On Fri, 4 Nov 2005, Re Persina wrote:
> Hello,
> I have cygwin running on a windows 2000 server, which is also a PDC.
> I setup sshd in cygwin and I've been using it for some time to login
> as administrator, both using the password and using public-key auth,
> and it has been working great. I now need to have a regular user (a
> member of the Domain User group) login using ssh. I'll call this user
> "user1". I created the user in active directory, and synced cygwin's
> passwd file with "mkpasswd -d > /etc/passwd". However, this does not
> allow me to login over ssh as my new user, using the password I set.
>
> I try to ssh to the server as the user and I enter the password when
> I am prompted by ssh, but it does not accept it; I get "Permission
> denied, please try again.". I checked the windows event log, and it
> says: "...sshd: PID:2588: Failed password for user1 from 10.0.0.2...".
> If I upload my public key to ~user1/.ssh/authorized_keys, I can login.
> I understand that is because ssh pub-key auth bypasses windows auth
> altogether. Unfortunately, I cannot use pub-key auth for this
> particular user.
>
> The only way I've found to make password-auth work, is to add the
> user to the Administrators group. As soon as I do that, I can
> successfully ssh to the server and succesfully login with the "user1"
> user and its password. Then as soon as I remove the user from the
> Administrators group, I can no longer login over ssh. Actually I've
> found that adding this user to one of a variety of elevated-privledge
> groups will allow him to login. Making the user a member of any one
> of: "Server Operators", "Backup Operators", or "Domain Admin" will
> allow the user to login over ssh with his password. The problem is
> this user cannot have special permissions; he needs to be a standard
> user/ Domain User. I tried making him a member of the local Users
> group, but that had no effect.
Sounds like a permission problem. Did you run "ssh-user-config" for that
user on the PDC?
> From the research I've done so far, I haven't found any good reason
> why this shouldn't work. There should be a way to allow this user to
> login with his password without him needing elevated privledges, yes?
> Can someone please point me in the right direction?
You could try running sshd in verbose debug mode to see what messages you
get... Also, a tool like "filemon" from SysInternals could help by
listing the files that sshd tries (and fails) to access...
HTH,
Igor
--
http://cs.nyu.edu/~pechtcha/
|\ _,,,---,,_ [EMAIL PROTECTED]
ZZZzz /,`.-'`' -. ;-;;,_ [EMAIL PROTECTED]
|,4- ) )-,_. ,\ ( `'-' Igor Pechtchanski, Ph.D.
'---''(_/--' `-'\_) fL a.k.a JaguaR-R-R-r-r-r-.-.-. Meow!
If there's any real truth it's that the entire multidimensional infinity
of the Universe is almost certainly being run by a bunch of maniacs. /DA
--
Unsubscribe info: http://cygwin.com/ml/#unsubscribe-simple
Problem reports: http://cygwin.com/problems.html
Documentation: http://cygwin.com/docs.html
FAQ: http://cygwin.com/faq/
