
ssh as a domainuser to filer / rsa pubkey in cygwin

Hi all,

my filer is in the windows domain WIN.

I can connect from cygwin with "ssh -l WIN\\user filer" - this works.

Now I want to generate and distribute my RSA key to filer with the following steps:

## generate the rsa key (using an empty passphrase)

ssh-keygen -t rsa

## copy the generated rsa key to my filer (via nfs mount)

cp -v  ~/.ssh/id_rsa.pub  /filer/etc/sshd/user/.ssh/authorized_keys

Now when I try to login with "ssh -v -l WIN\\user filer" or "ssh -i id_rsa.pub -v -l WIN\\user filer" I cannot connect with my "empty passphrase"; I have to type in my password.

Any ideas?

Thanks,

Arda

Re: ssh as a domainuser to filer / rsa pubkey in cygwin

Does it work if you use “ssh -l user” (skip domain part)?

Re: ssh as a domainuser to filer / rsa pubkey in cygwin

yes, but I get:

filer> help

Permission denied, user XXX does not have access to ?

filer> Thu Aug 23 13:23:35 CEST [filer: useradmin.unauthorized.user:warning]: User 'XXX' denied access - missing required capability: 'cli-?'

But if I connect with WIN\user and enter the password I have access to all commands.

Re: ssh as a domainuser to filer / rsa pubkey in cygwin

Have you tried putting the key in a directory with the full name, i.e. sshd/WIN\user/.ssh/authorized_keys?

Note that the backslash is an actual part of the name.
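An added check (not code from this thread or from NetApp) for the two steps discussed above: it verifies that the key you copied really appears in a candidate authorized_keys file, comparing key type and key material only, and tries both directory names mentioned here, the bare user and the full DOMAIN\user with the backslash as part of the name. The filer layout, user names and key strings below are constructed for the example.

```shell
#!/bin/sh
# Added example, not code from the thread. Checks whether the public key you copied
# actually appears in a candidate authorized_keys file, comparing key type and key
# material only (the comment field may differ), and tries both directory names the
# thread mentions: the bare user and the full DOMAIN\user, backslash included.
# All paths and key strings are constructed for this example.

# key_in_file PUBKEY_FILE AUTHORIZED_KEYS -> exit 0 if the key is listed, 1 if not,
# 2 if a file is unreadable. Lines with a leading options field (e.g. no-pty) are
# handled; options containing quoted spaces are not.
key_in_file() {
    pub=$1; ak=$2
    [ -r "$pub" ] && [ -r "$ak" ] || return 2
    want=$(awk '{print $1, $2}' "$pub")
    awk -v want="$want" '
        NF == 0 || $1 ~ /^#/ { next }
        $1 ~ /^(ssh-rsa|ssh-ed25519|ecdsa-sha2-nistp256)$/ { k = $1 " " $2 }
        $1 !~ /^(ssh-rsa|ssh-ed25519|ecdsa-sha2-nistp256)$/ { k = $2 " " $3 }
        k == want { found = 1 }
        END { exit found ? 0 : 1 }' "$ak"
}

# find_key PUBKEY_FILE FILER_ETC USER DOMAIN -> prints each candidate
# <FILER_ETC>/sshd/<name>/.ssh/authorized_keys that holds the key; exit 1 if none.
find_key() {
    pub=$1; base=$2; user=$3; domain=$4; hits=0
    for name in "$user" "$domain\\$user"; do
        ak="$base/sshd/$name/.ssh/authorized_keys"
        if key_in_file "$pub" "$ak"; then
            echo "$ak"
            hits=$((hits + 1))
        fi
    done
    [ "$hits" -gt 0 ]
}

# setup_demo DIR -> builds a constructed filer etc/ layout under DIR. The key
# material is a placeholder string, not a real key.
setup_demo() {
    base=$1
    echo 'ssh-rsa AAAAB3NzaC1yc2EEXAMPLEKEYMATERIAL user@cygwin' > "$base/id_rsa.pub"
    mkdir -p "$base/sshd/user/.ssh" "$base/sshd/WIN\\user/.ssh"
    printf '%s\n' '# unrelated key' \
        'ssh-rsa AAAAB3NzaC1yc2EOTHERKEY other@host' > "$base/sshd/user/.ssh/authorized_keys"
    printf '%s\n' '# copied via nfs mount' \
        'no-pty ssh-rsa AAAAB3NzaC1yc2EEXAMPLEKEYMATERIAL user@cygwin' \
        > "$base/sshd/WIN\\user/.ssh/authorized_keys"
}
```

Run `setup_demo` on a temporary directory and then `find_key "$dir/id_rsa.pub" "$dir" user WIN`; only the WIN\user path is printed, showing which of the two directories actually holds the copied key.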

Re: ssh as a domainuser to filer / rsa pubkey in cygwin

Yes, sure I tried that.

No help

Re: ssh as a domainuser to filer / rsa pubkey in cygwin

Arda Oral wrote:

yes, but I get:

filer> help

Permission denied, user XXX does not have access to ?

filer> Thu Aug 23 13:23:35 CEST [filer: useradmin.unauthorized.user:warning]: User 'XXX' denied access - missing required capability: 'cli-?'

But if I connect with WIN\user and enter the password I have access to all commands.

Have you granted the cli- capabilities to the user you are attempting to access as? The error above seems to indicate that the user is not a member of a role that has these capabilities granted. You would need to use useradmin to add the user to a role that has cli capabilities granted, or create a custom role for the user with those capabilities granted.

Re: ssh as a domainuser to filer / rsa pubkey in cygwin

You probably misunderstand the problem. The real user (domain user) does have the required capabilities, but there does not appear to be any way to let SSH authenticate a domain user using a public key. I could not find any information in the documentation or knowledge base.

If you try to login as domain user using full domain name, public key authentication does not work. If you try to strip domain part, you can use public key, but in this case NetApp apparently does not see this user as domain user (and does not grant capabilities).

Re: ssh as a domainuser to filer / rsa pubkey in cygwin

I tried this a few years ago but found that the only private key I could use was for "root". I didn't try any other local accounts as I was only interested in using my domain account or staying with root, but it could be possible to use another local account. I am still interested to find out if it is possible to use a domain account with pub/priv key authentication. I would bet that another local account could use the authorized_keys for authentication, but domain accounts can't due to the way it wants to use Kerberos authentication and needs your password to do so. The secret key is good enough for the underlying BSD authentication module but not good enough to get a session ticket from a domain controller, as the private key is not associated with Active Directory like your password.

Re: ssh as a domainuser to filer / rsa pubkey in cygwin

Yes, I came to the same conclusion as well. I guess the only way to enable passwordless login in this case would be Kerberos, but as far as I can tell it is not supported by NetApp for user authentication.

Re: ssh as a domainuser to filer / rsa pubkey in cygwin

I have been successful with using local account (as our site does not allow 'root' access), but I have not spent any time attempting to connect via my domain account.