openssh on interix

Corinna Vinschen vinschen at
Fri Nov 28 20:51:21 EST 2008

On Nov 23 02:39, Martin Koeppe wrote:
> On Wed, 12 Nov 2008, Martin Koeppe wrote:
> > Corinna Vinschen wrote:
> >> This is all the same problem Cygwin's port to OpenSSH has. However, on 
> >> Interix/SUA the user can store the password in the registry using the 
> >> `regpwd' tool.  I have no idea how the password is stored and how to access 
> >> it from privileged Interix processes, though.  
> >> [...]
> The regpwd stored passwords are stored in the same (Windows standard) 
> way as e.g. Dial-in passwords or service account passwords are stored, 
> i.e. under:
> HKLM\Security\Policy\Secrets\

Thanks for the hint.  I'm embarrassed that I never before realized how
to use this functionality even though I read the LSA man pages a lot.

I now implemented this for Cygwin.  The next major version 1.7.0 will
come with a `passwd -R' option which is what `regpwd' does on Interix.

Cygwin's set(e)uid call now additionally tests for an existing encrypted
password in the above registry area and uses it if available.  The order
of authentication methods used in set(e)uid is now as follows (for those
interested in stuff like that):

  - Did the user logon with password and is the token available?

    -> use available token to switch user context

  - If not, did the user store the password in the aforementioned LSA 
    registry area?

    -> use that password to logon with password authentication under
       the hood and use resulting token if successful

  - If not, is the Cygwin-specifc LSA authentication package installed?

    -> Use Cygwin LSA authentication to create user token and use that

  - If not, has the current privileged user the right to create
    handcrafted user tokens immediately?

    -> If yes, collect all user information and call NtCreateToken.
       Use that token to switch user context.



Corinna Vinschen
Cygwin Project Co-Leader
Red Hat

More information about the openssh-unix-dev mailing list