To: cygwin AT cygwin DOT com
Subject: Re: Cygwin/OpenSSH authentication without applying group policies...
Message-ID: <4147_1256634669_4AE6B92C_4147_496753_1_OFDA1DA6AB.02EA5716-ONC125765C.00325A60-C125765C.003273B0@nbg.sdv.spb.de>
From: Carsten DOT Porzler AT spb DOT de
Date: Tue, 27 Oct 2009 10:11:06 +0100

> On Oct 26 16:01, Carsten DOT Porzler AT spb DOT de wrote:
> > Hello,
> >
> > > With password
> > > authentication it's entirely up to the Win32 call LogonUser() to create
> > > that token and to manage that connection. Using pubkey authentication
> > > you have three choices described in the user's guide. Maybe one of them
> > > helps, see
> > > http://cygwin.com/1.7/cygwin-ug-net/ntsec.html#ntsec-setuid-overview
> > >
> >
> > My described problem occurs with password and public key (without saved
> > password) authentication.
> >
> > I just asked the question because we see during network tracing that the
> > group policies are transferred to the client.
> >
> > Other logon processes (e.g. mounting a network drive with another user
> > than the logged on one) do not transfer the group policies. Is the call
>
> I assume they don't have to since they only need the network credentials
> and policies are perhaps checked on the server. It looks like the
> underlying code uses something along the lines of
> LOGON32_LOGON_NEW_CREDENTIALS in a call to LoginUser.
>
> But that's just a guess. I don't know what's exactly going on under the
> hood.
>
> > LogonUser() really the right one, we use for the login procedure?
>
> When using password authentication or pubkey with saved password, yes.
> It's the one supported Win32 call to create a user token from user name
> and password. In contrast to a network share access, we need to create
> an interactive token using the LOGON32_LOGON_INTERACTIVE logon type.
>

But what about the public key authentication without(!) a password?
We recognized that there is exactly the same amount of network traffic
over the ip-port 26, which means there is something going on with the
group policies, too. Although publickey authentication without a password
is not a real network logon.

Thanks for further information or some ideas how to handle that.

Best regards
Carsten Porzler