Mail Archives: cygwin/2005/01/11/15:26:07

Date: Tue, 11 Jan 2005 15:25:46 -0500 (EST)
From: Igor Pechtchanski <pechtcha AT cs DOT nyu DOT edu>
Reply-To: cygwin AT cygwin DOT com
To: Harald Dunkel <harald DOT dunkel AT t-online DOT de>
cc: cygwin AT cygwin DOT com
Subject: Re: cannot access $HOME (on Samba) via ssh
In-Reply-To: <41E42508.3020400@t-online.de>
Message-ID: <Pine.GSO.4.61.0501111507530.15512@slinky.cs.nyu.edu>
References: <41E42508 DOT 3020400 AT t-online DOT de>
MIME-Version: 1.0

On Tue, 11 Jan 2005, Harald Dunkel wrote:

> Igor Pechtchanski wrote:
> | <http://cygwin.com/cygwin-ug-net/ntsec.html#ntsec-switch>, second
> | paragraph.
> | HTH,
> | 	Igor
>
> Sorry, but this does not help.
>
> If I got this right, then you assume that either sshd or the login
> process started by sshd are running as SYSTEM, and the bash started
> later inherits the restricted network access somehow, making an
> access to shares which require an authentication impossible.

Yes, I'm assuming both of those things.  If sshd runs as any user but
SYSTEM (unless that user also has SYSTEM's capabilities as described in
the above link, in which case it might as well be SYSTEM), then no other
user will be able to log in using that sshd instance.  And yes, bash
started from sshd does inherit the authentication token, which is used to
attempt to authenticate with network shares.

I believe you missed the fact that the above link talks about
*passwordless* authentication.  The authentication token constructed by
sshd won't contain the password, and therefore cannot be used to access
network shares that require authentication.  This is a Windows limitation,
and Cygwin can't do anything about it.

> :-(
>
> Please note that ssh and rsh are typical applications of users used
> to work on remote machines in a LAN. If you take away the network
> access to their home directory and all other shares, then this is a
> very severe restriction. And making a network share accessible
> without any authentication is usually not an option, either.
>
> Not a good deal.

Authenticating using the user's password will not restrict the access.
An alternative is to change the authentication mechanism for the shares.
FWIW, the same problem exists with Unix filesystems that require
authentication, notably DFS.
	Igor
-- 
				http://cs.nyu.edu/~pechtcha/
      |\      _,,,---,,_		pechtcha AT cs DOT nyu DOT edu
ZZZzz /,`.-'`'    -.  ;-;;,_		igor AT watson DOT ibm DOT com
     |,4-  ) )-,_. ,\ (  `'-'		Igor Pechtchanski, Ph.D.
    '---''(_/--'  `-'\_) fL	a.k.a JaguaR-R-R-r-r-r-.-.-.  Meow!

"The Sun will pass between the Earth and the Moon tonight for a total
Lunar eclipse..." -- WCBS Radio Newsbrief, Oct 27 2004, 12:01 pm EDT
