Mailing-List: contact cygwin-help AT sourceware DOT cygnus DOT com; run by ezmlm
Sender: cygwin-owner AT sourceware DOT cygnus DOT com
Delivered-To: mailing list cygwin AT sourceware DOT cygnus DOT com
Message-ID: <394E61C5.7F85E8E8@vinschen.de>
Date: Mon, 19 Jun 2000 20:09:09 +0200
From: Corinna Vinschen
Reply-To: cygwin
X-Mailer: Mozilla 4.73 [en] (X11; I; Linux 2.2.14 i686)
X-Accept-Language: de, en
MIME-Version: 1.0
To: "Charles S. Wilson"
CC: Ian Blenke , "'cygwin'"
Subject: Re: OpenSSH 2.1 to Windows2000
References: <394E5871 DOT 9A06B8E3 AT ece DOT gatech DOT edu>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit

Perfect description, Chuck!

Thanks,
Corinna

"Charles S. Wilson" wrote:
>
> > > > > ???
> > > > >
> > > > However, trying to run ssh in "multiuser mode" spawned via
> > > > inetd (added sshd -i to /etc/inetd.conf) results in refused
> > > > authentication (most likely due to mucked up home directories).
> > >
> > > did you read the README?
> >
> > Yes, I've read the README.  It just doesn't make sense.
> > Why should RSA authentication work in a single-user
> > configuration, but not in a multi-user one?
> >
> > If I turn on PasswordAuthentication, ssh does work
> > correctly.  That's not good for automation that
> > works far better with null-phrased RSA keys.
>
> AFAIK, you must use a password (the real, true, NT-authentication
> plaintext password) to change the ownership of a process -- such as the
> spawned sshd that handles a user session.
>
> So, the master sshd can run under any user you like, and allow any user
> to login -- as long as you give it the NT password so that it can spawn
> the sub-sshd as the remote user.  So password authentication works "just
> like unix".
>
> However, with RSA, you don't give the NT password, so the master sshd
> cannot create a new process as the remote user -- the spawned sshd runs
> as the same user as the master sshd.
>
> There's only one way around this, AFAIK: store an encrypted database
> with the NT passwords.  Once RSA authentication is complete, look up the
> user's encrypted NT password (and unencrypt to *plaintext*) and use that
> to spawn the sub-sshd as the remote user.  This is (a) fundamentally
> insecure and (b) requires manual maintenance -- there is no way to
> extract the plaintext password from the NT SAM, so the user will have to
> encrypt/store the plaintext password manually -- and remember to update
> the sshd password database when changing the NT SAM.
>
> --Chuck
>
> --
> Want to unsubscribe from this list?
> Send a message to cygwin-unsubscribe AT sourceware DOT cygnus DOT com

--
Corinna Vinschen
Cygwin Developer
Cygnus Solutions, a Red Hat company
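The primitive Chuck's explanation turns on is "start a process as the authenticated remote user". The example below is added here and is not code from this thread or from the Cygwin sshd port; it goes a step beyond the quoted text by putting the NT path and the Unix path side by side. spawn_as_user(), the "nobody" account in the usage, and the local-machine domain "." passed to LogonUser are assumptions made for the illustration. On NT the only public route to a primary token for another account is LogonUser(), which needs that account's plaintext password; with an RSA key the daemon has no password to supply, so the call cannot be made and the child keeps the daemon's own identity. On Unix a root sshd simply calls setuid() and the password never enters into it, which is why RSA-only logins work there unchanged.

```c
/*
 * Added example (not from the Cygwin thread): why password authentication
 * can switch user on NT but key authentication cannot, contrasted with
 * Unix. spawn_as_user() and the "nobody" account are assumptions.
 */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#ifdef _WIN32
#include <windows.h>

/* NT path: no plaintext password means no token, and no token means no
 * CreateProcessAsUser; the spawned child would run as the caller. */
int spawn_as_user(const char *user, const char *password, const char *cmdline)
{
    HANDLE tok = NULL;
    STARTUPINFOA si;
    PROCESS_INFORMATION pi;
    DWORD code = 1;
    char cmd[1024];

    if (password == NULL)
        return -1;          /* key-only login: nothing to hand to LogonUser */
    if (!LogonUserA(user, ".", password, LOGON32_LOGON_INTERACTIVE,
                    LOGON32_PROVIDER_DEFAULT, &tok))
        return -1;
    memset(&si, 0, sizeof si); si.cb = sizeof si;
    memset(&pi, 0, sizeof pi);
    strncpy(cmd, cmdline, sizeof cmd - 1); cmd[sizeof cmd - 1] = '\0';
    /* Caller needs SeAssignPrimaryTokenPrivilege and SeIncreaseQuotaPrivilege. */
    if (!CreateProcessAsUserA(tok, NULL, cmd, NULL, NULL, FALSE, 0,
                              NULL, NULL, &si, &pi)) {
        CloseHandle(tok);
        return -1;
    }
    WaitForSingleObject(pi.hProcess, INFINITE);
    GetExitCodeProcess(pi.hProcess, &code);
    CloseHandle(pi.hProcess); CloseHandle(pi.hThread); CloseHandle(tok);
    return code == 0 ? 0 : -1;
}

#else
#include <pwd.h>
#include <grp.h>
#include <unistd.h>
#include <sys/wait.h>

/* Unix path: the password argument is ignored; what matters is that the
 * caller is root, which is why sshd runs as root on Unix. */
int spawn_as_user(const char *user, const char *password, const char *cmdline)
{
    (void)password;
    struct passwd *pw = getpwnam(user);
    if (pw == NULL)
        return -1;
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        /* Drop privileges in the right order: supplementary groups, gid,
         * then uid. Each fails with EPERM for a non-root caller. */
        if (initgroups(pw->pw_name, pw->pw_gid) != 0 ||
            setgid(pw->pw_gid) != 0 || setuid(pw->pw_uid) != 0)
            _exit(126);
        execl("/bin/sh", "sh", "-c", cmdline, (char *)NULL);
        _exit(127);
    }
    int status = 0;
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return (WIFEXITED(status) && WEXITSTATUS(status) == 0) ? 0 : -1;
}
#endif

/* Usage: ./spawn_as_user <user> [password]; runs `id` as that user. */
int main(int argc, char **argv)
{
    const char *user = argc > 1 ? argv[1] : "nobody";
    const char *password = argc > 2 ? argv[2] : NULL;
    int rc = spawn_as_user(user, password, "id");
    printf("spawn_as_user(\"%s\", %s) -> %d\n",
           user, password ? "<password>" : "NULL", rc);
    return rc == 0 ? 0 : 1;
}
```

The NT branch is the whole story of the thread: the password is not optional input to a check that could be skipped, it is the credential LogonUser consumes to manufacture the token, so an "encrypted password database" that the daemon decrypts on demand is just plaintext storage with one extra step, and anyone who can read the daemon's memory or key can read every user's password. The Unix branch needs no secret at all, only privilege, which is exactly the asymmetry Chuck describes.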