This is the mail archive of the cygwin@cygwin.com mailing list for the Cygwin project.



Re: OpenSSH key auth causes invalid logon


On Fri, Jun 14, 2002 at 10:13:27AM +0200, Corinna Vinschen wrote:
> On Thu, Jun 13, 2002 at 05:48:17PM -0400, Mark Bradshaw wrote:
> > I've noticed that OpenSSH, when doing key authentication, caused
> > an invalid logon.  If enough instances occurred the account being
> > logged into was locked.
> [snip]
> No, I can't.  OTOH, I don't quite understand what you mean by
> "invalid logon".  When using pubkey authentication under Cygwin,
> Windows doesn't get any logon attempt.  The logon is done by
> creating a handcrafted user token so I wonder what you mean
> by "the account was locked".
> [snip]

We are also plagued by this problem.  One of our CVS servers is running
NT -- please don't ask why. :,)  Before I joined the company, everyone
was accessing the CVS repository using "local" access via CIFS -- again
please don't ask why. :,)  This access method was causing all kinds
of performance, permission, and locking problems.  So, I recommended
setting up Cygwin OpenSSH on this server to solve these problems.

Although using ssh solved the above problems, we noticed that people
started to get locked out of their NT accounts -- they couldn't log in,
access email, map shares, etc.  We traced the problem down to the
combination of using ssh *and* that we had a "three invalid logons will
lock the account" policy.

Unfortunately, because of the above problem most people are still using
"local" access even when remote.  This causes CVS operations to typically
run 10 - 20 times slower than when using client/server mode.  Sigh...

> [snip]
> On NT, the PermitEmptyPassword test in auth_password() is disabled.
> That's obviously incorrect.  I've no idea how long that code is
> already in OpenSSH.  Perhaps the core team changed that code
> slightly at one point and I didn't get that.  I'll propose the
> change to eliminate the special handling for NT.  This allows
> empty passwords only if PermitEmptyPassword is "yes" also on NT.
> That should solve your "none" problem as well.

Corinna, thanks for the above.

> Thanks for the report,

Mark, thanks for tracking down this problem.

Jason
