This is the mail archive of the cygwin@cygwin.com mailing list for the Cygwin project.



Re: Passwordless login with ssh


On Wed, Oct 15, 2003 at 04:51:58PM -0700, Andrew DeFaria wrote:
> Sorry, I searched the list and did not get a definitive answer. What I'm 
> trying to do is to secure things up a little bit around here. I would 
> like to use ssh. But I also want to allow valid users to ssh <remove> 
> <command> without being prompted for a password. I'm not sure this is 
> doable.
> 
> Reading from openssh-3.7.1p2-1.README I see
> 
>    Authentication to sshd is possible in one of two ways. You'll have
>    to decide before starting sshd!
> 
>    - If you want to authenticate via RSA and you want to login to that
>    machine to exactly one user account you can do so by running sshd
>    under that user account. You must change /etc/sshd_config to contain
>    the following:
> 
>    RSAAuthentication yes
> 
>    Moreover it's possible to use rhosts and/or rhosts with RSA
>    authentication by setting the following in sshd_config:
> 
>    RhostsAuthentication yes
>    RhostsRSAAuthentication yes
> 
> Seems to me that the above says I can only use RSA Authentication IFF 
> I only want to allow one username to be able to login. Or

You missed the part under "Important change since 2.9p2":

  "Since Cygwin is able to switch user context without password beginning
   with version 1.3.2, OpenSSH now allows to do so when it's running under
   a version >= 1.3.2. Keep in mind that `ntsec' has to be activated to
   allow that feature."

This is a bit too brief, I admit.  Actually, the account who may switch
user context without password needs "create a token object" privilege.
This is by default only the SYSTEM user.  So, running sshd under SYSTEM
account gives you what you want.  Except on 2003 Server.  There you'll
have to create a new account (say "sshd_srv", *not* "sshd") which is
part of the admins group and has the appropriate extra privileges

  "Create a token object"
  "Replace process level token"
  "Increase quotas"
  "Logon as a service"

>    The system account does of course own that user rights by default.
> 
>    Unfortunately, if you choose that way, you can only logon with NT
>    password authentification and you should change /etc/sshd_config to
>    contain the following:

Yeah, should be rewritten.

>    RhostsAuthentication no

Ugh.  Rhosts authentication is dropped entirely since 3.7p1.

Corinna

-- 
Corinna Vinschen                  Please, send mails regarding Cygwin to
Cygwin Developer                                mailto:cygwin@cygwin.com
Red Hat, Inc.
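
As an added example (not part of the original message or of the Cygwin/OpenSSH documentation): a Python check over a `secedit /export` policy dump that reports whether a service account has been assigned the four user rights listed in the reply, and which accounts other than SYSTEM can create tokens. The sample export and the `backup_op` account are constructed, and the example assumes local accounts appear by name in the export; the `Se*` constants are the standard Windows names for those rights.

```python
# Display name as quoted in the message -> constant used in `secedit /export` files.
REQUIRED_RIGHTS = {
    "Create a token object": "SeCreateTokenPrivilege",
    "Replace process level token": "SeAssignPrimaryTokenPrivilege",
    "Increase quotas": "SeIncreaseQuotaPrivilege",
    "Logon as a service": "SeServiceLogonRight",
}
SYSTEM_SID = "S-1-5-18"  # well-known SID of the SYSTEM account

# Constructed sample (not from a real host); assumes local accounts are listed by name.
SAMPLE_EXPORT = """\
[Privilege Rights]
SeCreateTokenPrivilege = sshd_srv
SeAssignPrimaryTokenPrivilege = *S-1-5-19,*S-1-5-20,sshd_srv
SeIncreaseQuotaPrivilege = *S-1-5-19,*S-1-5-20,*S-1-5-32-544
SeServiceLogonRight = sshd_srv,backup_op
[Version]
signature="$CHICAGO$"
"""

def parse_privilege_rights(text):
    """Return {right: [holders]} from the [Privilege Rights] section only."""
    rights, in_section = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            in_section = line.lower() == "[privilege rights]"
        elif in_section and "=" in line:
            name, _, holders = line.partition("=")
            rights[name.strip()] = [h.strip().lstrip("*") for h in holders.split(",") if h.strip()]
    return rights

def missing_rights(rights, account):
    """Required rights (display names) not assigned directly to `account`."""
    return [d for d, c in REQUIRED_RIGHTS.items() if account not in rights.get(c, [])]

def unexpected_token_creators(rights, allowed):
    """Holders of SeCreateTokenPrivilege other than SYSTEM and the allowed set."""
    holders = rights.get("SeCreateTokenPrivilege", [])
    return [h for h in holders if h != SYSTEM_SID and h not in allowed]

if __name__ == "__main__":
    r = parse_privilege_rights(SAMPLE_EXPORT)
    print("sshd_srv lacks:", missing_rights(r, "sshd_srv"))  # group-granted rights not resolved
    print("unexpected token creators:", unexpected_token_creators(r, set()))
```

The check only sees direct assignments: a right granted through group membership (here "Increase quotas" via the Administrators SID) is reported as missing for the account itself. Real `secedit` exports are usually UTF-16, so decode the file before passing its text in.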
