[cvsnt] Re: cygwin ssh server and author being set to SYSTEM

Pavel Goran pvgoran.ml at macondo.ru
Wed Jan 7 17:22:28 GMT 2004


Community technical support mailing list was retired 2010 and replaced with a professional technical support team. For assistance please contact: Pre-sales Technical support via email to sales@march-hare.com.


>> If you allow users to login without passwords in that way, once that
>> package is on the system it's a potential wide open security hole...
> 
> Yes, unfortunately. IIRC there were also other issues, like breaking
> compatibility with the way cygwin currently handles user groups.
>
> I guess a secure SSH server would have to pass the public key to the
> authentication module, which would have to verify it against the user's
> private key, which would have to be stored in a secure location.
The  authentication module could just check if the calling process has
enough  priveleges  to use NtCreateToken() and impersonate an user via
the  obtained  access  token - that is, if the process can make use of
the  currently used (in CygWin) "broken" impersonation. If this is the
case,  the  authentication  module  could  safely  proceed  with doing
whatever is needed for "normal", non-broken impersonation.

Pavel Goran





More information about the cvsnt mailing list
Download the latest CVSNT, TortosieCVS, WinCVS etc. for Windows 8 etc.
@CVSNT on Twitter   CVSNT on Facebook