openssh on interix

Martin Koeppe mkoeppe at
Wed Nov 12 21:42:31 EST 2008

On Tue, 11 Nov 2008, Douglas E. Engert wrote:

>>> If the sshd could use the GSSAPI and delegated credentials, it might
>>> be possible to pass the Kerberos ticket into the LSA.  This could give
>>> you single sign on.
>>> I believe with a registry setting, the Kerberos for Windows can do
>>> something like this. You might want to ask on the kerberos at list
>> From within the interix environment the only way to contact the LSA is
>> over the built-in interix kernel functions like setuser(). Interix
>> programs don't have access to the Win32 API.
> But you did say that you wanted "network access rights. i.e. no access
> to a network home dir". I took that to imply that the Interix is using the
> underlying Windows file systems and that it uses the username and password
> via the setuser() to get Windows credentials. The other way to get credentials
> is to pass in a Kerberos TGT, and I think Vista can allow this and KfW
> can use it. So Interix should be able to do this too.

This would be a really good solution, but interix doesn't have any 
alternative for setuser(). So Kerberos can't be used.
See here for more details:
The poster Rodney is not an MS guy, but he wrote several core parts of 
interix before MS bought it.

Corinna Vinschen wrote:

> This is all the same problem Cygwin's port to OpenSSH has. 
> However, on Interix/SUA the user can store the password in the 
> registry using the `regpwd' tool.  I have no idea how the password 
> is stored and how to access it from privileged Interix processes, 
> though.  Isn't there some documentation?  Or is the password only 
> accessible by daemons created by Microsoft's developers?  Maybe you 
> should try asking this on the MS newsgroup dedicated to SUA:
>   microsoft.public.servicesforunix.general

The password is accessible from non-MS tools, too. Rodney has built an
(closed source) openssh which uses private keys and finally the regpwd 
stored passwords.

But: I currently don't need fully passwordless logins. I would be 
happy to log in with password and automatically get network share
access, similar to when logging in to a windows box locally on the 
glass. The only thing to be done for that is transferring the password 
to permanently_set_uid() within sshd. (I tested this successfully with 
a fixed password compiled into permanently_set_uid().) I think it 
would be overkill to call regpwd in auth_passwd() and then retrieve 
the password in permanently_set_uid() again. I would write a patch for 
openssh for official inclusion, but I'm not familiar with the overall 
design of openssh to know how to do it correctly. So any help there 
would be appreciated.


