[Cvsnt] Re: [jakomail at emss.co.za: Re: User context switch in sshd using RSAAuthentication]

Peter Yamamoto pyamamoto at blueshiftinc.com
Sat Dec 15 18:58:32 GMT 2001


Hmmm, Heated discussion...

I think the important thing to observe here is that people are still
learning from both sides about what the issues are.

People who don't know or misunderstand will occasionally spout crap.
C'est la vie.

I learned something from reading this post, so I thank you both for
sharing.

Keep up the good work, there are people who do appreciate everybody's
efforts even if they never really realize it!-)

$0.02
Peter

-----Original Message-----
From: Corinna Vinschen [mailto:vinschen at redhat.com]
Sent: Saturday, December 15, 2001 10:46 AM
To: cvsnt at cvsnt.org
Subject: [Cvsnt] Re: [jakomail at emss.co.za: Re: User context switch in
sshd using RSAAuthentication]


terris at terris.com wrote:
> Hi,
>
> I just wanted everyone here to know that Corinna and
> I discussed this offline.  Corinna brings up some
> issues that I obviously was not aware of.  It seems that
> CVSNT is working around a real problem in the NT
> kernel in which all attempts to get the effective user
> name or SID returns 'SYSTEM', which sucks hard.

Yes, definitely.  Up to this point, thanks for bring that
into public.

> I had discussed this before on a previous list
> (ssh-d) and this is the first time I've heard the facts
> and I appreciate Corinna for taking the time to
> educate me.
>
> At any rate, VanDyke's vshell works, so I wonder
> what they do.  Unless Tony and Corinna can find

They are using a so called `LSA authentication module'.  This is what
I'd like to do by myself and which I actually tried to get more
information about in the past months.  Unfortunately the Microsoft
documentation on that issue is more or less non-existant and there's
no sample code available.  Besides that, VShell is >= 249 USD and
apparently not open source.

> a solution, I don't think cygwin's openssh implementation
> is very usable unless you use password
> authentication, which I think is fine for the majority
> of CVS users.

But that's actually not true.  The pubkey authentication is very
usable.  You're just thinking `cvsnt', not a full Cygwin environment.
Don't forget that Cygwin has it's own cvs port.  This cvs port has
obviously no problem with the above NT problems in the GetUserName()
and LookupAccountSid() functions since it's using the POSIX functions
provided by the Cygwin DLL, not the native WIn32 calls.

> Perhaps openssh should not even
> claim to support public key authentication?  It

That's a joke, hopefully.  I'm under the impression you still didn't
get that the user context switch is not in OpenSSH but in the Cygwin
DLL itself.  Each process with appropriate user rights can use the
Cygwin internal `setuid()' call which in turn uses NtCreateToken().

> just generates email traffic like this.  There should
> at least be some sort of disclaimer.  I
> warn the readers of devguy.com at
> http://devguy.com/fp/cfgmgmt/cvs/cvs_ssh.htm,
> but that page reaches a small minority of the NT
> SSH population.

What's that crap?  The user context switch in Cygwin WORKS!
Take a look into the Task Manager.  It shows that these
switched processes are running under the correct user account.
The problem ONLY arises inside the switched processes and it
is ONLY the user name which is incorrectly returned by the
above mentioned Win32 calls.  The SIDs of user and groups inside
of the process token are correct!

Please, don't discredit another open source project when you
didn't actually understand the internals.

Corinna

--
Corinna Vinschen
Cygwin Developer
Red Hat, Inc.
mailto:vinschen at redhat.com
_______________________________________________
Cvsnt mailing list
Cvsnt at cvsnt.org
http://www.cvsnt.org/cgi-bin/mailman/listinfo/cvsnt
_______________________________________________
Cvsnt mailing list
Cvsnt at cvsnt.org
http://www.cvsnt.org/cgi-bin/mailman/listinfo/cvsnt



More information about the cvsnt mailing list