the computer where access was attempted. The Subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The Logon Type field indicates the kind of logon that was requested. The most common types are 2 (interactive) and 3 (network). The Process Information fields indicate which account and process on the system requested the logon. The Network Information fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The authentication information fields provide detailed information about this specific logon request. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. ============================================================================================================================ A privileged service was called. Subject: Security ID: SYSTEM Account Name: SSHSERVER$ Account Domain: CONTOSONET Logon ID: 0x3E7 Service: Server: Security Account Manager Service Name: Security Account Manager Process: Process ID: 0x1f0 Process Name: C:\Windows\System32\lsass.exe Service Request Information: Privileges: SeTcbPrivilege sshd: PID 3108: Invalid user CONTOSO\\TESTUSER from 159.x.x.x sshd: PID 3108: input_userauth_request: invalid user CONTOSO\\\\TESTUSER [preauth] sshd: PID 3108: Failed password for invalid user CONTOSO\\TESTUSER from 159.x.x.x port 59652 ssh2 sshd: PID 3108: error: Received disconnect from 159.x.x.x: 13: Unable to authenticate [preauth] sshd: PID 3108: Disconnected from 159.x.x.x [preauth] sshd: PID 3108: error: mm_request_receive: socket closed >>>> and how exactly did I screwed up my setup if I can actually access the >>>> server with a domain user account no problem? >>> On that, I'm surprized. >> Maybe a bug then? > Depends, what exactly was the state. But I'm not concerned. > There's very few narrow use cases left for having passwd/group files around > that it is better to just get rid of them. > Because: For this test I reinstalled without creating the passwd/group files to no avail. >>> /etc/passwd/group has nothing to do with "access control". >>> The files were only used to convert Windows to Cygwin names (and supply other >>> Cygwin-specific information), on the presumption that there will never be too >>> much of it. This is now done on the fly, allowing to deploy Cygwin in large >>> domains. > -- Problem reports: http://cygwin.com/problems.html FAQ: http://cygwin.com/faq/ Documentation: http://cygwin.com/docs.html Unsubscribe info: http://cygwin.com/ml/#unsubscribe-simple