Martin Koeppe wrote:
>
> On Mon, 10 Nov 2008, Douglas E. Engert wrote:
>
>> Martin Koeppe wrote:
>>> Hi openssh developers,
>>>
>>> I'm trying to port openssh to Interix. See [1] for more on this.
>>>
>>> For Interix sshd needs to be patched to not use setuid()/setgid(),
>>> but an Interix specific function setuser(). See [2] why it is needed.
>>> Unfortunately, setuser() needs the clear-text password of the user to
>>> be fully functional (If you use password-less setuser(), then the
>>> user doesn't have network access rights, e.g. no access to a network
>>> home dir).
>>
>> Sounds like what you are trying to do is run the sshd on a Windows
>> machine, and get the user's windows password so they can "login"
>> to Windows?
>
> It's only partly right. Interix can be thought of as a unix-like kernel
> running within the windows kernel. So you have all the unix syscalls
> and unix libc functions available. You also get unix-like file system
> semantics. I'd like to port sshd to this unix-like environment.
> The goal is not just to have "any" ssh login on windows, it's to enhance
> my port of Debian to interix.
>
> While setuid() is also available and basically functional, the right way
> to change to the user is - on interix - not setuid(), but setuser(). If
> setuser() gets no password, local access is granted, but for network
> access a new session would be needed. But if the password could be used
> for setuser(), then setuser() would allow network access to the new
> session. And sshd has the needed password in auth_passwd(), but not in
> permanently_set_uid().
>
>
>> If the sshd could use the GSSAPI and delegated credentials, it might
>> be possible to pass the Kerberos ticket into the LSA. This could give
>> you single sign on.
>> I believe with a registry setting, the Kerberos for Windows can do
>> something like this. You might want to ask on the kerberos@mit.edu list
>
> From within the interix environment the only way to contact the LSA is
> over the built-in interix kernel functions like setuser(). Interix
> programs don't have access to the Win32 API.


But you did say that you wanted "network access rights. i.e. no access
to a network home dir". I took that to imply that Interix is using the
underlying Windows file systems and that it uses the username and password
via the setuser() to get Windows credentials. The other way to get credentials
is to pass in a Kerberos TGT, and I think Vista can allow this and KfW
can use it. So Interix should be able to do this too.

>
> Martin
>
>
>> http://www.vandyke.com/products/vshell/index.html
>> might be another possibility.
>>
>>>
>>> The problem is now: How to get the clear-text password from
>>> auth-passwd.c:auth_password()
>>> to
>>> uidswap.c:permanently_set_uid()
>>> where it would be needed as argument for setuser()?
>>>
>>> See [3] for the patch I'm currently using. My first idea would be to
>>> use the struct passwd pw_passwd field that is passed to
>>> permanently_set_uid() for storing the clear-text password after
>>> successful (password-)authentication.
>>>
>>> Before looking into details I just want to ask:
>>> Would such use of struct passwd be a security issue?
>>>
>>>
>>> Many thanks in advance
>>>
>>> Martin
>>>
>>>
>>> [1] http://www.debian-interix.net/
>>> [2] http://www.suacommunity.com/forum/tm...=setuser&#7061
>>> [3] http://www.debian-interix.net/debian...2.interdiff.gz
>>>



--

Douglas E. Engert
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@mindrot.org
https://lists.mindrot.org/mailman/li...enssh-unix-dev