Mailing-List: contact cygwin-help AT sourceware DOT cygnus DOT com; run by ezmlm
Message-ID: <394E5871.9A06B8E3@ece.gatech.edu>
Date: Mon, 19 Jun 2000 13:29:21 -0400
From: "Charles S. Wilson"
To: Ian Blenke
CC: "'cygwin'"
Subject: Re: OpenSSH 2.1 to Windows2000

> ???
>
> > > However, trying to run ssh in "multiuser mode" spawned via
> > > inetd (added sshd -i to /etc/inetd.conf) results in refused
> > > authentication (most likely due to mucked up home directories).
> >
> > did you read the README?
>
> Yes, I've read the README. It just doesn't make sense.
> Why should RSA authentication work in a single-user
> configuration, but not in a multi-user one?
>
> If I turn on PasswordAuthentication, ssh does work
> correctly. That's not good for automation that
> works far better with null-phrased RSA keys.

AFAIK, you must use a password (the real, true, NT-authentication plaintext password) to change the ownership of a process -- such as the spawned sshd that handles a user session. So, the master sshd can run under any user you like, and allow any user to login -- as long as you give it the NT password so that it can spawn the sub-sshd as the remote user. So password authentication works "just like unix".

However, with RSA, you don't give the NT password, so the master sshd cannot create a new process as the remote user -- the spawned sshd runs as the same user as the master sshd.

There's only one way around this, AFAIK: store an encrypted database with the NT passwords. Once RSA authentication is complete, look up the user's encrypted NT password (and unencrypt to *plaintext*) and use that to spawn the sub-sshd as the remote user.
This is (a) fundamentally insecure and (b) requires manual maintenance -- there is no way to extract the plaintext password from the NT SAM, so the user will have to encrypt/store the plaintext password manually -- and remember to update the sshd password database when changing the NT SAM.

--Chuck

--
Want to unsubscribe from this list? Send a message to cygwin-unsubscribe AT sourceware DOT cygnus DOT com
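The constraint Chuck describes (a child process can only be started under another NT account if a logon with that account's password succeeds, so a public key alone leaves the child running as the daemon's own account) can be seen directly with the Windows process APIs. The script below is an added illustration written for this archive page; it is not code from the thread, from Cygwin or from OpenSSH. The account name REMOTEUSER and the command run are placeholders.

```powershell
# Added example (not from the thread): start a child process the way a session
# daemon would, with or without the user's password in hand.
function Start-ProcessAsSessionUser {
    param(
        [Parameter(Mandatory)] [string] $FilePath,
        [string[]] $ArgumentList,
        # Present only when the client authenticated with a password. After
        # public-key authentication the daemon has proof of key possession but
        # no password, so nothing can be passed here.
        [System.Management.Automation.PSCredential] $Credential
    )

    $params = @{ FilePath = $FilePath; PassThru = $true }
    if ($ArgumentList) { $params.ArgumentList = $ArgumentList }

    if ($null -eq $Credential) {
        # No password: Windows has no way to build a token for another account,
        # so the child simply inherits the caller's identity (the daemon's user).
        Write-Warning "No credential available; child will run as $env:USERNAME"
    }
    else {
        # Password known: Start-Process performs a logon with the plaintext
        # password and the child receives a token for that account.
        $params.Credential = $Credential
    }

    return Start-Process @params
}

# Public-key case: nothing to hand over, so 'whoami' reports the daemon's account.
$p1 = Start-ProcessAsSessionUser -FilePath 'cmd.exe' -ArgumentList '/c', 'whoami'

# Password case: the password obtained through PasswordAuthentication becomes the
# credential, and 'whoami' reports REMOTEUSER (placeholder account name).
$secret = Read-Host -Prompt 'Password for REMOTEUSER' -AsSecureString
$cred   = New-Object System.Management.Automation.PSCredential ('REMOTEUSER', $secret)
$p2 = Start-ProcessAsSessionUser -FilePath 'cmd.exe' -ArgumentList '/c', 'whoami' -Credential $cred
```

The two calls differ only in whether a credential exists, which is exactly the difference between the PasswordAuthentication and RSA cases in the reply: the mechanism that changes the child's owner consumes a password, and no amount of key material substitutes for it. That is also why the "encrypted password database" workaround is the only alternative and why it amounts to keeping recoverable plaintext passwords on the host.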