Openssh for Windows
Harald Dunkel
harald.dunkel at aixigo.de
Tue Jul 29 19:02:40 EST 2008
Corinna Vinschen wrote:
>
> You can use password-less authentication and Cygwin will create
> a user token for your user. This user token has no credentials for
> network access because you only get that when using password
> authentication. The result is that you only get your remote home dir
> after logging in by using `net use share /user:domain\user password',
> thus explicitly authenticating against the sharing server.
>
If I got you correctly, then this means that Cygwin's sshd doesn't
have permission to access my .ssh for authentication if it is on
a remote disk. Doesn't this mean that pubkey simply doesn't work
in this case?
> The method Interix uses is to store a copy of the user's password in the
> registry in a two-way encrypted fashion, which is then used whenever
> Interix needs to impersonate a user. That means, the pubkey
> authentication is used in OpenSSH, but the actual authentication against
> the OS is using password authentication. The result is that you get a
> user token which includes the network credentials to access your home
> dir automatically.
>
> The advantage of the Interix method is that the user token is a password
> authenticated token with network credentials. The downside is that
> there's a two-way encrypted copy of your password somewhere in an
> undocumented place in the registry, using an undocumented two-way
> encryption.
>
I am surely not an advocate for Windows, but the Unix procedure is
pretty rude, too: sshd is running with root permission. Since the
NFS partition containing my $HOME might be mounted without giving
root the right to read all files it likes (no_root_squash), sshd has
to break into my account (via seteuid(1), I would guess) to read my
.ssh directory.
In other words, sshd on Unix doesn't need an encrypted copy of my
password to generate some network credentials (as Interix' sshd
does). It bypasses all security means by brute force.
I can live with both. But I have to say that Cygwin's sshd doesn't
match my needs.
Regards
Harri
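The temporary identity switch the message above describes (a root sshd taking on the user's identity just long enough to read that user's .ssh on a root-squashed export, then switching back), as an added C example that is not code from this thread or from OpenSSH. The names read_as_user and demo_roundtrip and the sample authorized_keys line are assumptions constructed for the example.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>
/* Constructed sample authorized_keys line; the key material is not real. */
static const char *SAMPLE_LINE = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAA-EXAMPLE harri@example\n";
static char demo_buf[512];

/* Read up to bufsz-1 bytes of path while temporarily carrying the effective uid/gid
 * of the target user, then restore the saved identity. Returns bytes read, or -1 with
 * errno set. If the caller is not root (or the target is root) the file is read directly. */
ssize_t read_as_user(uid_t uid, gid_t gid, const char *path, char *buf, size_t bufsz) {
    uid_t saved_euid = geteuid();
    gid_t saved_egid = getegid();
    int switched = 0;
    ssize_t n = -1;
    if (saved_euid == 0 && (uid != 0 || gid != 0)) {
        /* Group first: once the euid is non-root, setegid() would be refused. */
        if (setegid(gid) != 0) return -1;
        if (seteuid(uid) != 0) {
            int e = errno; setegid(saved_egid); errno = e;
            return -1;
        }
        switched = 1;
    }
    FILE *f = fopen(path, "r");   /* an NFS server now sees the user's own uid/gid, not root */
    if (f != NULL) {
        size_t got = fread(buf, 1, bufsz - 1, f);
        buf[got] = '\0'; n = (ssize_t)got;
        fclose(f);
    }
    int saved_errno = errno;
    if (switched && (seteuid(saved_euid) != 0 || setegid(saved_egid) != 0)) {
        /* Stuck as the unprivileged user: abort rather than carry on in a wrong identity. */
        perror("restoring privileges");
        _exit(1);
    }
    errno = saved_errno;
    return n;
}
/* Write the sample to path, read it back as the calling user; 1 = round-trips, 0 = differs, -1 = error. */
int demo_roundtrip(const char *path) {
    FILE *f = fopen(path, "w");
    if (f == NULL) return -1;
    int ok = fputs(SAMPLE_LINE, f) != EOF;
    if (fclose(f) != 0 || !ok) return -1;
    ssize_t n = read_as_user(getuid(), getgid(), path, demo_buf, sizeof demo_buf);
    if (n < 0) return -1;
    return strcmp(demo_buf, SAMPLE_LINE) == 0 ? 1 : 0;
}
```

Supplementary groups are left untouched here; OpenSSH's own temporarily_use_uid() additionally swaps those, which matters when the .ssh directory is group-readable only.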