This is the mail archive of the cygwin@cygwin.com mailing list for the Cygwin project.


Index Nav: [Date Index] [Subject Index] [Author Index] [Thread Index]
Message Nav: [Date Prev] [Date Next] [Thread Prev] [Thread Next]
Other format: [Raw text]

Re: OpenSSH key auth causes invalid logon


On Thu, Jun 13, 2002 at 05:48:17PM -0400, Mark Bradshaw wrote:
> Corinna,
> 
> I've noticed that OpenSSH, when doing key authentication, caused an invalid
> logon.  If enough instances occurred the account being logged into was
> locked.  This didn't usually happen when just logging in, but was more
> common when scripting events.  Of course it's pretty common to use key auth
> when scripting remote calls.
> 
> While digging I found that this invalid login occurs when OpenSSH tries the
> "none" authentication method.  When I modified the code to just return 0 on
> a none attempt the invalid login went away.  I can't think of a valid time
> when "none" should work on a windows box.  Disabling it doesn't affect key
> or password auth.  Can you think of any adverse effect to disabling "none"
> under Cygwin?

No, I can't.  OTOH, I don't quite understand what you mean by
"invalid logon".  When using pubkey authentication under Cygwin,
Windows doesn't get any logon attempt.  The logon is done by
creating a handcrafted user token so I wonder what you mean
by "the account was locked".  Do you mean in the SAM?  And I'm
also wondering what the auth method has to do with it.  The
auth method has a meaning only in ssh.  There's just one exception,
the password authentication which is actually implemented by
calling LogonUser() at one point.  So the only situation I could
think of currently is when the auth method none accidentally(?)
branches into the password authentication code inside of sshd.

Hang on.

*dig, dig*

Ok, auth methode "none" is actually implemented by calling
auth_password().  Thinking about that, it makes sense.  And it's
not invalid to enable that on Cygwin since it's a possible and
legel case on 9x/Me systems.  I think I see what the problem is.
On NT, the PermitEmptyPassword test in auth_password() is disabled.
That's obviously incorrect.  I've no idea how long that code is
already in OpenSSH.  Perhaps the core team changed that code
slightly at one point and I didn't get that.  I'll propose the
change to eliminate the special handling for NT.  This allows
empty passwords only if PermitEmptyPassword is "yes" also on NT.
That should solve your "none" problem as well.

Thanks for the report,
Corinna

-- 
Corinna Vinschen                  Please, send mails regarding Cygwin to
Cygwin Developer                                mailto:cygwin@cygwin.com
Red Hat, Inc.

--
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple
Bug reporting:         http://cygwin.com/bugs.html
Documentation:         http://cygwin.com/docs.html
FAQ:                   http://cygwin.com/faq/


Index Nav: [Date Index] [Subject Index] [Author Index] [Thread Index]
Message Nav: [Date Prev] [Date Next] [Thread Prev] [Thread Next]