[cvsnt] Re: cygwin ssh server and author being set to SYSTEM

Pavel Goran pvgoran.ml at macondo.ru
Thu Jan 8 06:09:50 GMT 2004


Community technical support mailing list was retired 2010 and replaced with a professional technical support team. For assistance please contact: Pre-sales Technical support via email to sales@march-hare.com.


Hello Tony,
Wednesday, January 7, 2004, 11:26:31 PM, you wrote:

>>The  authentication module could just check if the calling process has
>>enough  priveleges  to use NtCreateToken() and impersonate an user via
>>the  obtained  access  token - that is, if the process can make use of
>>the  currently used (in CygWin) "broken" impersonation. If this is the
>>case,  the  authentication  module  could  safely  proceed  with doing
>>whatever is needed for "normal", non-broken impersonation.
>>
TH> You can't do that with a subauth module - you get no information about
TH> the calling process or privileges of said process.
There  must  be a possibility for some kind of communication between a
process and the module (for example, a process can create a named pipe
and  pass  its  name  to  the  package  as  a password). Provided that
communication  is  possible,  the package can create a named pipe (and
thus  become the "named pipe server"), instruct the process to open it
(which thus becomes the "named pipe client"), impersonate the process'
user   by   calling  ImpersonateNamedPipeClient(),  and  actually  try
NtCreateToken() (and maybe other calls).

Pavel Goran





More information about the cvsnt mailing list
Download the latest CVSNT, TortosieCVS, WinCVS etc. for Windows 8 etc.
@CVSNT on Twitter   CVSNT on Facebook