Date: Fri, 14 Jun 2002 10:13:27 +0200
From: Corinna Vinschen
To: "'cygwin AT cygwin DOT com'"
Subject: Re: OpenSSH key auth causes invalid logon
Message-ID: <20020614101327.B30892@cygbert.vinschen.de>
Reply-To: cygwin AT cygwin DOT com
References: <911C684A29ACD311921800508B7293BA037D30CC AT cnmail>
In-Reply-To: <911C684A29ACD311921800508B7293BA037D30CC@cnmail>
User-Agent: Mutt/1.3.22.1i

On Thu, Jun 13, 2002 at 05:48:17PM -0400, Mark Bradshaw wrote:
> Corinna,
>
> I've noticed that OpenSSH, when doing key authentication, caused an invalid
> logon. If enough instances occurred the account being logged into was
> locked. This didn't usually happen when just logging in, but was more
> common when scripting events. Of course it's pretty common to use key auth
> when scripting remote calls.
>
> While digging I found that this invalid login occurs when OpenSSH tries the
> "none" authentication method. When I modified the code to just return 0 on
> a none attempt the invalid login went away. I can't think of a valid time
> when "none" should work on a windows box. Disabling it doesn't affect key
> or password auth. Can you think of any adverse effect to disabling "none"
> under Cygwin?

No, I can't. OTOH, I don't quite understand what you mean by "invalid
logon". When using pubkey authentication under Cygwin, Windows doesn't
get any logon attempt. The logon is done by creating a handcrafted
user token so I wonder what you mean by "the account was locked".
Do you mean in the SAM?

And I'm also wondering what the auth method has to do with it.
The auth method has a meaning only in ssh. There's just one exception,
the password authentication which is actually implemented by calling
LogonUser() at one point.

So the only situation I could think of currently is when the auth
method none accidentally(?) branches into the password authentication
code inside of sshd.

Hang on. *dig, dig*

Ok, auth method "none" is actually implemented by calling
auth_password(). Thinking about that, it makes sense. And it's
not invalid to enable that on Cygwin since it's a possible and
legal case on 9x/Me systems.

I think I see what the problem is. On NT, the PermitEmptyPassword
test in auth_password() is disabled. That's obviously incorrect.
I've no idea how long that code is already in OpenSSH. Perhaps the
core team changed that code slightly at one point and I didn't get
that.

I'll propose the change to eliminate the special handling for NT.
This allows empty passwords only if PermitEmptyPassword is "yes"
also on NT. That should solve your "none" problem as well.

Thanks for the report,
Corinna

-- 
Corinna Vinschen                  Please, send mails regarding Cygwin to
Cygwin Developer                  mailto:cygwin AT cygwin DOT com
Red Hat, Inc.
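Added example (not part of the original message and not OpenSSH source): a simplified C model of the control flow described above, showing why scripted key logins can lock an account while the empty-password test is skipped, and why restoring the test stops it. All function names, the sample password and the lockout threshold of 3 are assumptions made for the illustration.

```c
/* Simplified model only; names, threshold and sample data are assumptions. */
#include <stdbool.h>
#include <string.h>

#define LOCKOUT_THRESHOLD 3   /* assumed account-lockout policy */

struct account { const char *password; int failed_logons; bool locked; };

/* Stand-in for the Windows LogonUser() call: every wrong password is a
 * failed logon that counts toward lockout. */
static bool model_logon_user(struct account *a, const char *pw)
{
    if (a->locked) return false;
    if (strcmp(a->password, pw) == 0) { a->failed_logons = 0; return true; }
    if (++a->failed_logons >= LOCKOUT_THRESHOLD) a->locked = true;
    return false;
}

/* Password check. skip_empty_test_on_nt=true models the reported behaviour
 * (empty-password test disabled on NT); false models the proposed change. */
static bool model_auth_password(struct account *a, const char *pw,
                                bool permit_empty_passwords,
                                bool skip_empty_test_on_nt)
{
    if (pw[0] == '\0' && !permit_empty_passwords && !skip_empty_test_on_nt)
        return false;               /* rejected before the OS is asked */
    return model_logon_user(a, pw);
}

/* The "none" method modelled as a password check with an empty password. */
static bool model_auth_none(struct account *a, bool permit_empty, bool skip_on_nt)
{
    return model_auth_password(a, "", permit_empty, skip_on_nt);
}

/* Run n scripted public-key sessions; the model assumes each one tries
 * "none" first and that the pubkey step itself never calls LogonUser().
 * Returns the failed-logon count recorded afterwards. */
static int scripted_pubkey_sessions(struct account *a, int n, bool skip_on_nt)
{
    for (int i = 0; i < n; i++)
        (void)model_auth_none(a, false, skip_on_nt);
    return a->failed_logons;
}
```

With the test skipped, five scripted sessions lock the modelled account after the third; with the test restored, no failed logon is recorded, and an account that really has an empty password is still accepted when empty passwords are permitted.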