passwordless ssh

All Forums >> [SFU / Interix / SUA Technology] >> SFU / Interix - Getting Started >> passwordless ssh
passwordless ssh - Mar. 7, '04, 1:32:10 PM   
Miles

 

Posts: 18
Joined: Mar. 7, '04,
Status: offline
Hi,

I realise there are a couple of other threads on this topic, but the advice hasn't helped.

- the Win2k/Interix box is a 2KServer and an Active Directory domain controller (machine name "toaster", domain "parkhouse")
- I have used the net user command to set a home dir for a user as recommended and this is fine.
- I am testing a passwordless connection from a FreeBSD box ("muttley")
- The following command is all I think I should need to set things up:

scp miles@muttley:.ssh/id_rsa.pub miles@toaster:.ssh/authorized_keys2

- then I would expect to simply do something like

ssh miles@toaster

This works just fine between FreeBSD/OpenBSD boxes.

From what I'm reading in the forum, I'm suspecting there's something about domains that I'm missing maybe? (!)

I can't recall whether I checked the setuid box during install. Should it be checked or unchecked for this purpose, and can I determine what state it is currently in?

Any pointers would be gratefully dereferenced.
Thanks
Miles
Post #: 1
RE: passwordless ssh - Mar. 8, '04, 9:16:36 AM   
Rodney

 

Posts: 3728
Joined: Jul. 9, '02,
From: /Tools lab
Status: offline
One thing I'm not clear about from your posting is:
The user "miles": is the account part of the domain (parkhouse), or is it local to the machine (toaster)?

From the BSD box to Interix, after you make a connection giving a password, what is the output from the command 'id'? This will tell us which user database the user account is in (or at least defaulting to).

Then try connecting by specifying the fully qualified username in the 'id' output (i.e. toaster+miles) from the BSD box.

Let us know what happens please.
As you may have read in another thread, I'm looking to clear up issues such as this for ssh with some code changes if possible.

You can adjust the setuid behavior with the registry key:
HKLM\SOFTWARE\Microsoft\Services for UNIX\EnableSetUidBinaries

with 1 (one) being on and 0 (zero) being off.

(in reply to Miles)
Post #: 2
RE: passwordless ssh - Mar. 8, '04, 9:35:43 AM   
Miles

 

Posts: 18
Joined: Mar. 7, '04,
Status: offline
Hi Rodney,

Thanks for getting back to me.

1. User "miles" is a domain account in the PARKHOUSE domain, not a local machine account.

2. The output of the id command is...
[Miles@toaster]~$ id
uid=197716(Miles) gid=197121(Domain Users) groups=197121(Domain Users), 65792(+Everyone), 131617(+Users), 197120(Domain Admins), 197721(PasswordPropDeny), 131616(+Administrators), 4095(CurrentSession), 66048(+LOCAL), 66820(+INTERACTIVE), 66827(+Authenticated Users)

3.
<<Then try connecting by specifying the fully qualified username in the 'id' output (i.e. toaster+miles) from the BSD box.>>
- I don't follow. I don't know what you mean by the + command here. Not one I'm familiar with at all, and man ssh doesn't enlighten.

I've tried ssh toaster+miles@toaster but I get permission denied when I supply the password.

Thanks
Miles

(in reply to Rodney)
Post #: 3
RE: passwordless ssh - Mar. 8, '04, 9:39:02 AM   
Miles

 

Posts: 18
Joined: Mar. 7, '04,
Status: offline
Rodney,

quote:

HKLM\SOFTWARE\Microsoft\Services for UNIX\EnableSetUidBinaries


is ON (1) on my server.

Miles

(in reply to Rodney)
Post #: 4
RE: passwordless ssh - Mar. 8, '04, 11:14:58 AM   
markfunk

 

Posts: 673
Joined: Mar. 31, '03,
Status: offline
Miles:
Because of Windows domains, user names have the form "domain\user" where 'domain' is the Windows domain name. Interix supports both this syntax and the "domain+name" syntax.
For accounts defined on a local system, the "domain" part is just the computer name, except when the local system is the domain controller itself. In this case "domain" is the actual domain name (in your case it's "parkhouse").

When you use a nonqualified username, like "user", then Interix needs to fully qualify it. Normally it interprets this as a domain name first. If there is no domain name then it will try the local system account.
(The actual rules are a little more complicated.)
If you want to specify the local account, you can either use the syntax "+user" or "computername+user".

On a domain controller system (like toaster), there is no distinction between domain and local user. All accounts are part of the domain. In this case there is no local account (ie toaster+miles) - there is just "parkhouse+miles".
Note: On a domain controller, the names "domain+name", "+name" and "name" all refer to the same account - the domain account. This is only true on a domain controller.

(in reply to Miles)
Post #: 5
RE: passwordless ssh - Mar. 8, '04, 11:20:45 AM   
markfunk

 

Posts: 673
Joined: Mar. 31, '03,
Status: offline
Where is the physical location of miles' home directory?
Is it a local filesystem on toaster, or is it a network mounted filesystem?

(in reply to Miles)
Post #: 6
RE: passwordless ssh - Mar. 8, '04, 12:20:44 PM   
Miles

 

Posts: 18
Joined: Mar. 7, '04,
Status: offline
markfunk,

Thanks for the background on domains and + symbol.

I've tested (not that I don't believe you, but it's always worth trying for yourself) and miles@toaster and parkhouse+miles@toaster are exactly the same.

The home dir for user miles, for testing purposes, is s:\miles where s is a partition on a local NTFS disk.

This is tested and working fine.

Thanks
Miles

(in reply to Miles)
Post #: 7
RE: passwordless ssh - Mar. 8, '04, 1:46:51 PM   
markfunk

 

Posts: 673
Joined: Mar. 31, '03,
Status: offline
But is s: a drive letter you assigned directly to the filesystem (ie via the Disk Management GUI), or did you connect it via the network by "net use s: ..." or using Explorer->Tools->"Map Network Drive"?

Only by assigning the drive letter directly to the hardware is it considered "a local filesystem".

I suspect for sshd to work (ie be able to read the ~/.ssh directory and sub-files) these files have to be connected locally.

(in reply to Miles)
Post #: 8
RE: passwordless ssh - Mar. 8, '04, 1:51:57 PM   
Miles

 

Posts: 18
Joined: Mar. 7, '04,
Status: offline
markfunk,

S is definitely a local disk. Computer Management/Logical Drives reports it as "Local Disk".

Miles

(in reply to markfunk)
Post #: 9
RE: passwordless ssh - Mar. 8, '04, 1:54:23 PM   
Miles

 

Posts: 18
Joined: Mar. 7, '04,
Status: offline
markfunk,

If it helps, a known_hosts has been happily created in the s:\miles\.ssh directory (I'm pretty sure I actually created the .ssh directory manually, but I certainly didn't make the known_hosts file).

Miles

(in reply to markfunk)
Post #: 10
RE: passwordless ssh - Mar. 8, '04, 1:54:46 PM   
markfunk

 

Posts: 673
Joined: Mar. 31, '03,
Status: offline
ok, thanks. Just had to be sure.

(in reply to Miles)
Post #: 11
RE: passwordless ssh - Mar. 9, '04, 12:54:42 AM   
markfunk

 

Posts: 673
Joined: Mar. 31, '03,
Status: offline
I'm not an ssh expert. But what I did was:

- create an account "mark" on my OpenBSD 3.2 system.
- create a local account on my Windows system (win+mark).
- as mark on OpenBSD, run "ssh-keygen -t rsa" on my UNIX box (OpenBSD 3.2)
- took the ~/.ssh/id_rsa.pub file from OpenBSD and appended it to the ~win+mark/.ssh/authorized_keys file on the Interix/Windows system.
- make sure sshd is running on the "win" system.
- Then, while logged into OpenBSD as "mark", typed: "ssh -l win+mark win".

This started a session on the Windows system without asking for a password.

(in reply to markfunk)
Post #: 12
RE: passwordless ssh - plot thickens... - Mar. 9, '04, 8:20:06 AM   
Miles

 

Posts: 18
Joined: Mar. 7, '04,
Status: offline
Ok, so it is possible - just a case of working out what's different on my setup...

I stopped my sshd daemon and ran it as sshd -de, which sends debugging output to stderr.

On attempting the connection the most interesting part of the output is:

debug1: trying public key file /dev/fs/S/miles/.ssh/authorized_keys
Authentication refused: bad ownership or modes for file /dev/fs/S/miles/.ssh/authorized_keys

So sshd is finding the correct home dir for the user.

ls -l output:

1. s:\miles itself

drwxrwxrwx 1 +Administrators Domain Users 0 Mar 9 08:40 miles

2. contents of s:\miles

total 2
-rw------- 1 Miles Domain Users 368 Mar 9 08:46 .bash_history
drwxrwxrwx 1 +Administrators Domain Users 0 Mar 9 08:42 .ssh
-rwxrwxrwx 1 +Administrators Domain Users 21 Mar 8 17:15 test.txt

3. contents of .ssh

total 1
-rwxrwxrwx 1 +Administrators Domain Users 239 Mar 9 08:50 authorized_keys

Does this make sense to anyone? Is it a red herring? Anyone got any ideas?

Thanks
Miles

(in reply to markfunk)
Post #: 13
RE: passwordless ssh - plot thickens... - Mar. 9, '04, 8:39:46 AM   
steveh

 

Posts: 195
Joined: Jan. 23, '04,
Status: offline
Yep, you have too many permissions on the files and sshd will ignore it. Here's what I have:
bash-2.05b$ pwd
/dev/fs/C/SFU/usr/home/steveh

bash-2.05b$ ls -la
total 1101
drwxr-xr-x  1 steveh  +wheel       0 Mar  7 13:12 .
drwxr-xr-x  1 root    +wheel       0 Jan 24 03:46 ..
drwx------  1 steveh  +wheel       0 Mar  5 23:18 .ssh

bash-2.05b$ ls -la
total 130
drwx------  1 steveh  +wheel      0 Mar  5 23:18 .
drwxr-xr-x  1 steveh  +wheel      0 Mar  7 13:12 ..
-rw-r--r--  1 steveh  +wheel   1077 Mar  5 23:18 authorized_keys2
-rw-------  1 steveh  +wheel    672 Mar  5 23:18 id_dsa
-rw-r--r--  1 steveh  +wheel  63995 Mar  7 19:17 known_hosts
-rw-r--r--  1 steveh  +wheel      0 Mar  5 23:18 known_hosts2

(in reply to Miles)
Post #: 14
RE: passwordless ssh - plot thickens... - Mar. 9, '04, 9:06:25 AM   
Rodney

 

Posts: 3728
Joined: Jul. 9, '02,
From: /Tools lab
Status: offline
Miles:
Steve's permissions and ownership look right.
You want ownership of these files/directories to be you. For security, if these aren't owned by you then someone other than you has control of the files, which is dangerous. Similarly with the file permissions: if anyone (the "other" bits) or even the group can write to the file, it means you don't have enough control of the files for them to be counted secure.

If you ever use a ".rhosts" file the same sort of security is looked for: right ownership with tight permissions. Actually going tighter for ".rhosts" (to 600) is even better.

(in reply to steveh)
Post #: 15
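As an added example (not code from this thread or from SFU/Interix), the following POSIX sh script reproduces the test behind the "bad ownership or modes" refusal Miles saw in his sshd -de output and then applies the modes from Steve's listing, which Rodney explains above: everything owned by the user, nothing group- or world-writable, .ssh at 700 and authorized_keys at 600. The user and home-directory arguments are assumed; changing the owner (Miles' files were owned by +Administrators) needs chown by an administrator and is left out.

```shell
#!/bin/sh
# Added example, not the forum's own code. Checks a home directory the way
# sshd's strict-modes test does, then tightens the modes it complains about.

# Print "<mode> <owner>" for one path, e.g. "drwxrwxrwx +Administrators".
# ls -ld keeps the mode and owner in fields 1 and 3 even when the group
# name contains spaces (as "Domain Users" does in Miles' listing).
mode_and_owner() {
    ls -ld "$1" | awk '{print $1, $3}'
}

# check_ssh_modes USER HOME: return 0 when HOME, HOME/.ssh and
# HOME/.ssh/authorized_keys are all owned by USER and neither group- nor
# world-writable; otherwise print the first offending path and return 1.
check_ssh_modes() {
    user=$1
    home=$2
    for p in "$home" "$home/.ssh" "$home/.ssh/authorized_keys"; do
        [ -e "$p" ] || { echo "missing: $p"; return 1; }
        set -- $(mode_and_owner "$p")
        mode=$1
        owner=$2
        # Characters 6 and 9 of the mode string are the group and
        # other write bits (e.g. position 6 of drwxrwxrwx is 'w').
        gw=$(printf '%s' "$mode" | cut -c6)
        ow=$(printf '%s' "$mode" | cut -c9)
        if [ "$owner" != "$user" ] || [ "$gw" = w ] || [ "$ow" = w ]; then
            echo "bad ownership or modes for $p ($mode $owner)"
            return 1
        fi
    done
    return 0
}

# fix_ssh_modes HOME: apply the modes from the working listing in the
# thread. Ownership is not touched; that needs chown by an administrator.
fix_ssh_modes() {
    home=$1
    chmod go-w "$home"
    chmod 700 "$home/.ssh"
    chmod 600 "$home/.ssh/authorized_keys"
}

# usage: check_ssh_modes "$(id -un)" "$HOME" || fix_ssh_modes "$HOME"
```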
RE: passwordless ssh - plot thickens... - Mar. 9, '04, 10:27:23 AM   
Miles

 

Posts: 18
Joined: Mar. 7, '04,
Status: offline
Thanks, I'll give it a go later on (and report back).

One thing I notice is that Steve has +wheel as a group. This makes me ask what would be good practice for creating groups on the Windows box etc. which will make these tasks (and other stuff) more manageable. How much of the user/group stuff is case insensitive, for example?

Thanks
Miles

(in reply to steveh)
Post #: 16
RE: passwordless ssh - plot thickens... - Mar. 9, '04, 10:35:27 AM   
steveh

 

Posts: 195
Joined: Jan. 23, '04,
Status: offline
My wheel group is actually just Administrators renamed so that portability of scripts is maximised.

(in reply to Miles)
Post #: 17
RE: passwordless ssh - plot thickens... - Mar. 9, '04, 3:12:16 PM   
Miles

 

Posts: 18
Joined: Mar. 7, '04,
Status: offline
All is working, thanks. It was a permissions issue.

Virtual beers all round for everyone for their input.

Miles

(in reply to steveh)
Post #: 18
RE: passwordless ssh - plot thickens... - Mar. 9, '04, 3:28:48 PM   
Rodney

 

Posts: 3728
Joined: Jul. 9, '02,
From: /Tools lab
Status: offline
Speaking of beer!

The libcrypt sources/binaries distributed here for 3.0 (you can use them for 3.5 too) are the same ones used in the 3.5 distribution for the updated libcrypt. Just so people know you are beholden to the "BEER-WARE LICENSE".

"THE BEER-WARE LICENSE" (Revision 42):
<phk@login.dknet.dk> wrote this file.  As long as you retain this notice you
can do whatever you want with this stuff. If we meet some day, and you think
this stuff is worth it, you can buy me a beer in return.   Poul-Henning Kamp

It's one of the best licences around. Of course Mr. Kamp would prefer real beer.

(in reply to Miles)
Post #: 19
RE: passwordless ssh - plot thickens... - Mar. 11, '04, 7:21:08 AM   
eyebear

 

Posts: 8
Joined: Jan. 22, '04,
From: Germany
Status: offline
quote:

ORIGINAL: steveh

My wheel group is actually just Administrators renamed so that portability of scripts is maximised.


wheel... something is going round in my thoughts.

I'm not happy with how the installation process/setup handles the user & home question:
half(*) of the problems result from missing user homes and wrong permissions and groups. Also the question of special NT rights is hidden in the help file, e.g. SeBackupPrivilege or SeRestorePrivilege are needed for SFU users. In the help file these rights are mentioned as "SE_BACKUP, SE_RESTORE", which is completely wrong, because NT is strictly cAsE-SeNsItIvE in rights.

What would be the best way to get rid of these annoyances? Wouldn't it be better to create a local passwd file in /etc like "hosts@ -> /dev/fs/C/WINNT/system32/drivers/etc/hosts"?
Similar with the groups.

Is password synchronization the answer? I thought passwd-sync is only needed in NIS environments, and NIS is... see below.

Ok. 7 hours from now on to go for a good beer.
Anyone else who wants a Staropramen?

Andreas

(*) The second half is NFS. The third half is NIS...

(in reply to steveh)
Post #: 20