openssh on interix
mkoeppe at gmx.de
Sun Nov 30 23:21:31 EST 2008
On 2008-11-28, Corinna Vinschen wrote:
> On Nov 23 02:39, Martin Koeppe wrote:
>> On Wed, 12 Nov 2008, Martin Koeppe wrote:
>>> Corinna Vinschen wrote:
>>>> This is all the same problem Cygwin's port to OpenSSH has.
>>>> However, on Interix/SUA the user can store the password in the
>>>> registry using the `regpwd' tool. I have no idea how the
>>>> password is stored and how to access it from privileged Interix
>>>> processes, though. [...]
>> The regpwd stored passwords are stored in the same (Windows
>> standard) way as e.g. Dial-in passwords or service account
>> passwords are stored, i.e. under:
> Thanks for the hint. I'm embarrassed that I never before realized
> how to use this functionality even though I read the LSA man pages a
> I now implemented this for Cygwin. The next major version 1.7.0 will
> come with a `passwd -R' option which is what `regpwd' does on Interix.
Will `passwd -R' and `regpwd' be compatible, i.e. store the password
under the same reg value, so that I could use `passwd -R' on cygwin to
store the password and then use it from interix daemons or vice versa?
regpwd uses this format:
where DOMAIN is the PC name (=local domain) or the NETBIOS domain
The password itself is converted to Unicode (UCS-2LE) before being
If cygwin used this format, too, users would have to maintain only one entry.
> Cygwin's set(e)uid call now additionally tests for an existing encrypted
> password in the above registry area and uses it if available. The order
> of authentication methods used in set(e)uid is now as follows (for those
> interested in stuff like that):
> - Did the user logon with password and is the token available?
>   -> use available token to switch user context
> - If not, did the user store the password in the aforementioned LSA
>   registry area?
>   -> use that password to logon with password authentication under
>      the hood and use resulting token if successful
> - If not, is the Cygwin-specific LSA authentication package installed?
>   -> Use Cygwin LSA authentication to create user token and use that
> - If not, has the current privileged user the right to create
>   handcrafted user tokens immediately?
>   -> If yes, collect all user information and call NtCreateToken.
>      Use that token to switch user context.
> - EPERM
More information about the openssh-unix-dev