Cygwin/OpenSSH authentication without applying group policies...

Carsten.Porzler@spb.de Carsten.Porzler@spb.de
Tue Oct 27 09:11:00 GMT 2009


> On Oct 26 16:01, Carsten.Porzler@spb.de wrote:
> > Hello,
> > 
> > >   With password
> > > authentication it's entirely up to the Win32 call LogonUser() to create
> > > that token and to manage that connection.  Using pubkey authentication
> > > you have three choices described in the user's guide.  Maybe one of them
> > > helps, see
> > > http://cygwin.com/1.7/cygwin-ug-net/ntsec.html#ntsec-setuid-overview
> > > 
> > > 
> > My described problem occurs with password and public key (without saved
> > password) authentication.
> > 
> > I just asked the question because we see during network tracing that the
> > group policies are transferred to the client.
> > 
> > Other logon processes (e.g. mounting a network drive with another user
> > than the logged on one) do not transfer the group policies. Is the call
> 
> I assume they don't have to since they only need the network credentials
> and policies are perhaps checked on the server.  It looks like the
> underlying code uses something along the lines of
> LOGON32_LOGON_NEW_CREDENTIALS in a call to LogonUser.
> 
> But that's just a guess.  I don't know what's exactly going on under the
> hood.
> 
> > LogonUser() really the right one, we use for the login procedure?
> 
> When using password authentication or pubkey with saved password, yes.
> It's the one supported Win32 call to create a user token from user name
> and password.  In contrast to a network share access, we need to create
> an interactive token using the LOGON32_LOGON_INTERACTIVE logon type.
> 
But what about public key authentication without(!) a password? We
recognized that there is exactly the same amount of network traffic over
IP port 26, which means there is something going on with the group
policies, too, although public key authentication without a password is not
a real network logon.

Thanks for any further information or ideas on how to handle that.

Best regards

Carsten Porzler

