Mailing-List: contact cygwin-help AT cygwin DOT com; run by ezmlm
Sender: cygwin-owner AT cygwin DOT com
Delivered-To: mailing list cygwin AT cygwin DOT com
Date: Fri, 14 Jun 2002 07:17:25 -0400
From: Jason Tishler
Subject: Re: OpenSSH key auth causes invalid logon
In-reply-to: <20020614101327.B30892@cygbert.vinschen.de>
To: cygwin AT cygwin DOT com
Mail-followup-to: cygwin AT cygwin DOT com
Message-id: <20020614111724.GB2136@tishler.net>
User-Agent: Mutt/1.4i
References: <911C684A29ACD311921800508B7293BA037D30CC AT cnmail> <20020614101327 DOT B30892 AT cygbert DOT vinschen DOT de>

On Fri, Jun 14, 2002 at 10:13:27AM +0200, Corinna Vinschen wrote:
> On Thu, Jun 13, 2002 at 05:48:17PM -0400, Mark Bradshaw wrote:
> > I've noticed that OpenSSH, when doing key authentication, caused
> > an invalid logon. If enough instances occurred the account being
> > logged into was locked.
> [snip]
> No, I can't. OTOH, I don't quite understand what you mean by
> "invalid logon". When using pubkey authentication under Cygwin,
> Windows doesn't get any logon attempt. The logon is done by
> creating a handcrafted user token so I wonder what you mean
> by "the account was locked".
> [snip]

We are also plagued by this problem.

One of our CVS servers is running NT -- please don't ask why. :,)
Before I joined the company, everyone was accessing the CVS repository
using "local" access via CIFS -- again please don't ask why. :,) This
access method was causing all kinds of performance, permission, and
locking problems. So, I recommended setting up Cygwin OpenSSH on this
server to solve these problems.

Although using ssh solved the above problems, we noticed that people
started to get locked out of their NT accounts -- they couldn't login,
access email, map shares, etc.
We traced the problem down to the combination of using ssh *and* that
we had a "three invalid logons will lock the account" policy.

Unfortunately, because of the above problem most people are still using
"local" access even when remote. This causes CVS operations to
typically run 10 - 20 times slower than when using client/server mode.
Sigh...

> [snip]
> On NT, the PermitEmptyPassword test in auth_password() is disabled.
> That's obviously incorrect. I've no idea how long that code is
> already in OpenSSH. Perhaps the core team changed that code
> slightly at one point and I didn't get that. I'll propose the
> change to eliminate the special handling for NT. This allows
> empty passwords only if PermitEmptyPassword is "yes" also on NT.
> That should solve your "none" problem as well.

Corinna, thanks for the above.

> Thanks for the report,

Mark, thanks for tracking down this problem.

Jason
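A small C model of the behaviour discussed in this thread, added here as an illustration; it is not OpenSSH or Cygwin code and not from either poster. It assumes each key-authenticated connection is preceded by one empty-password attempt (the "none" request) and that pubkey logons never reset the Windows bad-logon counter; `os_logon`, `auth_password_model` and `locked_after_sessions` are hypothetical names.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

#define LOCKOUT_THRESHOLD 3  /* the "three invalid logons" policy above */

/* Constructed stand-in for one Windows account. */
struct account { const char *password; int bad_logons; bool locked; };

/* Hypothetical model of a Windows password logon: every wrong
 * password counts toward the lockout threshold. */
static bool os_logon(struct account *a, const char *pw) {
    if (a->locked)
        return false;
    if (strcmp(a->password, pw) == 0) {
        a->bad_logons = 0;
        return true;
    }
    if (++a->bad_logons >= LOCKOUT_THRESHOLD)
        a->locked = true;
    return false;
}

/* Model of the empty-password test. nt_special_case = true skips the
 * test (the behaviour described for NT); false applies it everywhere. */
static bool auth_password_model(struct account *a, const char *pw,
                                bool permit_empty, bool nt_special_case) {
    if (pw[0] == '\0' && !permit_empty && !nt_special_case)
        return false;  /* refused before Windows sees a logon attempt */
    return os_logon(a, pw);
}

/* n key-authenticated sessions, each preceded by one empty-password
 * attempt (assumption). Pubkey logons build a token and never touch
 * the counter, so nothing resets it. Returns the final lock state. */
static bool locked_after_sessions(int n, bool nt_special_case) {
    struct account a = { "constructed-secret", 0, false };
    for (int i = 0; i < n; i++)
        auth_password_model(&a, "", false, nt_special_case);
    return a.locked;
}

int main(void) {
    printf("special case: locked=%d\n", locked_after_sessions(3, true));
    printf("test applied: locked=%d\n", locked_after_sessions(3, false));
    return 0;
}
```

With the test applied everywhere, the empty attempt is refused inside the server and the account's counter never moves, however many sessions are opened.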