SSHD with key-based auth and non-cygwin user's home.
- Date: Fri, 30 Mar 2018 05:01:05 +0300
- From: Andrey Repin <anrdaemon@xxxxxxxxx>
- Subject: SSHD with key-based auth and non-cygwin user's home.
Thought I'd share, in the light of recent SSH questions.
I wasn't using Cygwin SSHD all that much up until recently, when I had to do
some long work over a very slow connection that wasn't capable of sustaining
an RDP session.
I had to use an existing SSHD server somebody conveniently installed a long
time ago, and integrated with the domain infrastructure.
Surprisingly, the server was in good shape and no hacks were involved in its
setup, but… but the domain setup itself was a problem. Users' home directories
are located on a network share, and setting "correct" permissions on
~/.ssh was not quite an option.
Understandably, the only remaining option was to connect with a password and let
SSH establish a correct network session. However, I quickly got tired of typing
the password over and over again.
The solution came in the form of the AuthorizedKeysFile SSHD setting.
The solution itself, step by step:
1. Create a directory in the /etc/ (I prefer /etc/ssh/pubkeys/ )
2. Set permissions to an equivalent of root:users 0750 (or root:root 0755)
3. In this directory, create files with names matching user logins.
4. Adjust ownership of the files to allow users to modify them.
5. Adjust your sshd_config file to include this setting:
AuthorizedKeysFile /etc/ssh/pubkeys/%u %h/.ssh/authorized_keys
6. For users' convenience, create symlinks from ~/.ssh/authorized_keys
pointing to the detached keys.
This setup can be used in any environment where it is not feasible, or even
possible, to satisfy SSH's rather arbitrary requirements for the "security" of
the authorized_keys file within the user's home directory.
On *NIX it is literally enough to set "pubkeys" directory to root:users 0750
to secure the files in place. Users will be unable to rename or delete files,
only change their contents.
On Windows, you have to be more careful with permissions inheritance, but
nothing that can't be done.
With best regards,
Friday, March 30, 2018 03:29:44
Sorry for my terrible English...
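The six steps above, as an added shell example that is not part of the original post. It lays out the detached key files with the permissions the post describes, appends the AuthorizedKeysFile line, creates the convenience symlink, and checks that nothing in the tree is group- or world-writable, which is the condition sshd's StrictModes enforces on the file and its parent directories (the file itself must also be owned by root or by the user, which step 4 takes care of). The directory, owner and group are parameters so the functions can be exercised as an unprivileged user under a scratch prefix; in production you would run them as root with `/etc/ssh/pubkeys root users`. The user names `alice`/`bob` and the `demo` function are assumptions for illustration, not from the post. `stat -c` is GNU coreutils syntax, which Cygwin and Linux provide.

```shell
#!/bin/sh
# Added example (not from the original post): detached authorized_keys files
# outside the users' network-share homes, per the six steps in the message.

# Steps 1-4: create DIR as OWNER:GROUP 0750 and one 0644 file per USER.
# Usage: setup_pubkeys_dir DIR OWNER GROUP USER...
setup_pubkeys_dir() {
    dir=$1; owner=$2; group=$3; shift 3
    mkdir -p "$dir"
    chown "$owner:$group" "$dir"
    chmod 0750 "$dir"          # users may traverse, but not rename or delete
    for u in "$@"; do
        f="$dir/$u"
        [ -e "$f" ] || : > "$f"
        # Hand the file to its user so they can edit it. sshd accepts files
        # owned by root or by the user; only chown when root and the account
        # exists (the unprivileged demo keeps the files owned by the caller).
        if [ "$(id -u)" -eq 0 ] && id "$u" >/dev/null 2>&1; then
            chown "$u" "$f"
        fi
        chmod 0644 "$f"        # readable by sshd, writable by the owner only
    done
}

# StrictModes-style check: the directory and every file in it must not be
# group- or world-writable. Returns 1 and reports offenders on stderr.
check_pubkeys_dir() {
    dir=$1; rc=0
    for p in "$dir" "$dir"/*; do
        [ -e "$p" ] || continue
        mode=$(stat -c '%a' "$p")
        # 0$mode is the octal mode; 022 masks the group and other write bits.
        if [ $(( 0$mode & 022 )) -ne 0 ]; then
            echo "insecure: $p (mode $mode is group/world writable)" >&2
            rc=1
        fi
    done
    return $rc
}

# Step 5: append the AuthorizedKeysFile line to CONF, detached file first,
# conventional in-home path second as a fallback.
# Usage: write_sshd_config_line DIR CONF
write_sshd_config_line() {
    printf 'AuthorizedKeysFile %s/%%u %%h/.ssh/authorized_keys\n' "$1" >> "$2"
}

# Step 6: convenience symlink so ~/.ssh/authorized_keys still points at the
# user's detached file. Usage: link_user_keys DIR USER HOMEDIR
link_user_keys() {
    dir=$1; u=$2; home=$3
    mkdir -p "$home/.ssh"
    ln -sfn "$dir/$u" "$home/.ssh/authorized_keys"
}

# Unprivileged walk-through under a scratch prefix (run: sh this.sh demo).
demo() {
    tmp=$(mktemp -d)
    setup_pubkeys_dir "$tmp/pubkeys" "$(id -un)" "$(id -gn)" alice bob
    write_sshd_config_line "$tmp/pubkeys" "$tmp/sshd_config"
    link_user_keys "$tmp/pubkeys" alice "$tmp/home/alice"
    check_pubkeys_dir "$tmp/pubkeys" && echo "pubkeys tree is acceptable to sshd"
    cat "$tmp/sshd_config"
    chmod 0757 "$tmp/pubkeys"           # simulate a bad ACL inheritance
    check_pubkeys_dir "$tmp/pubkeys" || echo "as expected: sshd would reject this"
    rm -rf "$tmp"
}

[ "${1:-}" = demo ] && demo
```

After editing the real sshd_config, `sshd -t` reports syntax errors before the service is restarted, and `check_pubkeys_dir /etc/ssh/pubkeys` is a quick way to confirm that Windows ACL inheritance has not added a writable entry that StrictModes would reject.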