openssh on interix

Martin Koeppe mkoeppe at gmx.de
Wed Nov 12 21:42:31 EST 2008


On Tue, 11 Nov 2008, Douglas E. Engert wrote:

>>> If the sshd could use the GSSAPI and delegated credentials, it might
>>> be possible to pass the Kerberos ticket into the LSA.  This could give
>>> you single sign on.
>>> I believe with a registry setting, the Kerberos for Windows can do
>>> something like this. You might want to ask on the kerberos at mit.edu list
>> 
>> From within the interix environment the only way to contact the LSA is 
>> over the built-in interix kernel functions like setuser(). Interix 
>> programs don't have access to the Win32 API.
>
> But you did say that you wanted "network access rights. i.e. no access
> to a network home dir". I took that to imply that the Interix is using the
> underlying Windows file systems and that it uses the username and password
> via the setuser() to get Windows credentials. The other way to get credentials
> is to pass in a Kerberos TGT, and I think Vista can allow this and KfW
> can use it. So Interix should be able to do this too.

This would be a really good solution, but interix doesn't have any 
alternative for setuser(). So Kerberos can't be used.
See here for more details:
http://www.suacommunity.com/forum/tm.aspx?high=&m=5046&mpage=1#15834
The poster Rodney is not an MS guy, but he wrote several core parts of 
interix before MS bought it.


Corinna Vinschen wrote:

> This is all the same problem Cygwin's port to OpenSSH has. 
> However, on Interix/SUA the user can store the password in the 
> registry using the `regpwd' tool.  I have no idea how the password 
> is stored and how to access it from privileged Interix processes, 
> though.  Isn't there some documentation?  Or is the password only 
> accessible by daemons created by Microsoft's developers?  Maybe you 
> should try asking this on the MS newsgroup dedicated to SUA:
>
>   microsoft.public.servicesforunix.general

The password is accessible from non-MS tools, too. Rodney has built a 
(closed source) openssh which uses private keys and finally the regpwd 
stored passwords.

But: I currently don't need fully passwordless logins. I would be 
happy to log in with a password and automatically get network share 
access, similar to when logging in to a windows box locally on the 
glass. The only thing to be done for that is transferring the password 
to permanently_set_uid() within sshd. (I tested this successfully with 
a fixed password compiled into permanently_set_uid().) I think it 
would be overkill to call regpwd in auth_passwd() and then retrieve 
the password in permanently_set_uid() again. I would write a patch for 
openssh for official inclusion, but I'm not familiar with the overall 
design of openssh to know how to do it correctly. So any help there 
would be appreciated.

Martin

