passwordless ssh
passwordless ssh - Mar. 7, '04, 1:32:10 PM
Miles
Posts: 18
Joined: Mar. 7, '04
Status: offline
Hi,
I realise there are a couple of other threads on this topic, but the advice hasn't helped.
- the Win2k/Interix box is a 2KServer and an Active Directory domain controller (machine name "toaster", domain "parkhouse")
- I have used the net user command to set a home dir for a user as recommended and this is fine.
- I am testing a passwordless connection from a FreeBSD box ("muttley")
- The following command is all I think I should need to set things up:
scp miles@muttley:.ssh/id_rsa.pub miles@toaster/.ssh/authorized_keys2
- then I would expect to simply do something like
ssh miles@toaster
This works just fine between FreeBSD/OpenBSD boxes.
From what I'm reading in the forum, I'm suspecting there's something about domains that I'm missing maybe? (!)
I can't recall whether I checked the setuid box during install. Should it be checked or unchecked for this purpose, and can I determine what state it is currently in?
Any pointers would be gratefully dereferenced.
Thanks
Miles
RE: passwordless ssh - Mar. 8, '04, 9:16:36 AM
Rodney
Posts: 3728
Joined: Jul. 9, '02
From: /Tools lab
Status: offline
One thing I'm not clear about from your posting is:
The user "miles": is the account part of the domain (parkhouse), or is it local to the machine (toaster)?
From the BSD box to Interix, after you make a connection giving a password, what is the output from the command 'id'? This will tell us which user database the user account is in (or at least defaulting to).
Then try connecting by specifying the fully qualified username in the 'id' output (i.e. toaster+miles) from the BSD box.
Let us know what happens please.
As you may have read in another thread I'm looking to clear up issues such as this for ssh with some code changes if possible.
You can adjust the setuid behavior with the registry key:
HKLM\SOFTWARE\Microsoft\Services for UNIX\EnableSetUidBinaries
with 1 (one) being on and 0 (zero) being off.
RE: passwordless ssh - Mar. 8, '04, 9:35:43 AM
Miles
Posts: 18
Joined: Mar. 7, '04
Status: offline
Hi Rodney,
Thanks for getting back to me.
1. User "miles" is a domain account in the PARKHOUSE domain, not a local machine account.
2. The output of the id command is...
[Miles@toaster]~$ id
uid=197716(Miles) gid=197121(Domain Users) groups=197121(Domain Users), 65792(+Everyone), 131617(+Users), 197120(Domain Admins), 197721(PasswordPropDeny), 131616(+Administrators), 4095(CurrentSession), 66048(+LOCAL), 66820(+INTERACTIVE), 66827(+Authenticated Users)
3.
<<Then try connecting by specifying the fully qualified username in the 'id' output (i.e. toaster+miles) from the BSD box.>>
- I don't follow. I don't know what you mean by the + command here. Not one I'm familiar with at all and man ssh doesn't enlighten.
I've tried ssh toaster+miles@toaster but I get permission denied when I supply the password.
Thanks
Miles
RE: passwordless ssh - Mar. 8, '04, 9:39:02 AM
Miles
Posts: 18
Joined: Mar. 7, '04
Status: offline
Rodney,
quote:
HKLM\SOFTWARE\Microsoft\Services for UNIX\EnableSetUidBinaries
is ON (1) on my server.
Miles
RE: passwordless ssh - Mar. 8, '04, 11:14:58 AM
markfunk
Posts: 673
Joined: Mar. 31, '03
Status: offline
Miles:
Because of Windows domains, user names have the form "domain\user" where 'domain' is the Windows domain name. Interix supports both this syntax and the "domain+name" syntax.
For accounts defined on a local system, the "domain" part is just the computer name, except when the local system is the domain controller itself. In this case "domain" is the actual domain name (in your case it's "parkhouse").
When you use a nonqualified username, like "user", then Interix needs to fully qualify it. Normally it interprets this as a domain name first. If there is no domain name then it will try the local system account.
(The actual rules are a little more complicated.)
If you want to specify the local account, you can either use the syntax "+user" or "computername+user".
On a domain controller system (like toaster), there is no distinction between domain and local user. All accounts are part of the domain. In this case there is no local account (ie toaster+miles), there is just "parkhouse+miles".
Note: On a domain controller, the names "domain+name", "+name" and "name" all refer to the same account, the domain account. This is only true on a domain controller.
RE: passwordless ssh - Mar. 8, '04, 11:20:45 AM
markfunk
Posts: 673
Joined: Mar. 31, '03
Status: offline
Where is the physical location of miles' home directory?
Is it a local filesystem on toaster? Or is it a network mounted filesystem?
RE: passwordless ssh - Mar. 8, '04, 12:20:44 PM
Miles
Posts: 18
Joined: Mar. 7, '04
Status: offline
markfunk,
Thanks for the background on domains and + symbol.
I've tested (not that I don't believe you, but it's always worth trying for yourself) and miles@toaster and parkhouse+miles@toaster are exactly the same.
The home dir for user miles, for testing purposes, is s:\miles where s is a partition on a local NTFS disk.
This is tested and working fine.
Thanks
Miles
RE: passwordless ssh - Mar. 8, '04, 1:46:51 PM
markfunk
Posts: 673
Joined: Mar. 31, '03
Status: offline
But is s: a drive letter you assigned directly to the filesystem (ie via the Disk Management gui) or did you connect it via the network by "net use s: ..." or using Explorer->Tools->Map Network Drive?
Only by assigning the drive letter directly to the hardware is it considered "a local filesystem".
I suspect for sshd to work (ie be able to read the ~/.ssh directory and sub-files) these files have to be connected locally.
RE: passwordless ssh - Mar. 8, '04, 1:51:57 PM
Miles
Posts: 18
Joined: Mar. 7, '04
Status: offline
markfunk,
S is definitely a local disk. Computer Management/Logical Drives reports it as "Local Disk".
Miles
RE: passwordless ssh - Mar. 8, '04, 1:54:23 PM
Miles
Posts: 18
Joined: Mar. 7, '04
Status: offline
markfunk,
If it helps, a known_hosts has been happily created in the s:\miles\.ssh directory (I'm pretty sure I actually created the .ssh directory manually, but I certainly didn't make the known_hosts file).
Miles
RE: passwordless ssh - Mar. 8, '04, 1:54:46 PM
markfunk
Posts: 673
Joined: Mar. 31, '03
Status: offline
ok, thanks. Just had to be sure.
RE: passwordless ssh - Mar. 9, '04, 12:54:42 AM
markfunk
Posts: 673
Joined: Mar. 31, '03
Status: offline
I'm not an ssh expert. But what I did was:
- create an account "mark" on my OpenBSD 3.2 system.
- create a local account on my Windows system (win+mark).
- as mark on OpenBSD, run "ssh-keygen -t rsa" on my UNIX box (OpenBSD 3.2)
- took the ~/.ssh/id_rsa.pub file from OpenBSD and appended it to the ~win+mark/.ssh/authorized_keys file on the Interix/Windows system.
- make sure sshd is running on "win" system.
- Then, while logged into OpenBSD as "mark", typed: "ssh -l win+mark win".
This started a session on the Windows system without asking for a password.
RE: passwordless ssh - plot thickens... - Mar. 9, '04, 8:20:06 AM
Miles
Posts: 18
Joined: Mar. 7, '04
Status: offline
Ok, so it is possible - just a case of working out what's different on my setup...
I stopped my sshd daemon and ran it as sshd -de which sends debugging output to stderr.
On attempting the connection the most interesting part of the output is:
debug1: trying public key file /dev/fs/S/miles/.ssh/authorized_keys
Authentication refused: bad ownership or modes for file /dev/fs/S/miles/.ssh/authorized_keys
So sshd is finding the correct home dir for the user.
ls -l output:
1. s:\miles itself
drwxrwxrwx 1 +Administrators Domain Users 0 Mar 9 08:40 miles
2. contents of s:\miles
total 2
-rw------- 1 Miles Domain Users 368 Mar 9 08:46 .bash_history
drwxrwxrwx 1 +Administrators Domain Users 0 Mar 9 08:42 .ssh
-rwxrwxrwx 1 +Administrators Domain Users 21 Mar 8 17:15 test.txt
3. contents of .ssh
total 1
-rwxrwxrwx 1 +Administrators Domain Users 239 Mar 9 08:50 authorized_keys
Does this make sense to anyone? Is it a red herring? Anyone got any ideas?
Thanks
Miles
RE: passwordless ssh - plot thickens... - Mar. 9, '04, 8:39:46 AM
steveh
Posts: 195
Joined: Jan. 23, '04
Status: offline
Yep you have too many permissions on the files and sshd will ignore it. Here's what I have:
bash-2.05b$ pwd
/dev/fs/C/SFU/usr/home/steveh
bash-2.05b$ ls -la
total 1101
drwxr-xr-x 1 steveh +wheel 0 Mar 7 13:12 .
drwxr-xr-x 1 root +wheel 0 Jan 24 03:46 ..
drwx------ 1 steveh +wheel 0 Mar 5 23:18 .ssh
bash-2.05b$ ls -la
total 130
drwx------ 1 steveh +wheel 0 Mar 5 23:18 .
drwxr-xr-x 1 steveh +wheel 0 Mar 7 13:12 ..
-rw-r--r-- 1 steveh +wheel 1077 Mar 5 23:18 authorized_keys2
-rw------- 1 steveh +wheel 672 Mar 5 23:18 id_dsa
-rw-r--r-- 1 steveh +wheel 63995 Mar 7 19:17 known_hosts
-rw-r--r-- 1 steveh +wheel 0 Mar 5 23:18 known_hosts2
RE: passwordless ssh - plot thickens... - Mar. 9, '04, 9:06:25 AM
Rodney
Posts: 3728
Joined: Jul. 9, '02
From: /Tools lab
Status: offline
Miles:
Steve's permissions and ownership look right.
You want ownership of these files/directories to be you. For security, if these aren't owned by you then that means someone other than you has control of the files, which is dangerous. Similarly with the file permissions: if anyone (the "other" bits) or even the group can write to the file, it means you don't have enough control of the files to be counted secure.
If you ever use a ".rhosts" file the same sort of security is looked for: right ownership with tight permissions. Actually going tighter for ".rhosts" (to 600) is even better.
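The "bad ownership or modes" refusal in Miles's debug output is sshd's StrictModes check on the path to authorized_keys: the home directory, ~/.ssh and the key file must each be owned by the user (or root) and must not be writable by group or others, which Steve's listing satisfies and Miles's world-writable tree does not. The script below is an added example, not code from the thread or from Interix; it re-implements that check in portable sh (assumes ls, awk, cut, id and mktemp), rebuilds the permissive layout in a temporary directory, shows it being refused, then applies the modes from Steve's listing.

```shell
#!/bin/sh
# Added example: re-implement the ownership/mode check sshd (StrictModes)
# applies to ~, ~/.ssh and ~/.ssh/authorized_keys. Assumes ls, awk, cut, id, mktemp.
# mode_and_owner PATH -> "<ls mode string> <owner>", e.g. "drwxrwxrwx +Administrators"
mode_and_owner() {
    ls -ld "$1" | awk '{ print $1, $3 }'
}
# check_path PATH USER: 0 if PATH is owned by USER (or root) and is not
# writable by group or others; otherwise print why and return 1.
check_path() {
    p=$1; u=$2
    set -- $(mode_and_owner "$p")        # $1 = mode string, $2 = owner
    mode=$1; owner=$2
    case "$owner" in
        "$u"|root) ;;
        *) echo "$p: owned by '$owner', not '$u'"; return 1 ;;
    esac
    # in drwxrwxrwx the 6th and 9th characters are the group and other write bits
    gw=$(printf '%s' "$mode" | cut -c6)
    ow=$(printf '%s' "$mode" | cut -c9)
    if [ "$gw" = w ] || [ "$ow" = w ]; then
        echo "$p: mode $mode is group- or world-writable"; return 1
    fi
    return 0
}
# check_ssh_modes HOME USER: apply check_path to every component sshd
# inspects. Returns 0 only if all three pass.
check_ssh_modes() {
    rc=0
    for p in "$1" "$1/.ssh" "$1/.ssh/authorized_keys"; do
        if [ -e "$p" ]; then check_path "$p" "$2" || rc=1
        else echo "$p: missing"; rc=1; fi
    done
    return $rc
}
# Constructed demo: rebuild the world-writable layout from the thread in a
# temp dir, watch it fail, then apply the modes from Steve's listing.
demo() {
    d=$(mktemp -d); me=$(id -un)
    mkdir -p "$d/.ssh"; : > "$d/.ssh/authorized_keys"
    chmod 777 "$d" "$d/.ssh" "$d/.ssh/authorized_keys"
    check_ssh_modes "$d" "$me" || echo "refused, as sshd would"
    chmod 755 "$d"; chmod 700 "$d/.ssh"; chmod 600 "$d/.ssh/authorized_keys"
    check_ssh_modes "$d" "$me" && echo "accepted"
    rm -rf "$d"
}
demo
```

Running it against a real home directory (check_ssh_modes "$HOME" "$(id -un)") reports the first component sshd would object to, which is quicker than reading sshd -de output.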
RE: passwordless ssh - plot thickens... - Mar. 9, '04, 10:27:23 AM
Miles
Posts: 18
Joined: Mar. 7, '04
Status: offline
Thanks, I'll give it a go later on (and report back).
One thing I notice is that Steve has +wheel as a group. This makes me ask what would be good practice for creating groups on the windows box etc which will make these tasks (and other stuff) more manageable. How much of the user/group stuff is case insensitive, for example?
Thanks
Miles
RE: passwordless ssh - plot thickens... - Mar. 9, '04, 10:35:27 AM
steveh
Posts: 195
Joined: Jan. 23, '04
Status: offline
My wheel group is actually just Administrators renamed so that portability of scripts is maximised.