From: Andrey Repin
Reply-To: cygwin AT cygwin DOT com
To: All
Date: Fri, 30 Mar 2018 05:01:05 +0300
Message-ID: <724806361.20180330050105@yandex.ru>
Subject: SSHD with key-based auth and non-cygwin user's home.
Mailing-List: contact cygwin-help AT cygwin DOT com; run by ezmlm
Greetings, All!

Thought I'd share in the light of recent SSH questions.

I wasn't using Cygwin SSHD all that much up until recently, when I had to do some long work over a very slow connection that wasn't capable of sustaining an RDP session. I had to use an existing SSHD server somebody conveniently installed a long time ago and integrated with the domain infrastructure. Surprisingly, the server was in good shape and no hacks were involved in its setup, but… but the domain setup itself was a problem. Users' home directories are located on a network share, and setting "correct" permissions on the ~/.ssh was not quite an option.

Understandably, the only remaining option was to connect with a password and let SSH establish a correct network session. However, I quickly got tired of typing the password over and over again.

The solution came in the form of the AuthorizedKeysFile SSHD setting.

The solution itself, step by step:

1. Create a directory in /etc/ (I prefer /etc/ssh/pubkeys/).
2. Set permissions to an equivalent of root:users 0750 (or root:root 0755).
3. In this directory, create files with names matching user logins.
4. Adjust ownership of the files to allow users to modify them.
5. Adjust your sshd_conf file to include this setting:

   AuthorizedKeysFile /etc/ssh/pubkeys/%u %h/.ssh/authorized_keys

6. For users' convenience, create symlinks from ~/.ssh/authorized_keys pointing to the detached keys.

This setup can be used in any environment where it is not feasible or even possible to satisfy SSH's rather arbitrary requirements of the "security" of the authorized_keys file within the user's home directory. On *NIX it is literally enough to set the "pubkeys" directory to root:users 0750 to secure the files in place. Users will be unable to rename or delete files, only change their contents. On Windows, you have to be more careful with permissions inheritance, but nothing that can't be done.

-- 
With best regards,
Andrey Repin
Friday, March 30, 2018 03:29:44

Sorry for my terrible English...
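The steps above as a shell script, with a check of the resulting permissions. This is an added example, not code from the post. It assumes GNU coreutils (stat -c) and a Linux-style "users" group; the store directory, group and home paths are parameters so the functions can be tried against a scratch prefix, and chown is only attempted when running as root.

```shell
# Added example (not from the post): root-owned, per-user authorized_keys
# store outside the users' home directories, plus a permission check.
# Assumes GNU coreutils (stat -c); paths/group are parameters.

# create_pubkeys_dir DIR [GROUP]: root:GROUP 0750, so users can edit
# their own file but not create, rename or delete files in DIR.
create_pubkeys_dir() {
    dir="$1"; group="${2:-users}"
    mkdir -p "$dir"
    chmod 0750 "$dir"
    if [ "$(id -u)" -eq 0 ]; then chown "root:$group" "$dir"; fi
}

# add_user_key_file DIR USER HOME: creates DIR/USER (what sshd reads for
# "AuthorizedKeysFile /etc/ssh/pubkeys/%u"), hands it to USER and links
# HOME/.ssh/authorized_keys to it for convenience.
add_user_key_file() {
    dir="$1"; user="$2"; home="$3"
    keyfile="$dir/$user"
    touch "$keyfile"
    chmod 0644 "$keyfile"   # owner edits; nobody else may write
    if [ "$(id -u)" -eq 0 ]; then chown "$user" "$keyfile"; fi
    mkdir -p "$home/.ssh"
    ln -sfn "$keyfile" "$home/.ssh/authorized_keys"
}

# check_pubkeys_dir DIR [OWNER]: prints one line per problem, returns 1
# if any. DIR must be owned by OWNER (default root) with mode 0750/0755;
# each key file must be a regular file not writable by group/other, or
# another user could append keys to someone else's file.
check_pubkeys_dir() {
    dir="$1"; owner="${2:-root}"; rc=0
    if [ "$(stat -c '%U' "$dir")" != "$owner" ]; then
        echo "$dir: owner is not $owner"; rc=1
    fi
    case "$(stat -c '%a' "$dir")" in
        750|755) ;;
        *) echo "$dir: mode is not 0750/0755"; rc=1 ;;
    esac
    for f in "$dir"/*; do
        [ -e "$f" ] || continue                  # empty directory
        if [ -L "$f" ] || [ ! -f "$f" ]; then
            echo "$f: not a regular file"; rc=1; continue
        fi
        # group or other write bit set (octal digit 2, 3, 6 or 7)
        case "$(stat -c '%a' "$f")" in
            *[2367]?|*[2367]) echo "$f: writable by group or other"; rc=1 ;;
        esac
    done
    return $rc
}
```

Run create_pubkeys_dir and add_user_key_file as root against /etc/ssh/pubkeys, then check_pubkeys_dir /etc/ssh/pubkeys before enabling the AuthorizedKeysFile line.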