[Cvsnt] Re: [jakomail at emss.co.za: Re: User context switch in sshd using RSAAuthentication]

Corinna Vinschen vinschen at redhat.com
Sun Dec 16 11:42:21 GMT 2001 

On Sat, Dec 15, 2001 at 11:48:54PM +0000, Tony Hoyle wrote:
> Corinna Vinschen wrote:
> > They are using a so called `LSA authentication module'.  This is what
> > I'd like to do by myself and which I actually tried to get more
> > information about in the past months.  Unfortunately the Microsoft
> > documentation on that issue is more or less non-existant and there's
> > no sample code available.  Besides that, VShell is >= 249 USD and
> > apparently not open source.
>
> Personally I wouldn't trust a closed-source authentication module as far
> as I could throw it - it's bad enough trying to keep on top of the bugs
> in the MS stuff without third party authentication keeping me awake at
> nights...

Agree.  What actually sucks is that there's not _one_ source code
for such a module.  All modules I ever saw are proprietary implementations
and cost $$$.  Perhaps there's a chance to create our own common
open source LSA auth module if we're working together?!?

> There is nothing to stop cvsnt & cygwin hooking the GetUserName() function with an
>
> API hook - this is documented quite well in MSDN and would mean that all
> NT programs which relied on this would return the correct user.

Hum, that's just another way of workaround but it would be ok
as long as we don't have a formally correct user context switch.
Unfortunately I never hooked a Win32 function.  Could you give me
a pointer here?  Oh, and don't forget to hook LookupAccountSid().

> What would be better of course is for someone to reverse-engineer the
> GetUserName function and work out *why* it sucks so badly - it might be
> possible to fix it somehow.

For us?  As I already wrote in private mail to Terris, I asked
on microsoft mailing lists for that problem and just got no
response... as usual when asking for anything security related
developer problems.  I didn't get a response when asking for
documentation on LSA auth modules and I didn't get a response
when asking for sample source code.  Too bad.  And I'm not good
in reverse engineering.  That requires to know i386 assembler
language...

Corinna

--
Corinna Vinschen
Cygwin Developer
Red Hat, Inc.
mailto:vinschen at redhat.com
_______________________________________________
Cvsnt mailing list
Cvsnt at cvsnt.org
http://www.cvsnt.org/cgi-bin/mailman/listinfo/cvsnt

More information about the cvsnt mailing list