Cygwin and ssh - password auth. problem

classic Classic list List threaded Threaded
3 messages Options
Reply | Threaded
Open this post in threaded view
|

Cygwin and ssh - password auth. problem

Re Persina
Hello,
 I have cygwin running on a windows 2000 server, which is also a PDC.
I setup sshd in cygwin and I've been using it for some time to login
as administrator, both using the password and using public-key auth,
and it has been working great. I now need to have a regular user (a
member of the Domain User group) login using ssh. I'll call this user
"user1". I created the user in active directory, and synced cygwin's
passwd file with "mkpasswd -d > /etc/passwd". However, this does not
allow me to login over ssh as my new user, using the password I set.

 I try to ssh to the server as the user and I enter the password when
I am prompted by ssh, but it does not accept it; I get "Permission
denied, please try again.". I checked the windows event log, and it
says: "...sshd: PID:2588: Failed password for user1 from 10.0.0.2...".
If I upload my public key to ~user1/.ssh/authorized_keys, I can login.
I understand that is because ssh pub-key auth bypasses windows auth
altogether. Unfortunately, I cannot use pub-key auth for this
particular user.

 The only way I've found to make password-auth work, is to add the
user to the Administrators group. As soon as I do that, I can
successfully ssh to the server and succesfully login with the "user1"
user and its password. Then as soon as I remove the user from the
Administrators group, I can no longer login over ssh. Actually I've
found that adding this user to one of a variety of elevated-privledge
groups will allow him to login. Making the user a member of any one
of: "Server Operators", "Backup Operators", or "Domain Admin" will
allow the user to login over ssh with his password. The problem is
this user cannot have special permissions; he needs to be a standard
user/ Domain User. I tried making him a member of the local Users
group, but that had no effect.

 From the research I've done so far, I haven't found any good reason
why this shouldn't work. There should be a way to allow this user to
login with his password without him needing elevated privledges, yes?
Can someone please point me in the right direction?

 Thanks,
 RP

--
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple
Problem reports:       http://cygwin.com/problems.html
Documentation:         http://cygwin.com/docs.html
FAQ:                   http://cygwin.com/faq/

Reply | Threaded
Open this post in threaded view
|

Re: Cygwin and ssh - password auth. problem

Igor Peshansky
On Fri, 4 Nov 2005, Re Persina wrote:

> Hello,
>  I have cygwin running on a windows 2000 server, which is also a PDC.
> I setup sshd in cygwin and I've been using it for some time to login
> as administrator, both using the password and using public-key auth,
> and it has been working great. I now need to have a regular user (a
> member of the Domain User group) login using ssh. I'll call this user
> "user1". I created the user in active directory, and synced cygwin's
> passwd file with "mkpasswd -d > /etc/passwd". However, this does not
> allow me to login over ssh as my new user, using the password I set.
>
>  I try to ssh to the server as the user and I enter the password when
> I am prompted by ssh, but it does not accept it; I get "Permission
> denied, please try again.". I checked the windows event log, and it
> says: "...sshd: PID:2588: Failed password for user1 from 10.0.0.2...".
> If I upload my public key to ~user1/.ssh/authorized_keys, I can login.
> I understand that is because ssh pub-key auth bypasses windows auth
> altogether. Unfortunately, I cannot use pub-key auth for this
> particular user.
>
>  The only way I've found to make password-auth work, is to add the
> user to the Administrators group. As soon as I do that, I can
> successfully ssh to the server and succesfully login with the "user1"
> user and its password. Then as soon as I remove the user from the
> Administrators group, I can no longer login over ssh. Actually I've
> found that adding this user to one of a variety of elevated-privledge
> groups will allow him to login. Making the user a member of any one
> of: "Server Operators", "Backup Operators", or "Domain Admin" will
> allow the user to login over ssh with his password. The problem is
> this user cannot have special permissions; he needs to be a standard
> user/ Domain User. I tried making him a member of the local Users
> group, but that had no effect.

Sounds like a permission problem.  Did you run "ssh-user-config" for that
user on the PDC?

>  From the research I've done so far, I haven't found any good reason
> why this shouldn't work. There should be a way to allow this user to
> login with his password without him needing elevated privledges, yes?
> Can someone please point me in the right direction?

You could try running sshd in verbose debug mode to see what messages you
get...  Also, a tool like "filemon" from SysInternals could help by
listing the files that sshd tries (and fails) to access...
HTH,
        Igor
--
                                http://cs.nyu.edu/~pechtcha/
      |\      _,,,---,,_ [hidden email]
ZZZzz /,`.-'`'    -.  ;-;;,_ [hidden email]
     |,4-  ) )-,_. ,\ (  `'-' Igor Pechtchanski, Ph.D.
    '---''(_/--'  `-'\_) fL a.k.a JaguaR-R-R-r-r-r-.-.-.  Meow!

If there's any real truth it's that the entire multidimensional infinity
of the Universe is almost certainly being run by a bunch of maniacs. /DA

--
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple
Problem reports:       http://cygwin.com/problems.html
Documentation:         http://cygwin.com/docs.html
FAQ:                   http://cygwin.com/faq/

Reply | Threaded
Open this post in threaded view
|

Re: Cygwin and ssh - password auth. problem

Corinna Vinschen-2
In reply to this post by Re Persina
On Nov  4 17:02, Re Persina wrote:
> Hello,
>  I have cygwin running on a windows 2000 server, which is also a PDC.
> I setup sshd in cygwin and I've been using it for some time to login
> as administrator, both using the password and using public-key auth,
> and it has been working great. I now need to have a regular user (a
> member of the Domain User group) login using ssh. I'll call this user
> "user1". I created the user in active directory, and synced cygwin's
> passwd file with "mkpasswd -d > /etc/passwd". However, this does not
> allow me to login over ssh as my new user, using the password I set.

I think you have to allow logon of this user explicitely.  Normal
users don't have logon rights on the domain controller by default,
AFAIK.


Corinna

--
Corinna Vinschen                  Please, send mails regarding Cygwin to
Cygwin Project Co-Leader          cygwin AT cygwin DOT com
Red Hat, Inc.

--
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple
Problem reports:       http://cygwin.com/problems.html
Documentation:         http://cygwin.com/docs.html
FAQ:                   http://cygwin.com/faq/