This is the mail archive of the cygwin mailing list for the Cygwin project.

Index Nav: [Date Index] [Subject Index] [Author Index] [Thread Index]
Message Nav: [Date Prev] [Date Next] [Thread Prev] [Thread Next]
Other format: [Raw text]

Antwort: Re: Cygwin/OpenSSH authentication without applying group policies...


> On Oct 21 08:39, wrote:
> > Dear Cygwin community,
> > 
> > we are just having problems with some locations connect over WAN lines 

> > with only little bandwith.
> > 
> > The logon process against a Win2003 AD domain controller takes much 
> > (>50s). After some analysis we found out that there is much traffic 
> > between the SSH server and the domain controller over ip port 1026 
> > used for applying/downloading the Win2003 group policies).
> > 
> > During a SSH logon it is not necessary to apply all group policies. 
> > Instead it would be OK, if the user would just be authenticated and 
> > his group memberships.
> That's not correct, unfortunately.  To construct a user token you must
> know what user rights the user has since they are part of the token.
> Cygwin itself does not ask for group policies and that stuff, it really
> only requests information about the user rights of the user logging in.
> Cygwin has no control about the information flow underneath the Win32
> functions used to request this information.  A couple of months ago we
> already had a discussion on this list about the login process being
> slow.  The reason was an unnecessary loop asking for group membership,
> but that should be fixed for a long time.

That correct in principle, what you say. The problem with the loops was 
solved some months ago.

> > Is it possible to deactivate applying the group policies during the 
> > logon process or to reconfigure the SSH service so that we can use 
> > authentication instead of standard Win2003 authentication.
> First of all, we can't support LDAP directly from ssh since that doesn't
> allow us to create a user token.  What exactly is done depends on the
> method used for creating the token.  You didn't tell us if you're using
> password authentication or pubkey authentication.  With password
> authentication it's entirely up to the Win32 call LogonUser() to create
> that token and to manage that connection.  Using pubkey authentication
> you have three choices described in the user's guide.  Maybe one of them
> helps, see
My decripted problem occurs with password and public key (without saved 
password) authentication.

I just asked the question because we see during network tracing that the 
group policies are transferred to the client.

Other logon processes (e.g. mounting a network drive with another user 
than the logged on one) do not transfer the group policies. Is the call 
LogonUser() really the right one, we use for the login procedure?

Thanks in advance and

best regards

Carsten Porzler

Problem reports:
Unsubscribe info:

Index Nav: [Date Index] [Subject Index] [Author Index] [Thread Index]
Message Nav: [Date Prev] [Date Next] [Thread Prev] [Thread Next]