SSHD pubkey authentication

SSHD pubkey authentication

[Lapo Luchini]

It is possible to use pubkey authentication on NT?
I played a lot with ntsec,nontsec,ntea,nontea starting serrvice as
SYSTEM or as administrator

Result is that the SYSTEM user can't access
/home/*/.ssh/authorized_keys[2] no matter the modes or owners, only way
to use pubkey auth is to start the service as the user that wants to
connect, not a real solution..

As anyone got better?

I mean using the OpenSSH distro available now.

Thanks =)

--
Lapo 'Raist' Luchini
lapo@lapo.it (PGP & X.509 keys available)
http://www.lapo.it (ICQ UIN: 529796)



--
Want to unsubscribe from this list?
Check out: http://cygwin.com/ml/#unsubscribe-simple

Re: SSHD pubkey authentication

[Corinna Vinschen]

On Tue, Apr 24, 2001 at 01:36:23PM +0200, Lapo Luchini wrote:
> It is possible to use pubkey authentication on NT?
> I played a lot with ntsec,nontsec,ntea,nontea starting serrvice as
> SYSTEM or as administrator
> 
> Result is that the SYSTEM user can't access
> /home/*/.ssh/authorized_keys[2] no matter the modes or owners, only way
> to use pubkey auth is to start the service as the user that wants to
> connect, not a real solution..
> 
> As anyone got better?

The reason is the restriction for changing user context on NT/W2K.
You can do this only by providing the password of that user, even
if the process is running under LocalSystem account.

> I mean using the OpenSSH distro available now.

I don't understand what you try to say with that sentence.

Corinna

-- 
Corinna Vinschen                  Please, send mails regarding Cygwin to
Cygwin Developer                                mailto:cygwin@cygwin.com
Red Hat, Inc.

--
Want to unsubscribe from this list?
Check out: http://cygwin.com/ml/#unsubscribe-simple

Mail list page

[Vince Rice]

I had reason to go to the mail list page today (where you go when you click
the "unsubscribe" at the bottom of a message), and the Cygwin link doesn't
work.  I tried several others, and they worked fine.  I was going to send
this comment to "Suggestions", but that link didn't work either <g>.

Vince


--
Want to unsubscribe from this list?
Check out: http://cygwin.com/ml/#unsubscribe-simple

Re: Mail list page

[Christopher Faylor]

On Tue, Apr 24, 2001 at 08:21:19AM -0500, Vince Rice wrote:
>I had reason to go to the mail list page today (where you go when you click
>the "unsubscribe" at the bottom of a message), and the Cygwin link doesn't
>work.

I'll rectify this.  In the meantime you'll have to make do with using the
cygwin web page:  http://cygwin.com/ .  I would suggest that this is probably
a good starting place for all cygwin inquiries.

>I tried several others, and they worked fine.  I was going to send this
>comment to "Suggestions", but that link didn't work either <g>.

I'm not sure what <g> means but if you have found an inoperable link, please
send the URL here.

cgf

--
Want to unsubscribe from this list?
Check out: http://cygwin.com/ml/#unsubscribe-simple

Re: SSHD pubkey authentication

[Lapo Luchini]

> The reason is the restriction for changing user context on NT/W2K.
> You can do this only by providing the password of that user, even
> if the process is running under LocalSystem account.
I feared that =(

Thanks anyway for the confirm =)

> > I mean using the OpenSSH distro available now.
> I don't understand what you try to say with that sentence.
I meant something like: please don't answer me "just patch, hack,
recompile and you can do it"
The problem with recompiling is that I must use ssh in a system which is
not mine ans they would not accept to use a "ercompiled" version of ssh.
Anyway the problem is at the source of W2K authentication as you said,
so there is no such problem...

--
Lapo 'Raist' Luchini
lapo@lapo.it (PGP & X.509 keys available)
http://www.lapo.it (ICQ UIN: 529796)

--
Want to unsubscribe from this list?
Check out: http://cygwin.com/ml/#unsubscribe-simple

Re: SSHD pubkey authentication

[Lapo Luchini]

> The reason is the restriction for changing user context on NT/W2K.
> You can do this only by providing the password of that user, even
> if the process is running under LocalSystem account.
>
But then how can IIS authenticate (in https) using only private key?

Of course they have some special access to some special not documented
API to change active user?

--
Lapo 'Raist' Luchini
lapo@lapo.it (PGP & X.509 keys available)
http://www.lapo.it (ICQ UIN: 529796)



--
Want to unsubscribe from this list?
Check out: http://cygwin.com/ml/#unsubscribe-simple

Re: SSHD pubkey authentication

[Corinna Vinschen]

On Tue, May 01, 2001 at 04:34:05PM +0200, Lapo Luchini wrote:
> > The reason is the restriction for changing user context on NT/W2K.
> > You can do this only by providing the password of that user, even
> > if the process is running under LocalSystem account.
> >
> But then how can IIS authenticate (in https) using only private key?
> 
> Of course they have some special access to some special not documented
> API to change active user?

No, they are using a so-called "subauthentication package". I'm just
preparing one for Cygwin but the information which are provided by
Microsoft are very spare. However, we will be able to login to a
system without a password in future but with substantial constraints,
probably. A logon without password will not be able to connect to network
drives unless somebody can show me how to solve that problem.

Corinna

-- 
Corinna Vinschen                  Please, send mails regarding Cygwin to
Cygwin Developer                                mailto:cygwin@cygwin.com
Red Hat, Inc.

--
Want to unsubscribe from this list?
Check out: http://cygwin.com/ml/#unsubscribe-simple