public inbox for cygwin@cygwin.com
* Re: Initial patch to implement partial auth with SSH2
From: Karl M @ 2001-04-23  7:44 UTC
  To: cygwin

Hi All...

I am currently running OpenSSH 2.5.2p2 with multiple (sequential) 
authentication modes in a WinNT/Win2k srvany sshd server environment. That 
is: to login, I first type a passphrase for my ssh2 rsa (or dsa) key, then I 
type the password on the local machine. It is working great and gives the 
security improvement I was looking for.

For now, the recipe is as follows:

1) Download and install the latest CygWin code (including source for both 
openssh and openssl).

2) Download Carson Gaspar's 3-28-01 patch from the OpenSSH Archives.

3) cd /openssh-2.5.2p2

4) ./configure --prefix=/usr --sysconfdir=/etc --libexecdir=/usr/sbin

5) edit defines.h, line 439 and uncomment the `#define USE_PIPES 1'

6) apply the Partial Authentication Patch

7) edit auth2.c, comment out the call to check_nt_auth at the end of 
userauth_pubkey

8) make

9) copy sshd.exe to /usr/sbin (stopping the sshd service as needed)

10) edit /etc/sshd_config, change Protocol whatever line to 'Protocol 2', 
change StrictModes from yes to no, and add the following line near the 
bottom of the file 'AuthOrder2 publickey:password'

You can now run the service from LocalSystem and have rsa/dsa authentication 
from multiple users. The login sequence will now look like:

user@machine ~
$ ssh localhost
Enter passphrase for key '/home/user/.ssh/id_rsa':
Authenticated with partial success.
user@localhost's password:
Last login: Mon Apr 23 00:07:17 2001 from machine

user@machine ~
$

I hope this is helpful.

Thanks,

...Karl



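Step 10 of the recipe (the sshd_config edits) as a shell script, added here as an example rather than anything from Karl's post: it rewrites a constructed sample config and then checks that exactly the three directives are present. The function names, the sample file and the temporary-file handling are assumptions; AuthOrder2 is only understood by an sshd built with the partial-auth patch.

```shell
#!/bin/sh
# Added example (not from the original post): automates step 10 of the
# recipe against an sshd_config and verifies the result. Function names
# and the sample file contents are assumptions made for this example.
set -eu

# Write a constructed sample sshd_config to $1 (stand-in for /etc/sshd_config).
make_sample_config() {
    cat > "$1" <<'EOF'
# constructed sample, not a real file from the thread
Port 22
#Protocol 2,1
Protocol 2,1
StrictModes yes
PubkeyAuthentication yes
PasswordAuthentication yes
EOF
}

# Rewrite $1 in place: protocol 2 only, StrictModes no, and the patch's
# AuthOrder2 directive. Every earlier copy of those three keywords
# (commented or not) is dropped so the file holds exactly one of each.
apply_partial_auth_config() {
    cfg="$1"; tmp="$cfg.tmp"
    grep -v -E '^[[:space:]]*#?[[:space:]]*(Protocol|StrictModes|AuthOrder2)[[:space:]]' \
        "$cfg" > "$tmp" || true
    {
        cat "$tmp"
        echo 'Protocol 2'
        # StrictModes no turns off sshd's ownership/permission check on
        # ~/.ssh and authorized_keys. The recipe needs it because the
        # service runs as LocalSystem; on an ordinary host keep it on.
        echo 'StrictModes no'
        # AuthOrder2 only exists once Carson Gaspar's partial-auth patch
        # is applied; stock OpenSSH 2.5.2p2 rejects the keyword.
        echo 'AuthOrder2 publickey:password'
    } > "$cfg"
    rm -f "$tmp"
}

# Return 0 when $1 carries exactly the expected directives, 1 otherwise.
check_partial_auth_config() {
    cfg="$1"
    grep -q -E '^Protocol[[:space:]]+2$' "$cfg" || return 1
    grep -q -E '^StrictModes[[:space:]]+no$' "$cfg" || return 1
    grep -q -E '^AuthOrder2[[:space:]]+publickey:password$' "$cfg" || return 1
    # SSH protocol 1 must not be left enabled anywhere.
    ! grep -q -E '^Protocol[[:space:]].*1' "$cfg"
}
```

On a real install, point apply_partial_auth_config and then check_partial_auth_config at /etc/sshd_config instead of the sample file.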

* Re: Initial patch to implement partial auth with SSH2
From: Karl M @ 2001-04-20  7:32 UTC
  To: cygwin

Hi Corinna...

I was thinking...for the CygWin environment (on WinNT and Win2k) we could 
avoid the problem of where to place a new call to check_nt_auth and 
auth_password by requiring that if the ssh and sshd user-ids are different, 
that password authentication is required (which was the reason I was 
interested in this in the first place). I can do that for now by using

Authorder2 publickey:password

and commenting out the check in userauth_publickey.

Thanks,

...Karl


>From: Corinna Vinschen <vinschen@redhat.com>
>To: cygwin@cygwin.com, openssh-unix-dev@mindrot.org
>Subject: Re: Initial patch to implement partial auth with SSH2
>Date: Fri, 20 Apr 2001 13:13:54 +0200
>
>On Fri, Apr 20, 2001 at 01:29:42AM -0700, Karl M wrote:
> > Hi All...
> >
> > I've been experimenting with the partial authorization patch for
> > OpenSSH-2.5.2. I'm using CygWin on a Windows 2000 (SP1) box.
> >
> > I noticed a bug in the patch that shows up for CygWin users. The problem is
> > that publickey authentication only works if sshd is running with the same
> > user-id as the ssh client. When I run sshd as a service with a user-id of
> > LocalSystem publickey authentication fails.
> >
> > This is because the check_nt_auth call in userauth-pubkey fails if the ssh
> > user-id is different from the sshd user-id.
> >
> > It looks to me like userauth_pubkey needs to "suspend disbelief" (and not
> > call check_nt_auth and auth_password) for partial authentication, in the
> > hope that a password may come later. Then somewhere check_nt_auth and
> > auth_password need to be called to make sure that we don't forget to set the
> > sshd user-id to the ssh user-id.
>
>Since the original partial authorization patch isn't applied yet,
>you're somewhat on your own. Why don't you simply override the
>check in `check_ntsec' for now?
>
>Corinna
>
>--
>Corinna Vinschen
>Cygwin Developer
>Red Hat, Inc.
> mailto:vinschen@redhat.com



* Re: Initial patch to implement partial auth with SSH2
From: Corinna Vinschen @ 2001-04-20  4:14 UTC
  To: cygwin, openssh-unix-dev

On Fri, Apr 20, 2001 at 01:29:42AM -0700, Karl M wrote:
> Hi All...
> 
> I've been experimenting with the partial authorization patch for 
> OpenSSH-2.5.2. I'm using CygWin on a Windows 2000 (SP1) box.
> 
> I noticed a bug in the patch that shows up for CygWin users. The problem is 
> that publickey authentication only works if sshd is running with the same 
> user-id as the ssh client. When I run sshd as a service with a user-id of 
> LocalSystem publickey authentication fails.
> 
> This is because the check_nt_auth call in userauth-pubkey fails if the ssh 
> user-id is different from the sshd user-id.
> 
> It looks to me like userauth_pubkey needs to "suspend disbelief" (and not 
> call check_nt_auth and auth_password) for partial authentication, in the 
> hope that a password may come later. Then somewhere check_nt_auth and
> auth_password need to be called to make sure that we don't forget to set the
> sshd user-id to the ssh user-id.

Since the original partial authorization patch isn't applied yet,
you're somewhat on your own. Why don't you simply override the
check in `check_ntsec' for now?

Corinna

-- 
Corinna Vinschen
Cygwin Developer
Red Hat, Inc.
mailto:vinschen@redhat.com



* Re: Initial patch to implement partial auth with SSH2
From: Karl M @ 2001-04-20  1:29 UTC
  To: cygwin; +Cc: openssh-unix-dev

Hi All...

I've been experimenting with the partial authorization patch for 
OpenSSH-2.5.2. I'm using CygWin on a Windows 2000 (SP1) box.

I noticed a bug in the patch that shows up for CygWin users. The problem is 
that publickey authentication only works if sshd is running with the same 
user-id as the ssh client. When I run sshd as a service with a user-id of 
LocalSystem publickey authentication fails.

This is because the check_nt_auth call in userauth-pubkey fails if the ssh 
user-id is different from the sshd user-id.

It looks to me like userauth_pubkey needs to "suspend disbelief" (and not 
call check_nt_auth and auth_password) for partial authentication, in the 
hope that a password may come later. Then somewhere check_nt_auth and
auth_password need to be called to make sure that we don't forget to set the
sshd user-id to the ssh user-id.

Thanks,

...Karl



