Mailing-List: contact cygwin-developers-help AT cygwin DOT com; run by ezmlm
List-Subscribe: <mailto:cygwin-developers-subscribe AT cygwin DOT com>
List-Archive: <http://sources.redhat.com/ml/cygwin-developers/>
List-Post: <mailto:cygwin-developers AT cygwin DOT com>
List-Help: <mailto:cygwin-developers-help AT cygwin DOT com>, <http://sources.redhat.com/ml/#faqs>
Sender: cygwin-developers-owner AT cygwin DOT com
Delivered-To: mailing list cygwin-developers AT cygwin DOT com
From: "Hartmut Honisch" <hartmut_honisch AT web DOT de>
To: <cygwin-developers AT cygwin DOT com>
Subject: RE: Subauthentication
Date: Sat, 14 Dec 2002 00:12:01 +0100
Message-ID: <NFBBLLCAILKHOEOHEFMHEEAMCEAA.hartmut_honisch@web.de>
MIME-Version: 1.0
Content-Type: text/plain;
	charset="us-ascii"
Content-Transfer-Encoding: 7bit
X-Priority: 3 (Normal)
X-MSMail-Priority: Normal
Importance: Normal
In-Reply-To: <3DF9FF0E.6C0400DC@ieee.org>
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1106

> I have one concern: does subauthentication require access
> to the PDC for domain users?

Yes. The subauthentication dll would have to be installed on a domain
controller. I suppose that's almost never
going to be the case. So it's only going to work for local users.

> I would prefer keeping it that way, thus possibly skipping the
> call to subauth when setgroups has been called (ftpd, telnetd,
> sshd do not call setgroups, AFAIK). It is also unlikely that
> the token created by subauth would match the groups specified
> by setgroups.

Couldn't we just always call subauth and just check if it was successful?
That way, a user could install the cygwin subauthentication module on
whatever machine he needs to.
If subauth is successful, we let verify_token decide whether to use the
subauth token or to call create_token, but at least have create_token use
the subauth token's logon session id.

Like in the following algorithm:

// Always call subauthentication. If a subauth dll is installed (either
locally or on the PDC),
// it will succeed. Otherwise, it will fail

SubauthToken = CallSubauthentication(...);

// Check if subauthentication was successful
if(IsValidToken(SubauthToken))
{
  if(verify_token(SubauthToken))
    // Use subauthentication token
    NewToken = SubauthToken
  else
    // Call NtCreateToken, but use SubauthToken's logon session id
    NewToken = create_token(SubauthToken.LogonSessionId, ...);
}
else
{
    // Call NtCreateToken and use current logon session id
    NewToken = create_token(CurrentLogonSessionId, ...);
}


Hartmut