[cvsnt] Patch proposal: $Author substitution with cygwin sshd and RSA keys
Markus Kuehni
markus.kuehni at trilab.ch
Fri Mar 19 09:58:21 GMT 2004
Hi
I followed some of the conversations in the mailing list archives of cvsnt
and cygwin regarding the sshd impersonation problem. It still seems very
much unresolved.
Here is a proposed patch (attached).
**BUT** I can't test it, as I don't have MSVC 7 (only 6) and can't build the
solution. Judging from the getcaller() description it should work, though...
Background:
Cygwin sshd seems to use a "imperfect" Windows impersonation when using RSA
key authentication so cvsnt still gets "SYSTEM" when calling GetUserName()
in win32getlogin().
The patch tells getcaller() routine to use the $LOGNAME or $USER environment
variable if getlogin() which calls win32getlogin() returns "SYSTEM".
According to its description, getcaller() is only used for non-critical
stuff such as the $Author substitution. So the patch should in no way affect
security. On the other hand, maybe it would even be save to patch
win32getlogin() generally.
Some possibilities:
1. the patch gets accepted and a new release is made available for download
sometime soon ;-)
2. somebody can send me a MSVC6 project and/or Makefile so I can test it
myself (and deploy the patched version)
3. somebody has a MSVC 7 and cvsnt checked out and could send me the
patched-built DLLs/EXEs
BTW, does the "imperfect impersonation" of sshd otherwise adversely affect
cvsnt operation?
Thanks for all help,
Mark
More information about the cvsnt
mailing list