Mailing-List: contact cygwin-help@sourceware.cygnus.com; run by ezmlm List-Subscribe: List-Archive: List-Post: List-Help: , Sender: cygwin-owner@sources.redhat.com Delivered-To: mailing list cygwin@sources.redhat.com Date: Fri, 20 Apr 2001 13:13:54 +0200 From: Corinna Vinschen To: cygwin@cygwin.com, openssh-unix-dev@mindrot.org Subject: Re: Initial patch to implement partial auth with SSH2 Message-ID: <20010420131354.Y12557@cygbert.vinschen.de> Mail-Followup-To: cygwin@cygwin.com, openssh-unix-dev@mindrot.org References: Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline User-Agent: Mutt/1.2.5i In-Reply-To: ; from karlm30@hotmail.com on Fri, Apr 20, 2001 at 01:29:42AM -0700 On Fri, Apr 20, 2001 at 01:29:42AM -0700, Karl M wrote: > Hi All... > > I've been experimenting with the partial authorization patch for > OpenSSH-2.5.2. I'm using CygWin on a Windows 2000 (SP1) box. > > I noticed a bug in the patch that shows up for CygWin users. The problem is > that publickey authentication only works if sshd is running with the same > user-id as the ssh client. When I run sshd as a service with a user-id of > LocalSystem publickey authentication fails. > > This is because the check_nt_auth call in userauth-pubkey fails if the ssh > user-id is different from the sshd user-id. > > It looks to me like userauth_pubkey needs to "suspend disbelief" (and not > call check_nt_auth and auth_password) for partial authentication, in the > hope that a password may come later. Then somewhere check_nt_auth > auth_password need to be called to make sure that we don't forget to set the > sshd user-id to the ssh user-id. Since the original partial authorization patch isn't applied yet, you're somwhat on your own. Why don't you simply override the check in `check_ntsec' for now? Corinna -- Corinna Vinschen Cygwin Developer Red Hat, Inc. mailto:vinschen@redhat.com -- Want to unsubscribe from this list? Check out: http://cygwin.com/ml/#unsubscribe-simple