This is the mail archive of the cygwin mailing list for the Cygwin project.



Re: Cygwin/OpenSSH authentication without applying group policies...


On Oct 21 08:39, Carsten.Porzler@spb.de wrote:
> Dear Cygwin community,
> 
> we are just having problems with some locations connecting over WAN lines 
> with only little bandwidth.
> 
> The logon process against a Win2003 AD domain controller takes much time 
> (>50s). After some analysis we found out that there is much traffic 
> between the SSH server and the domain controller over ip port 1026 (CAP, 
> used for applying/downloading the Win2003 group policies).
> 
> During a SSH logon it is not necessary to apply all group policies. 
> Instead it would be OK, if the user would just be authenticated and get 
> his group memberships.

That's not correct, unfortunately.  To construct a user token you must
know what user rights the user has since they are part of the token.
Cygwin itself does not ask for group policies and that stuff, it really
only requests information about the user rights of the user logging in.
Cygwin has no control over the information flow underneath the Win32
functions used to request this information.  A couple of months ago we
already had a discussion on this list about the login process being
slow.  The reason was an unnecessary loop asking for group membership,
but that should be fixed for a long time.

> Is it possible to deactivate applying the group policies during the SSH 
> logon process, or to reconfigure the SSH service so that we can use LDAP 
> authentication instead of standard Win2003 authentication?

First of all, we can't support LDAP directly from ssh since that doesn't
allow us to create a user token.  What exactly is done depends on the
method used for creating the token.  You didn't tell us if you're using
password authentication or pubkey authentication.  With password
authentication it's entirely up to the Win32 call LogonUser() to create
that token and to manage that connection.  Using pubkey authentication
you have three choices described in the user's guide.  Maybe one of them
helps, see
http://cygwin.com/1.7/cygwin-ug-net/ntsec.html#ntsec-setuid-overview


Corinna

-- 
Corinna Vinschen                  Please, send mails regarding Cygwin to
Cygwin Project Co-Leader          cygwin AT cygwin DOT com
Red Hat
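The point Corinna makes about password authentication, that LogonUser() alone builds the token and resolves the group memberships inside it before Cygwin sees anything, can be checked directly from the SSH host. The following PowerShell script is an added example and is not part of the thread or of Cygwin's own code: it P/Invokes LogonUser() with a network logon, times the call, and then lists the group SIDs already present in the returned token. The credentials are whatever test account you enter at the prompt; the timing threshold and the choice of a network logon type (which avoids loading a profile) are assumptions of this example, not something the thread states.

```powershell
# Added example (not from the mailing-list thread): measure how long the
# Win32 LogonUser() call takes and show that the token it returns already
# carries the caller's group membership.  Run on the Windows host that
# runs sshd, as a normal user; no Cygwin involvement at all.

$signature = @'
[DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
public static extern bool LogonUser(string user, string domain, string password,
    int logonType, int logonProvider, out IntPtr token);

[DllImport("kernel32.dll", SetLastError = true)]
public static extern bool CloseHandle(IntPtr handle);
'@
$Native = Add-Type -MemberDefinition $signature -Name 'LogonDemo' `
                   -Namespace 'CygwinThreadExample' -PassThru

# Use a dedicated test account; credentials are typed at the prompt, never hard-coded.
$cred    = Get-Credential -Message 'Test account to log on with'
$netcred = $cred.GetNetworkCredential()

# Constants from winbase.h.  A network logon is the cheapest logon type that still
# yields a full token; it does not load a profile.  (Assumption of this example.)
$LOGON32_LOGON_NETWORK    = 3
$LOGON32_PROVIDER_DEFAULT = 0
$token = [IntPtr]::Zero

$elapsed = Measure-Command {
    $script:ok = $Native::LogonUser($netcred.UserName, $netcred.Domain, $netcred.Password,
                                    $LOGON32_LOGON_NETWORK, $LOGON32_PROVIDER_DEFAULT,
                                    [ref]$token)
}

if (-not $script:ok) {
    $code = [Runtime.InteropServices.Marshal]::GetLastWin32Error()
    $err  = New-Object ComponentModel.Win32Exception($code)
    throw "LogonUser failed (error $code): $($err.Message)"
}

try {
    # Everything below reads the token that LogonUser() already built; the group
    # SIDs were resolved against the domain controller during that single call.
    "LogonUser() took {0:N1} s" -f $elapsed.TotalSeconds
    if ($elapsed.TotalSeconds -gt 10) {
        # Arbitrary threshold chosen for this example: anything this slow points at the
        # DC round trips inside LogonUser(), not at sshd or Cygwin.
        Write-Warning 'Logon is slow inside the Win32 call itself; check the DC link.'
    }

    $identity = New-Object System.Security.Principal.WindowsIdentity($token)
    "Token user : $($identity.Name)"
    "Token groups: $($identity.Groups.Count)"
    foreach ($sid in $identity.Groups) {
        # Translating a SID to a name may itself contact the DC, so keep it best-effort.
        $name = try { $sid.Translate([System.Security.Principal.NTAccount]).Value }
                catch { '<unresolved>' }
        "  {0,-48} {1}" -f $sid.Value, $name
    }
}
finally {
    [void]$Native::CloseHandle($token)
}
```

If the timing reported here already matches the 50 s seen at SSH logon, the delay lives entirely in the Win32 logon path, which is exactly the part Cygwin's sshd cannot configure; the token listing shows why the call cannot be skipped, since the group SIDs it needs are obtained inside it.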
