From: Corinna Vinschen
Date: Sat, 16 Dec 2000 16:35:33 +0100
To: cygwin AT cygwin DOT com
Subject: Re: Problem with sshd on WindMill

On Thursday 14 December 2000 23:34, Rob_Hannah AT deluxe DOT com wrote:
> One note to an earlier response when I didn't have the user specified
> in the /etc/passwd file (something like 'Sounds like a security
> hole'). How is it a security hole? In order to get access to the
> sshd box, I have to send my public key file to that box and have the
> owner (in this case me) add it to the ~/.ssh/authorized_keys file.
> Another difference is in password lengths. Std Unix is 8 bytes. I
> use a 24-byte passphrase for my RSA and DSA keys...

This isn't related to RSA/DSA encryption or passphrases vs passwords.

A simple question: How shall sshd recognize where the home directory of the user is which just tries to logon to find the ~/.ssh directory? The only chance is a correct entry in /etc/passwd with a correct home directory set up.

The security hole: Which user is logging in to the system if the user is unknown by the system? An unknown user should always and under all circumstances be refused by sshd.

> Also, under Windows Millenium (i.e., any non-NT+), how are users
> obtained by mkpasswd in the generation of the /etc/passwd file? If
> it just uses the current user, then I lose my changes every time I
> run the Cygwin setup.exe as it auto-executes mkpasswd whenever I run
> it.
9x systems don't have a real concept of different users. As a result the output of mkpasswd is sort of faked. The only information is the name of the current user stored by the system and retrieved by the win32 call GetUserName().

So `mkpasswd' is behaving correctly from my point of view. You can claim that `setup' shouldn't call `mkpasswd' if /etc/passwd already exists (equiv. for `mkgroup').

> Note: below is reposted as I think I sent it to the wrong address
> earlier...

The address was ok as you should have noted by receiving your mail (and my answer) from the mailing list server. However, I asked for the output of ssh -v and sshd -d when logging in with an existing user which could contain more appropriate info.

Corinna

--
Corinna Vinschen
Cygwin Developer
Red Hat, Inc.
mailto:vinschen AT redhat DOT com
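The lookup described in the reply above, as an added example that is not part of the original message and is not sshd's own code: resolve a login name to its authorized_keys path through a passwd-format table and refuse when there is no usable entry. The function name, the sample entries and the rule that the home field must be an absolute path are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Constructed sample in /etc/passwd format (name:pw:uid:gid:gecos:home:shell). */
static const char SAMPLE_PASSWD[] =
    "rob:unused:500:544:Rob (constructed):/home/rob:/bin/bash\n"
    "nohome:unused:501:544:::/bin/bash\n";

/* Hypothetical helper: write the authorized_keys path of `user` to `out`.
 * Returns 0 on success, -1 when the user is unknown or the entry has no
 * absolute home directory; in both cases the login has to be refused. */
int authorized_keys_path(const char *passwd, const char *user,
                         char *out, size_t outlen)
{
    size_t ulen = strlen(user);
    if (ulen == 0 || strchr(user, ':') || strchr(user, '\n'))
        return -1;                          /* not a valid name field */
    for (const char *line = passwd; *line; ) {
        const char *eol = strchr(line, '\n');
        size_t len = eol ? (size_t)(eol - line) : strlen(line);
        /* The name field must match exactly, not as a prefix. */
        if (len > ulen && strncmp(line, user, ulen) == 0 && line[ulen] == ':') {
            const char *f = line + ulen + 1;    /* start of field 2 */
            const char *end = line + len;
            for (int i = 0; i < 4; i++) {       /* advance to field 6 (home) */
                f = memchr(f, ':', (size_t)(end - f));
                if (!f)
                    return -1;                  /* truncated entry */
                f++;
            }
            const char *fe = memchr(f, ':', (size_t)(end - f));
            size_t hlen = (size_t)((fe ? fe : end) - f);
            if (hlen == 0 || f[0] != '/')
                return -1;                      /* no usable home directory */
            int n = snprintf(out, outlen, "%.*s/.ssh/authorized_keys", (int)hlen, f);
            return (n > 0 && (size_t)n < outlen) ? 0 : -1;
        }
        line = eol ? eol + 1 : line + len;
    }
    return -1;                                  /* unknown user: refuse */
}

int main(void)
{
    const char *users[] = { "rob", "mallory", "nohome" };
    char path[128];
    for (int i = 0; i < 3; i++) {
        int rc = authorized_keys_path(SAMPLE_PASSWD, users[i], path, sizeof path);
        printf("%s: %s\n", users[i], rc == 0 ? path : "refused");
    }
    return 0;
}
```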