openssh on interix

Martin Koeppe mkoeppe at gmx.de
Sun Nov 30 23:21:31 EST 2008


On 2008-11-28, Corinna Vinschen wrote:
> On Nov 23 02:39, Martin Koeppe wrote:
>> On Wed, 12 Nov 2008, Martin Koeppe wrote:
>>> Corinna Vinschen wrote:
>>>> This is all the same problem Cygwin's port to OpenSSH has. 
>>>> However, on Interix/SUA the user can store the password in the 
>>>> registry using the `regpwd' tool.  I have no idea how the 
>>>> password is stored and how to access it from privileged Interix 
>>>> processes, though. [...]
>> The regpwd stored passwords are stored in the same (Windows 
>> standard) way as e.g. Dial-in passwords or service account 
>> passwords are stored, i.e. under:
>>
>> HKLM\Security\Policy\Secrets\
>
> Thanks for the hint.  I'm embarrassed that I never before realized 
> how to use this functionality even though I read the LSA man pages a 
> lot.
>
> I now implemented this for Cygwin.  The next major version 1.7.0 will
> come with a `passwd -R' option which is what `regpwd' does on Interix.

Will `passwd -R' and `regpwd' be compatible, i.e. store the password 
under the same reg value, so that I could use `passwd -R' on cygwin to 
store the password and then use it from interix daemons or vice versa?

regpwd uses this format:
HKLM\Security\Policy\Secrets\DOMAIN_USERNAME_microsoft_sfu_utility
where DOMAIN is the PC name (=local domain) or the NETBIOS domain 
name.
The password itself is converted to Unicode (UCS-2LE) before being 
stored.

If cygwin used this format, too, users would have to maintain only one entry.

Martin


> Cygwin's set(e)uid call now additionally tests for an existing encrypted
> password in the above registry area and uses it if available.  The order
> of authentication methods used in set(e)uid is now as follows (for those
> interested in stuff like that):
>
>  - Did the user logon with password and is the token available?
>
>    -> use available token to switch user context
>
>  - If not, did the user store the password in the aforementioned LSA
>    registry area?
>
>    -> use that password to logon with password authentication under
>       the hood and use resulting token if successful
>
>  - If not, is the Cygwin-specific LSA authentication package installed?
>
>    -> Use Cygwin LSA authentication to create user token and use that
>       token
>
>  - If not, has the current privileged user the right to create
>    handcrafted user tokens immediately?
>
>    -> If yes, collect all user information and call NtCreateToken.
>       Use that token to switch user context.
>
>  - EPERM
>
>
>
> Corinna
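The naming and encoding convention Martin describes above, worked through as an added example (not code from the thread, from regpwd or from Cygwin). It assumes the account is given either as `DOMAIN\user` or as a bare user name (in which case the local machine's NetBIOS name stands in for DOMAIN), and it models the byte-counted Length/MaximumLength header of the Win32 LSA_UNICODE_STRING that LsaStorePrivateData takes for the secret name and value, so the limits that header imposes are visible.

```python
import struct

SECRET_SUFFIX = "_microsoft_sfu_utility"  # suffix regpwd appends (from the mail)


def secret_name(account: str, local_machine: str) -> str:
    """Derive the LSA secret name regpwd uses for an account.

    account is 'DOMAIN\\user' or a bare 'user'; a bare user name belongs to
    the local machine, whose NetBIOS name is the "local domain" in the key.
    """
    if "\\" in account:
        domain, user = account.split("\\", 1)
    else:
        domain, user = local_machine, account
    if not domain or not user:
        raise ValueError("account must be 'DOMAIN\\user' or 'user'")
    return f"{domain}_{user}{SECRET_SUFFIX}"


def encode_password(password: str) -> bytes:
    """Encode the password as UCS-2LE, the form in which it is stored.

    UCS-2 covers the Basic Multilingual Plane only; a character beyond
    U+FFFF would become a UTF-16 surrogate pair, which UCS-2 cannot
    express, so it is rejected instead of being silently mangled.
    """
    for ch in password:
        if ord(ch) > 0xFFFF:
            raise ValueError(f"U+{ord(ch):X} is outside the BMP, not UCS-2")
    return password.encode("utf-16-le")


def lsa_unicode_string_header(data: bytes) -> bytes:
    """Length and MaximumLength prefix of an LSA_UNICODE_STRING for data.

    Both fields are 16-bit byte counts (not character counts), which bounds
    a name or secret passed this way at 65535 bytes, i.e. 32767 code units.
    """
    if len(data) > 0xFFFF:
        raise ValueError("buffer too long for LSA_UNICODE_STRING")
    return struct.pack("<HH", len(data), len(data))


def decode_password(blob: bytes) -> str:
    """Inverse of encode_password, for a secret read back from the store."""
    if len(blob) % 2:
        raise ValueError("UCS-2LE blob must have an even length")
    return blob.decode("utf-16-le")
```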


More information about the openssh-unix-dev mailing list