This is the mail archive of the cygwin@sourceware.cygnus.com mailing list for the Cygwin project.



Re: ssh and authorized_keys


Christian Engwer wrote:
> 
> Thanks for your help Chuck,
> 
> but doesn't this mean that I don't have the chance to enter the
> NT-account without a password prompt?

That is correct. I looked at this back in December, and from what I could tell, the only way for the child process daemon to change its user credentials under NT is to authenticate via NT's password
mechanism. Now, you COULD maintain some sort of separate encrypted password database (perhaps in the /etc/passwd file? <g>) so that once a user authenticated via RSA, the child process could look up
and unencrypt the password and then use that to authenticate to the underlying NT security system, thus changing its run-time credentials.

A few drawbacks:

  1) adding things to the /etc/passwd file might mess up Corinna Vinschen's ntsec stuff

  2) you can't use the standard unix 'hash(password)' == 'stored value' method of verifying a password. You need the actual password in plaintext to authenticate to the underlying NT security system.

  3) SO, there needs to be a master key somewhere [the host private key?] that can be used to unencrypt everything in the SSH password database (whether it's in /etc/passwd or somewhere else). This is
obviously a HUGE security risk

  4) What if you're using multiple SSH daemons? (SSH1, SSH2, a version running as a service on the 'system' or 'Administrator' account, a personal version run as a regular user using a high port,
etc.). Which of the several host private keys should be used to encrypt the SSH password database? Should each daemon have its own password database encrypted with its own key? 

  5) This database needs to be updated regularly to sync with the *actual* password database that NT uses. This problem gets worse if there are multiple SSH password databases. And HOW do you
automatically extract the plaintext password from the NT security system in the first place? Is it even possible?
------

One way of solving a lot of these problems is to "initialize" the ssh daemon. In other words, login once using password authentication. Then, the sshd stores the password in memory (encrypted using
the server key; the server key is regenerated every hour [usually] so the in-memory database needs to be re-encrypted each time the server key changes). After that, RSA authentication could work,
since once the user is RSA-authenticated, the daemon looks up the password in the encrypted in-memory database, unencrypts it using the server key, and performs the authentication/credential update in
the NT security system.

You'd have to reinitialize the SSH daemon each time the service restarted or the machine rebooted.

This is a pretty big project, which is why I bailed out - I was busy getting the usr/local package at cygutils.netpedia.net together and didn't want to get sidetracked. Password authentication worked,
and that was enough for me.

--Chuck





> 
> For me it is essential to enter without any action, because we have a
> heterogenous cluster with NT-, linux- and soon also hurd-systems. Because
> of all this I can't use any NT-remote-admin-tools. Now I hoped I could use
> ssh instead.
> 
> CU Christian
> 
> > Christian -
> >  you need to enable 'password authentication' in your sshd file. The cygwin
> >  port of ssh does not support RSA authentication. The exchange of
> >  information is still encrypted, though, so your password is not sent in
> >  the clear.
> >
> > --Chuck
> 
> --
> Want to unsubscribe from this list?
> Send a message to cygwin-unsubscribe@sourceware.cygnus.com
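
The "initialize the daemon" scheme described in the message above, as an added sketch that is not part of the original post or of any ssh port: passwords are held only in memory, sealed under the current server key, and re-sealed whenever that key is regenerated. The names `CredentialCache`, `seal` and `unseal` are hypothetical, the HMAC-SHA256 keystream is a stand-in for a vetted authenticated cipher, and the NT logon call itself is left out.

```python
import hashlib, hmac, os

def subkey(key, label):
    # Separate encryption and MAC keys derived from the one server key.
    return hmac.new(key, label, hashlib.sha256).digest()

def keystream(key, nonce, n):
    blocks = (hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range((n + 31) // 32))
    return b"".join(blocks)[:n]

def seal(server_key, plaintext):
    # Stand-in cipher (assumption): a real daemon would use a vetted AEAD.
    nonce = os.urandom(16)
    ks = keystream(subkey(server_key, b"enc"), nonce, len(plaintext))
    ct = bytes(a ^ b for a, b in zip(plaintext, ks))
    tag = hmac.new(subkey(server_key, b"mac"), nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag

def unseal(server_key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    want = hmac.new(subkey(server_key, b"mac"), nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, want):
        raise ValueError("blob was not sealed with this server key")
    ks = keystream(subkey(server_key, b"enc"), nonce, len(ct))
    return bytes(a ^ b for a, b in zip(ct, ks))

class CredentialCache:
    def __init__(self):
        self.server_key = os.urandom(32)  # regenerated periodically, never on disk
        self.blobs = {}                   # user -> sealed password; lost on restart

    def initialize(self, user, password):
        # Called once, after a successful password login.
        self.blobs[user] = seal(self.server_key, password.encode())

    def rotate_server_key(self):
        # Every entry is decrypted and re-sealed, so plaintext exists briefly here.
        new_key = os.urandom(32)
        self.blobs = {u: seal(new_key, unseal(self.server_key, b))
                      for u, b in self.blobs.items()}
        self.server_key = new_key

    def password_after_rsa_auth(self, user):
        # None means the user has not initialized since the last restart.
        blob = self.blobs.get(user)
        return None if blob is None else unseal(self.server_key, blob).decode()
```

Anything able to read the daemon's memory holds both the server key and the sealed entries, so drawback 3 in the message still applies to this variant, only for the lifetime of the process rather than on disk.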


