Re: Cygwin ssh and Windows authentication

On 2015-07-22 23:46, Andrey Repin wrote:
> Greetings, Jarek!
>
>>>>>> So why are they not needed as your comment doesn't really explain that
>>>>> Read 1.7.35 changelog. In short, username resolution was completely reworked, thanks to Corinna, and Cygwin now directly addresses domain controllers for it.
>>>> OK so it addresses DCs to check some settings or privileges. I don't suppose it just asks 'hey DS, can contoso\johnd access sshd on server1?'
>>> Indirectly, that can be done, i.e., by including a user in SSH group and allow only DOMAIN+SSH group to authorize on server.
>> I assume the group name is arbitrary and can be named anything.
>
> Of course. I have a generic RemoteUsers group for all users that allowed remote access (VPN, SSH, etc.)
>
>> I went through local rights on my sshserver and I see the Everyone, and Users local groups have Allow to access this computer via network. I take it the 'Act as part of the OS', 'Create a token object' and 'Replace a process level token' rights are only for the account running the sshd service.
>
> Yes, these are only used by service itself, and not propagated to the users connected.
>
>>> Verbose logging from both client and server may give some insight, too.
>> Here is what I get from the logs on the client when attempting to connect with WinSCP
>
> Try using only username to login. Without domain prefix.
> And disable other auth mechanics while you are testing, namely I see it trying GSSAPI, which wouldn't work unless explicitly configured and allowed.
>
> Please attach long listings as files or provide links to pastebin service of your choice.

Hi Andrey,

Just for an update I deployed ssh access using the passwd file. I found it works fine as long as the user connecting is a member of local admins. Otherwise users are not able to connect. Looks like this may be a bug after all.

Best,
Jarek

--
Problem reports: http://cygwin.com/problems.html
FAQ: http://cygwin.com/faq/
Documentation: http://cygwin.com/docs.html
Unsubscribe info: http://cygwin.com/ml/#unsubscribe-simple

Re: Cygwin ssh and Windows authentication

On 2015-07-22 23:46, Andrey Repin wrote:
> Greetings, Jarek!
>
>>>>>> So why are they not needed as your comment doesn't really explain that
>>>>> Read 1.7.35 changelog. In short, username resolution was completely reworked, thanks to Corinna, and Cygwin now directly addresses domain controllers for it.
>>>> OK so it addresses DCs to check some settings or privileges. I don't suppose it just asks 'hey DS, can contoso\johnd access sshd on server1?'
>>> Indirectly, that can be done, i.e., by including a user in SSH group and allow only DOMAIN+SSH group to authorize on server.
>> I assume the group name is arbitrary and can be named anything.
>
> Of course. I have a generic RemoteUsers group for all users that allowed remote access (VPN, SSH, etc.)
>
>> I went through local rights on my sshserver and I see the Everyone, and Users local groups have Allow to access this computer via network. I take it the 'Act as part of the OS', 'Create a token object' and 'Replace a process level token' rights are only for the account running the sshd service.
>
> Yes, these are only used by service itself, and not propagated to the users connected.
>
>>> Verbose logging from both client and server may give some insight, too.
>> Here is what I get from the logs on the client when attempting to connect with WinSCP
>
> Try using only username to login. Without domain prefix.
> And disable other auth mechanics while you are testing, namely I see it trying GSSAPI, which wouldn't work unless explicitly configured and allowed.
>
> Please attach long listings as files or provide links to pastebin service of your choice.

Hi Andrey,

As much as I don't like giving up, after lots of testing I found the only way I can get a domain user to access my server is by creating the /etc/passwd file and adding the users there. I don't understand the workings behind this but at least it works. Thank you very much for your help and patience. Due to tons of other things I have to work on now I won't be pursuing this further but hey, Microsoft are yet again working on ssh. Maybe they succeed this time.

All the best.

Re: Cygwin ssh and Windows authentication

On 2015-07-21 22:36, Andrey Repin wrote:
> Greetings, Jarek!
>
>>>>> So why are they not needed as your comment doesn't really explain that
>>>> Read 1.7.35 changelog. In short, username resolution was completely reworked, thanks to Corinna, and Cygwin now directly addresses domain controllers for it.
>>> OK so it addresses DCs to check some settings or privileges. I don't suppose it just asks 'hey DS, can contoso\johnd access sshd on server1?'
>
> Indirectly, that can be done, i.e., by including a user in SSH group and allow only DOMAIN+SSH group to authorize on server.

I assume the group name is arbitrary and can be named anything.

I went through local rights on my sshserver and I see the Everyone, and Users local groups have Allow to access this computer via network. I take it the 'Act as part of the OS', 'Create a token object' and 'Replace a process level token' rights are only for the account running the sshd service.

>>> to which the DC is like 'dude, what the heck is sshd?' :)
>
> This is not that simple. The actual authentication is done by SSH itself in this case. Same as on *NIX. For THIS (or, more precisely, to craft auth token which IS THE user in terms of OS access control) it needs certain privileges. The details are in documentation I linked earlier, the next question about using public keys with SSH.

I take it the 'Act as part of the OS', 'Create a token object' and 'Replace a process level token' rights are only for the account running the sshd service.

>>> I now have the cygwin service running in domain context so now I would somehow need to let the DC know who is allowed to ssh to my server1.
>
> By default, everyone will be allowed, and they will have only what rights they have, as the actual access control is done by OS itself, once the user is authenticated.
>
>>> My domain account, although in local admins on the server is now failing authentication when trying to ssh. Which gets us back to the question what do I need for a DC to authenticate me?
>
> Nothing more than what is stated in the FAQ entry.
> I suggest starting from a new Cygwin install (stop and remove installed Cygwin services and rename your existing installation out of the way) and recheck the results.
> Verbose logging from both client and server may give some insight, too.

Here is what I get from the logs on the client when attempting to connect with WinSCP:

17:04:05.612 --
17:04:05.612 WinSCP Version 4.1.9 (Build 416) (OS 6.2.9200)
17:04:05.612 Login time: 22 July 2015 17:04:05
17:04:05.613 --
17:04:05.613 Session name: sshserver
17:04:05.613 Host name: sshserver (Port: 22)
17:04:05.613 User name: contoso\testuser (Password: Yes, Key file: No)
17:04:05.613 Tunnel: No
17:04:05.613 Transfer Protocol: SFTP (SCP)
17:04:05.613 Ping type: -, Ping interval: 30 sec; Timeout: 15 sec
17:04:05.613 Proxy: none
17:04:05.613 SSH protocol version: 2; Compression: No
17:04:05.613 Bypass authentication: No
17:04:05.613 Try agent: Yes; Agent forwarding: No; TIS/CryptoCard: No; KI: Yes; GSSAPI: No
17:04:05.613 Ciphers: aes,blowfish,3des,WARN,arcfour,des; Ssh2DES: No
17:04:05.613 SSH Bugs: -,-,-,-,-,-,-,-
17:04:05.613 SFTP Bugs: -,-
17:04:05.613 Return code variable: Autodetect; Lookup user groups: Yes
17:04:05.613 Shell: default, EOL: 0
17:04:05.613 Clear aliases: Yes, Unset nat.vars: Yes, Resolve symlinks: Yes
17:04:05.613 LS: ls -la, Ign LS warn: Yes, Scp1 Comp: No
17:04:05.613 Local directory: default, Remote directory: home, Update: No, Cache: Yes
17:04:05.613 Cache directory changes: Yes, Permanent: Yes
17:04:05.613 DST mode: 1
17:04:05.613 --
17:04:05.644 Looking up host sshserver
17:04:05.645 Connecting to 159.x.x.x port 22
17:04:05.649 Waiting for the server to continue with the initialisation
17:04:05.649 Detected network event
17:04:05.693 Detected network event
17:04:05.693 Server version: SSH-2.0-OpenSSH_6.8
17:04:05.693 We claim version: SSH-2.0-WinSCP_release_4.1.9
17:04:05.693 SSPI: acquired credentials for: testu...@contoso.com
17:04:05.693 Constructed service principal name 'host/sshserver'
17:04:05.693 Enabling GSSKEX for this target
17:04:05.694 Using SSH protocol version 2
17:04:05.694 Waiting for the server to continue with the initialisation
17:04:05.708 Detected network event
17:04:05.708 Doing Diffie-Hellman group exchange
17:04:05.708 Waiting for the server to continue with the initialisation
17:04:05.720 Detected network event
17:04:05.720 Doing Diffie-Hellman key exchange with hash SHA-1
17:04:05.760 Waiting for the server to continue with the initialisation
17:04:05.768 Detected network event
17:04:05.821 Host key fingerprint is:
17:04:05.952 ssh-rsa 2048 eb:74:f2:52:b1:08:e9:25:11:9a:e3:e7:b0:94:74:18
17:04:05.952 Initialised AES-256 SDCTR client-server encryption

Re: Cygwin ssh and Windows authentication

Greetings, Jarek!

>>>>> So why are they not needed as your comment doesn't really explain that
>>>> Read 1.7.35 changelog. In short, username resolution was completely reworked, thanks to Corinna, and Cygwin now directly addresses domain controllers for it.
>>> OK so it addresses DCs to check some settings or privileges. I don't suppose it just asks 'hey DS, can contoso\johnd access sshd on server1?'
>> Indirectly, that can be done, i.e., by including a user in SSH group and allow only DOMAIN+SSH group to authorize on server.
> I assume the group name is arbitrary and can be named anything.

Of course. I have a generic RemoteUsers group for all users that allowed remote access (VPN, SSH, etc.)

> I went through local rights on my sshserver and I see the Everyone, and Users local groups have Allow to access this computer via network. I take it the 'Act as part of the OS', 'Create a token object' and 'Replace a process level token' rights are only for the account running the sshd service.

Yes, these are only used by service itself, and not propagated to the users connected.

>> Verbose logging from both client and server may give some insight, too.
> Here is what I get from the logs on the client when attempting to connect with WinSCP

Try using only username to login. Without domain prefix.
And disable other auth mechanics while you are testing, namely I see it trying GSSAPI, which wouldn't work unless explicitly configured and allowed.

Please attach long listings as files or provide links to pastebin service of your choice.

--
With best regards,
Andrey Repin
Thursday, July 23, 2015 00:42:20

Sorry for my terrible English...

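As an added example, not part of this thread and not Cygwin's own tooling, here is the check a defender would run after reading Jarek's list of rights and Andrey's answer that they belong to the service account only. The script reads a `secedit /export /cfg` dump of User Rights Assignment and reports every principal other than the sshd service account that holds `SeTcbPrivilege` (Act as part of the operating system), `SeCreateTokenPrivilege` (Create a token object) or `SeAssignPrimaryTokenPrivilege` (Replace a process level token). The service-account SID and the export produced by `make_sample` are constructed placeholders.

```shell
#!/bin/sh
# Audit which principals hold the three privileges Cygwin's sshd service
# account needs. Input is the [Privilege Rights] section of a
# "secedit /export /cfg rights.inf /areas USER_RIGHTS" dump. secedit writes
# UTF-16; convert it first, e.g. iconv -f UTF-16 -t UTF-8 rights.inf > rights.txt

# SID of the account running sshd (constructed placeholder; look yours up,
# for example with `mkpasswd -d -u cyg_server` and reading the SID field).
SSHD_SVC_SID='S-1-5-21-1000000000-2000000000-3000000000-1105'

# Principals that may hold a privilege besides the service account.
# LOCAL SERVICE (S-1-5-19) and NETWORK SERVICE (S-1-5-20) hold
# SeAssignPrimaryTokenPrivilege by default on Windows.
allowed_for() {
    case "$1" in
        SeAssignPrimaryTokenPrivilege) echo "S-1-5-19 S-1-5-20" ;;
        *) echo "" ;;
    esac
}

# audit_privileges FILE
# Prints "<privilege> <sid>" for each unexpected holder.
# Returns 0 if only expected principals hold the privileges, 1 otherwise.
audit_privileges() {
    file="$1"
    bad=0
    for priv in SeTcbPrivilege SeCreateTokenPrivilege SeAssignPrimaryTokenPrivilege; do
        # secedit lines look like: SeTcbPrivilege = *S-1-5-...,*S-1-5-...
        # Strip the leading '*' marks, the CR of CRLF files, and split on ','.
        holders=$(awk -F' = ' -v p="$priv" \
            '$1 == p { sub(/\r$/, "", $2); gsub(/\*/, "", $2); gsub(/,/, " ", $2); print $2 }' "$file")
        for sid in $holders; do
            case " $SSHD_SVC_SID $(allowed_for "$priv") " in
                *" $sid "*) ;;                       # expected holder
                *) echo "$priv $sid"; bad=1 ;;       # anyone else is reported
            esac
        done
    done
    return $bad
}

# Constructed sample export: a second domain account (RID 1001) was also
# granted "Create a token object", which the audit should flag.
make_sample() {
    cat > "$1" <<EOF
[Privilege Rights]
SeNetworkLogonRight = *S-1-1-0,*S-1-5-32-544,*S-1-5-32-545
SeTcbPrivilege = *S-1-5-21-1000000000-2000000000-3000000000-1105
SeCreateTokenPrivilege = *S-1-5-21-1000000000-2000000000-3000000000-1105,*S-1-5-21-1000000000-2000000000-3000000000-1001
SeAssignPrimaryTokenPrivilege = *S-1-5-19,*S-1-5-20,*S-1-5-21-1000000000-2000000000-3000000000-1105
EOF
}

# Stand-alone run against the constructed sample.
sample=$(mktemp)
make_sample "$sample"
if audit_privileges "$sample"; then
    echo "OK: only the sshd service account holds the token privileges"
else
    echo "WARNING: unexpected holders listed above"
fi
rm -f "$sample"
```

Run it against a real export by pointing `audit_privileges` at the converted file instead of the sample. Anything it lists is an account that can mint or swap logon tokens on that host, which is exactly what Andrey says should stay with the service account rather than propagate to connecting users.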
Re: Cygwin ssh and Windows authentication

Greetings, Jarek!

>>> So why are they not needed as your comment doesn't really explain that
>> Read 1.7.35 changelog. In short, username resolution was completely reworked, thanks to Corinna, and Cygwin now directly addresses domain controllers for it.
> OK so it addresses DCs to check some settings or privileges. I don't suppose it just asks 'hey DS, can contoso\johnd access sshd on server1?'

Indirectly, that can be done, i.e., by including a user in SSH group and allow only DOMAIN+SSH group to authorize on server.

> to which the DC is like 'dude, what the heck is sshd?' :)

This is not that simple. The actual authentication is done by SSH itself in this case. Same as on *NIX. For THIS (or, more precisely, to craft auth token which IS THE user in terms of OS access control) it needs certain privileges. The details are in documentation I linked earlier, the next question about using public keys with SSH.

> I now have the cygwin service running in domain context so now I would somehow need to let the DC know who is allowed to ssh to my server1.

By default, everyone will be allowed, and they will have only what rights they have, as the actual access control is done by OS itself, once the user is authenticated.

> My domain account, although in local admins on the server is now failing authentication when trying to ssh. Which gets us back to the question what do I need for a DC to authenticate me?

Nothing more than what is stated in the FAQ entry.
I suggest starting from a new Cygwin install (stop and remove installed Cygwin services and rename your existing installation out of the way) and recheck the results.
Verbose logging from both client and server may give some insight, too.

>>> and how exactly did I screw up my setup if I can actually access the server with a domain user account no problem?
>> On that, I'm surprised.
> Maybe a bug then?

Depends, what exactly was the state. But I'm not concerned.
There are very few narrow use cases left for having passwd/group files around, so it is better to just get rid of them. Because:

>> /etc/passwd/group has nothing to do with access control. The files were only used to convert Windows to Cygwin names (and supply other Cygwin-specific information), on the presumption that there will never be too much of it. This is now done on the fly, allowing to deploy Cygwin in large domains.

--
With best regards,
Andrey Repin
Tuesday, July 21, 2015 23:27:07

Sorry for my terrible English...

Re: Cygwin ssh and Windows authentication

On 2015-07-21 02:25, Andrey Repin wrote:
> Greetings, Jarek!

Hey Andrey.

>> So why are they not needed as your comment doesn't really explain that
>
> Read 1.7.35 changelog. In short, username resolution was completely reworked, thanks to Corinna, and Cygwin now directly addresses domain controllers for it.

OK so it addresses DCs to check some settings or privileges. I don't suppose it just asks 'hey DS, can contoso\johnd access sshd on server1?' to which the DC is like 'dude, what the heck is sshd?' :)

I now have the cygwin service running in domain context so now I would somehow need to let the DC know who is allowed to ssh to my server1.

My domain account, although in local admins on the server is now failing authentication when trying to ssh. Which gets us back to the question what do I need for a DC to authenticate me?

>> and how exactly did I screw up my setup if I can actually access the server with a domain user account no problem?
>
> On that, I'm surprised.

Maybe a bug then?

>> Perhaps it's not how it works but it somehow works so again would be good to know why. It's only domain groups that don't work. Even if I set the service account to run under a domain account how would this fix my problem with group access assuming in current setup it works for domain users but not for groups? Again if not the /etc/passwd or /etc/group files then what controls the access?
>
> /etc/passwd/group has nothing to do with access control. The files were only used to convert Windows to Cygwin names (and supply other Cygwin-specific information), on the presumption that there will never be too much of it. This is now done on the fly, allowing to deploy Cygwin in large domains.
>
> P.S. I would appreciate, if you don't top-post.

Yeah, sorry for my bad formatting. Working on that. Hope I'm not top-posting again.

RE: Cygwin ssh and Windows authentication

> From: Andrey Repin
> http://cygwin.com/faq/faq.html#faq.using.sshd-in-domain

Any suggestions if you can't get your domain admin to create a generic cyg_server account for you? I suspect some people in corporate environments may have trouble getting domain admins to create a generic cyg_server domain account, especially one in the domain's Administrators group.

Re: Cygwin ssh and Windows authentication

Hi Andrey.

So why are they not needed as your comment doesn't really explain that and how exactly did I screw up my setup if I can actually access the server with a domain user account no problem?

Perhaps it's not how it works but it somehow works so again would be good to know why. It's only domain groups that don't work. Even if I set the service account to run under a domain account how would this fix my problem with group access assuming in current setup it works for domain users but not for groups?

Again if not the /etc/passwd or /etc/group files then what controls the access?

On 2015-07-20 00:38, Andrey Repin wrote:
> Greetings, Jarek!
>
>> I'm still quite new to Cygwin. I'm using the most recent version to install the ssh component on Server 2012R2 member server since it happened to become a requirement for certain users. The problem I have is to understand how to allow access for domain groups. I read the new version doesn't even need the /etc/passwd and /etc/group files any more but I couldn't see any explanation as to how to allow users or groups permission to ssh to the cygwin sshd server.
>
> Short version is that you need SSH server running under domain user. Which needs to be created prior to starting ssh-host-config.
>
>> Running ssh-host-config answering yes to all questions except the one for using other user than the cyg_server I set up the ssh daemon. Not knowing any other way I created the /etc/passwd file with
>>
>> $ mkpasswd -l > /etc/passwd
>
> These files are no longer needed, but in your specific case, you actually just screwed your setup.
>
>> which dumped all local users into the file. I successfully added a domain user with
>>
>> $ mkpasswd -u [domain_user] -D [domain] >> /etc/passwd
>
> That's not how it works.
>
>> This worked just fine creating the /home/[user] folder I think although I haven't checked if it didn't get created earlier since I installed Cygwin under that user account. No idea though how to get this working without the use of /etc/passwd file.
>>
>> I then created the /etc/group file and added my selected domain user group to it. Unfortunately in this case members of the group cannot connect via ssh. I don't know if there is a way to list all users including group members with access permissions. `net user` lists only users. I tried `net group` but this seems to be limited to DCs only which I have no access to.
>>
>> Could someone please explain how can this be set up and what tells Cygwin who can connect and who can't?
>
> http://cygwin.com/faq/faq.html#faq.using.sshd-in-domain
> It was there all the time.

Re: Cygwin ssh and Windows authentication

On 2015-07-20 19:52, Matt Seitz (matseitz) wrote:
>> From: Andrey Repin
>> http://cygwin.com/faq/faq.html#faq.using.sshd-in-domain
>
> Any suggestions if you can't get your domain admin to create a generic cyg_server account for you? I suspect some people in corporate environments may have trouble getting domain admins to create a generic cyg_server domain account, especially one in the domain's Administrators group.

No chance for that I'm afraid.

Re: Cygwin ssh and Windows authentication

Greetings, Jarek!

> So why are they not needed as your comment doesn't really explain that

Read 1.7.35 changelog. In short, username resolution was completely reworked, thanks to Corinna, and Cygwin now directly addresses domain controllers for it.

> and how exactly did I screw up my setup if I can actually access the server with a domain user account no problem?

On that, I'm surprised.

> Perhaps it's not how it works but it somehow works so again would be good to know why. It's only domain groups that don't work. Even if I set the service account to run under a domain account how would this fix my problem with group access assuming in current setup it works for domain users but not for groups? Again if not the /etc/passwd or /etc/group files then what controls the access?

/etc/passwd/group has nothing to do with access control. The files were only used to convert Windows to Cygwin names (and supply other Cygwin-specific information), on the presumption that there will never be too much of it. This is now done on the fly, allowing to deploy Cygwin in large domains.

P.S. I would appreciate, if you don't top-post.

--
With best regards,
Andrey Repin
Tuesday, July 21, 2015 03:02:14

Sorry for my terrible English...

Re: Cygwin ssh and Windows authentication

Greetings, Jarek!

> I'm still quite new to Cygwin. I'm using the most recent version to install the ssh component on Server 2012R2 member server since it happened to become a requirement for certain users. The problem I have is to understand how to allow access for domain groups. I read the new version doesn't even need the /etc/passwd and /etc/group files any more but I couldn't see any explanation as to how to allow users or groups permission to ssh to the cygwin sshd server.

Short version is that you need SSH server running under domain user. Which needs to be created prior to starting ssh-host-config.

> Running ssh-host-config answering yes to all questions except the one for using other user than the cyg_server I set up the ssh daemon. Not knowing any other way I created the /etc/passwd file with
>
> $ mkpasswd -l > /etc/passwd

These files are no longer needed, but in your specific case, you actually just screwed your setup.

> which dumped all local users into the file. I successfully added a domain user with
>
> $ mkpasswd -u [domain_user] -D [domain] >> /etc/passwd

That's not how it works.

> This worked just fine creating the /home/[user] folder I think although I haven't checked if it didn't get created earlier since I installed Cygwin under that user account. No idea though how to get this working without the use of /etc/passwd file.
>
> I then created the /etc/group file and added my selected domain user group to it. Unfortunately in this case members of the group cannot connect via ssh. I don't know if there is a way to list all users including group members with access permissions. `net user` lists only users. I tried `net group` but this seems to be limited to DCs only which I have no access to.
>
> Could someone please explain how can this be set up and what tells Cygwin who can connect and who can't?

http://cygwin.com/faq/faq.html#faq.using.sshd-in-domain
It was there all the time.

--
With best regards,
Andrey Repin
Monday, July 20, 2015 01:35:00

Sorry for my terrible English...