Re: Cygwin ssh and Windows authentication

[Andrey Repin <anrdaemon at yandex dot ru>]

Greetings, Jarek!

>>>>> So why are they not needed as your comment doesn't really explain that
>>>> Read 1.7.35 changelog.
>>>> In short, username resolution was completely reworked, thanks to Corinna, and
>>>> Cygwin now directly address domain controllers for it.
>>> OK so it addresses DCs to check some settings or priviliges. I don't
>>> suppose it just asks 'hey DS, can contoso\johnd access sshd on server1?'
>> Indirectly, that can be done, i.e., by including a user in "SSH" group and
>> allow only "DOMAIN+SSH" group to authorize on server.
> I assume the group name is arbitrary and can be named anything.

Of course. I have a generic "RemoteUsers" group for all users that allowed
remote access (VPN, SSH, etc.)

> I went thrugh local rights on my sshserver and I see the Everyone, and 
> Users local groups have Allow to access this computer via network.
> I take it the 'Act as part of the OS','Create a token object' and 
> 'Replace a process level token' rights are only for the account running 
> the sshd service.

Yes, these are only used by service itself, and not propagated to the users
connected.

>> Verbose logging from both client and server may give some insight, too.

> Here is what I get from the logs on the client when attempting to 
> connect with WinSCP

Try using only username to login. Without domain prefix.
And disable other auth mechanics, while you are testing namely I see it trying
GSSAPI, which wouldn't work unless explicitly configured and allowed.

Please attach long listings as files or provide links to pastebin service of
your choice.


-- 
With best regards,
Andrey Repin
Thursday, July 23, 2015 00:42:20

Sorry for my terrible english...


--
Problem reports:       http://cygwin.com/problems.html
FAQ:                   http://cygwin.com/faq/
Documentation:         http://cygwin.com/docs.html
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple