This is the mail archive of the cygwin@sources.redhat.com mailing list for the Cygwin project.



Re: Problem with sshd on WindMill


On Thursday 14 December 2000 23:34, Rob_Hannah@deluxe.com wrote:
> One note to an earlier response when I didn't have the user specified
> in the /etc/passwd file (something like 'Sounds like a security
> hole').  How is it a security hole?  In order to get access to the
> sshd box, I have to send my public key file to that box and have the
> owner (in this case me) add it to the ~/.ssh/authorized_keys file. 
> Another difference is in password lengths.  Std Unix is 8 bytes.  I
> use a 24-byte passphrase for my RSA and DSA keys...

This isn't related to RSA/DSA encryption or passphrases vs passwords.
A simple question: How shall sshd recognize where the home directory
of the user is which just tries to log on to find the ~/.ssh directory?
The only chance is a correct entry in /etc/passwd with a correct home
directory set up.

The security hole: Which user is logging in to the system if the
user is unknown by the system? An unknown user should always and
under all circumstances be refused by sshd.

> Also, under Windows Millennium (i.e., any non-NT+), how are users
> obtained by mkpasswd in the generation of the /etc/passwd file?  If
> it just uses the current user, then I lose my changes every time I
> run the Cygwin setup.exe as it auto-executes mkpasswd whenever I run
> it.

9x systems don't have a real concept of different users. As a
result the output of mkpasswd is sort of faked. The only information
is the name of the current user stored by the system and retrieved by
the win32 call GetUserName(). So `mkpasswd' is behaving correctly
from my point of view. You can claim that `setup' shouldn't call
`mkpasswd' if /etc/passwd already exists (equiv. for `mkgroup').

> Note: below is reposted as I think I sent it to the wrong address
> earlier...

The address was ok as you should have noted by receiving your mail
(and my answer) from the mailing list server. However, I asked for
the output of ssh -v and sshd -d when logging in with an existing user
which could contain more appropriate info.

Corinna

-- 
Corinna Vinschen
Cygwin Developer
Red Hat, Inc.
mailto:vinschen@redhat.com
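
The lookup described in the reply above, as an added example that is not part of the original message and is not OpenSSH or Cygwin code: the account database entry supplies the home directory, and a user without a usable entry is refused before any key file is consulted. The function names and the sample passwd lines are constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Constructed sample in /etc/passwd format (name:pw:uid:gid:gecos:home:shell). */
static const char SAMPLE_PASSWD[] =
    "rob:*:500:544:Rob:/home/rob:/bin/bash\n"
    "nohome:*:501:544:No Home::/bin/bash\n";

/* Copy ':'-separated field idx (0-based) of line into out.
   Returns 0 on success, -1 if the field is missing or does not fit. */
static int field(const char *line, size_t len, int idx, char *out, size_t outlen)
{
    const char *p = line, *end = line + len;
    for (;;) {
        const char *q = memchr(p, ':', (size_t)(end - p));
        const char *stop = q ? q : end;
        if (idx-- == 0) {
            size_t n = (size_t)(stop - p);
            if (n >= outlen) return -1;
            memcpy(out, p, n);
            out[n] = '\0';
            return 0;
        }
        if (!q) return -1;
        p = q + 1;
    }
}

/* Resolve <home>/.ssh/authorized_keys for user from passwd-format text.
   Returns 0 on success, -1 if the login must be refused: unknown user,
   or an entry without an absolute home directory. */
int resolve_authorized_keys(const char *passwd, const char *user,
                            char *out, size_t outlen)
{
    char name[64], home[256];
    const char *line = passwd;
    while (*line) {
        size_t len = strcspn(line, "\n");
        if (field(line, len, 0, name, sizeof name) == 0 &&
            strcmp(name, user) == 0) {
            if (field(line, len, 5, home, sizeof home) != 0 || home[0] != '/')
                return -1;
            int n = snprintf(out, outlen, "%s/.ssh/authorized_keys", home);
            return (n > 0 && (size_t)n < outlen) ? 0 : -1;
        }
        line += len;
        if (*line == '\n') line++;
    }
    return -1; /* user not in the account database: refuse */
}
```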
