Date: Tue, 27 Oct 2009 10:34:15 +0100
From: Corinna Vinschen
To: cygwin AT cygwin DOT com
Subject: Re: Cygwin/OpenSSH authentication without applying group policies...

On Oct 27 10:11, Carsten DOT Porzler AT spb DOT de wrote:
> > > LogonUser() really the right one, we use for the login procedure?
> >
> > When using password authentication or pubkey with saved password, yes.
> > It's the one supported Win32 call to create a user token from user name
> > and password. In contrast to a network share access, we need to create
> > an interactive token using the LOGON32_LOGON_INTERACTIVE logon type.
> >
> But what's about the public key authentication without(!) a password? We
> recognized, that there is exactly the same amount of network traffic over
> the ip-port 26

I guess you mean port 1026. But, anyway, I'm glad to read that. It
means that Cygwin does not create more traffic than the OS itself, when
it has to collect the information necessary to create a user token.

Apart from a lot of other, minor stuff, a user token consists of a list
of group SIDs and a list of user privileges. Without this information
the token is useless. Cygwin calls the appropriate functions to collect
this information (NetUserGetGroups, NetUserGetLocalGroups,
LsaEnumerateAccountRights). The traffic created by these functions is
not under Cygwin's control.

> which means there is something going on with the group
> policies, too. Although publickey authentication without a password is not
> a real network logon.

It has to create a user token. The job is practically the same as what
LogonUser has to do under the hood.


Corinna

--
Corinna Vinschen                  Please, send mails regarding Cygwin to
Cygwin Project Co-Leader          cygwin AT cygwin DOT com
Red Hat
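
The message above describes a user token as, in essence, a list of group SIDs plus a list of user privileges. The following PowerShell is an added example, not part of the original message or of Cygwin's code: it dumps both lists for the current process token, so the token from a password logon can be compared with the one from a pubkey logon without a password. The function name Get-TokenSummary and the output file names are hypothetical.

```powershell
# Added example: summarize the token of the current process.
# Run it once in each kind of ssh session and compare the two output files.
function Get-TokenSummary {
    $id = [System.Security.Principal.WindowsIdentity]::GetCurrent()

    # Group SIDs carried in the token, with a best-effort name lookup.
    $groups = foreach ($sid in $id.Groups) {
        try {
            $name = $sid.Translate([System.Security.Principal.NTAccount]).Value
        } catch {
            # SID could not be mapped to an account name; keep the raw SID only.
            $name = '<unresolved>'
        }
        [pscustomobject]@{ Sid = $sid.Value; Name = $name }
    }

    # whoami.exe ships with Windows; /priv lists the privileges held by the
    # token and /fo csv makes the output parseable.
    $privileges = whoami /priv /fo csv | ConvertFrom-Csv

    [pscustomobject]@{
        User       = $id.Name
        UserSid    = $id.User.Value
        Groups     = @($groups | Sort-Object Sid)
        Privileges = @($privileges)
    }
}

# Hypothetical usage: pass a label such as 'password' or 'pubkey' as the first argument.
$label   = if ($args.Count -gt 0) { $args[0] } else { 'session' }
$summary = Get-TokenSummary

$summary.Groups     | Format-Table -AutoSize
$summary.Privileges | Format-Table -AutoSize

# Keep a copy for a later diff, e.g. with Compare-Object on the two files.
$summary | ConvertTo-Json -Depth 4 | Set-Content -Path "token-$label.json"
```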