This is the mail archive of the
mailing list for the Cygwin project.
Re: Cygwin/OpenSSH authentication without applying group policies...
- From: Carsten dot Porzler at spb dot de
- To: cygwin at cygwin dot com
- Date: Tue, 27 Oct 2009 10:11:06 +0100
- Subject: Re: Cygwin/OpenSSH authentication without applying group policies...
> On Oct 26 16:01, Carsten.Porzler@spb.de wrote:
> > Hello,
> > > With password
> > > authentication it's entirely up to the Win32 call LogonUser() to
> > > that token and to manage that connection. Using pubkey
> > > you have three choices described in the user's guide. Maybe one of
> > > helps, see
> > > http://cygwin.com/1.7/cygwin-ug-net/ntsec.html#ntsec-setuid-overview
> > >
> > >
> > My described problem occurs with password and public key (without
> > password) authentication.
> > I just asked the question because we see during network tracing that
> > group policies are transferred to the client.
> > Other logon processes (e.g. mounting a network drive with another user
> > than the logged on one) do not transfer the group policies. Is the
> I assume they don't have to since they only need the network credentials
> and policies are perhaps checked on the server. It looks like the
> underlying code uses something along the lines of
> LOGON32_LOGON_NEW_CREDENTIALS in a call to LogonUser.
> But that's just a guess. I don't know what's exactly going on under the
> > LogonUser() really the right one, we use for the login procedure?
> When using password authentication or pubkey with saved password, yes.
> It's the one supported Win32 call to create a user token from user name
> and password. In contrast to a network share access, we need to create
> an interactive token using the LOGON32_LOGON_INTERACTIVE logon type.
But what about the public key authentication without(!) a password? We
recognized that there is exactly the same amount of network traffic over
the ip-port 26, which means there is something going on with the group
policies, too. Although public key authentication without a password is not
a real network logon.
Thanks for further information or some ideas how to handle that.