From: "Karl M"
To: cygwin AT cygwin DOT com
Subject: Re: Initial patch to implement partial auth with SSH2
Date: Fri, 20 Apr 2001 07:32:39 -0700

Hi Corinna...

I was thinking...for the CygWin environment (on WinNT and Win2k) we could
avoid the problem of where to place a new call to check_nt_auth and
auth_password by requiring that if the ssh and sshd user-ids are different,
that password authentication is required (which was the reason I was
interested in this in the first place).

I can do that for now by using Authorder2 publickey:password and commenting
out the check in userauth_publickey.

Thanks,

...Karl

>From: Corinna Vinschen
>To: cygwin AT cygwin DOT com, openssh-unix-dev AT mindrot DOT org
>Subject: Re: Initial patch to implement partial auth with SSH2
>Date: Fri, 20 Apr 2001 13:13:54 +0200
>
>On Fri, Apr 20, 2001 at 01:29:42AM -0700, Karl M wrote:
> > Hi All...
> >
> > I've been experimenting with the partial authorization patch for
> > OpenSSH-2.5.2. I'm using CygWin on a Windows 2000 (SP1) box.
> >
> > I noticed a bug in the patch that shows up for CygWin users. The problem is
> > that publickey authentication only works if sshd is running with the same
> > user-id as the ssh client. When I run sshd as a service with a user-id of
> > LocalSystem publickey authentication fails.
> >
> > This is because the check_nt_auth call in userauth-pubkey fails if the ssh
> > user-id is different from the sshd user-id.
> >
> > It looks to me like userauth_pubkey needs to "suspend disbelief" (and not
> > call check_nt_auth and auth_password) for partial authentication, in the
> > hope that a password may come later. Then somewhere check_nt_auth and
> > auth_password need to be called to make sure that we don't forget to set the
> > sshd user-id to the ssh user-id.
>
>Since the original partial authorization patch isn't applied yet,
>you're somewhat on your own. Why don't you simply override the
>check in `check_ntsec' for now?
>
>Corinna
>
>--
>Corinna Vinschen
>Cygwin Developer
>Red Hat, Inc.
>mailto:vinschen AT redhat DOT com