Mail Archives: cygwin/2000/06/19/14:22:53

Mailing-List: contact cygwin-help AT sourceware DOT cygnus DOT com; run by ezmlm
List-Subscribe: <mailto:cygwin-subscribe AT sourceware DOT cygnus DOT com>
List-Archive: <http://sourceware.cygnus.com/ml/cygwin/>
List-Post: <mailto:cygwin AT sourceware DOT cygnus DOT com>
List-Help: <mailto:cygwin-help AT sourceware DOT cygnus DOT com>, <http://sourceware.cygnus.com/ml/#faqs>
Sender: cygwin-owner AT sourceware DOT cygnus DOT com
Delivered-To: mailing list cygwin AT sourceware DOT cygnus DOT com
Message-ID: <394E5871.9A06B8E3@ece.gatech.edu>
Date: Mon, 19 Jun 2000 13:29:21 -0400
From: "Charles S. Wilson" <cwilson AT ece DOT gatech DOT edu>
X-Mailer: Mozilla 4.7 [en] (WinNT; U)
X-Accept-Language: en
MIME-Version: 1.0
To: Ian Blenke <icblenke AT 2c2 DOT com>
CC: "'cygwin'" <cygwin AT sourceware DOT cygnus DOT com>
Subject: Re: OpenSSH 2.1 to Windows2000
References: <ED90508D11B4D3119D4700204840658601262560 AT CICERO2>

<snip>

> ???
> 
> > > However, trying to run ssh in "multiuser mode" spawned via
> > > inetd (added sshd -i to /etc/inetd.conf) results in refused
> > > authentication (most likely due to mucked up home directories).
> >
> > did you read the README?
> 
> Yes, I've read the README. It just doesn't make sense.
> Why should RSA authentication work in a single-user
> configuration, but not in a multi-user one?
> 
> If I turn on PasswordAuthentication, ssh does work
> correctly. That's not good for automation that
> works far better with null-phrased RSA keys.

AFAIK, you must use a password (the real, true, NT-authentication
plaintext password) to change the ownership of a process -- such as the
spawned sshd that handles a user session.

So, the master sshd can run under any user you like, and allow any user
to login -- as long as you give it the NT password so that it can spawn
the sub-sshd as the remote user. So password authentication works "just
like unix".

However, with RSA, you don't give the NT password, so the master sshd
cannot create a new process as the remote user -- the spawned sshd runs
as the same user as the master sshd.

There's only one way around this, AFAIK: store an encrypted database
with the NT passwords. Once RSA authentication is complete, look up the
user's encrypted NT password (and unencrypt to *plaintext*) and use that
to spawn the sub-sshd as the remote user. This is (a) fundamentally
insecure and (b) requires manual maintenance -- there is no way to
extract the plaintext password from the NT SAM, so the user will have to
encrypt/store the plaintext password manually -- and remember to update
the sshd password database when changing the NT SAM.

--Chuck

