This is the mail archive of the
cygwin-apps
mailing list for the Cygwin project.
Updated: 1.7.0-33 (New method to logon without password ... with password)
- From: Corinna Vinschen <corinna-cygwin at cygwin dot com>
- To: cygwin-developers at cygwin dot com, cygwin-apps at cygwin dot com
- Date: Wed, 26 Nov 2008 13:42:59 +0100
- Subject: Updated: 1.7.0-33 (New method to logon without password ... with password)
Hi,
I just uploaded a cygwin-1.7.0-33 release which contains the new feature
explained below.
For a long time we have the feature that you can use ssh or rsh or
cron without password. But all methods which don't use a password have
a major drawback: The user token has no credentials which allow the
usual simple network access without additional hassle. This makes, for
instance, automated remote scripting which need network access a rather
painful experience.
Interix, OTOH, has a command called `regpwd', which allows to specify a
password for the current user, which then is stored in some hidden,
obfuscated area in the registry (HKLM\SECURITY\Policy\Secrets). This
same area in the registry is also used by the OS to store passowrds of
accounts running Windows services.
The latest changes I applied today add this ability to Cygwin as well.
I'm only disappointed that it took me so long because the LSA functions
to access this area are documented since ages and I've read the LSA docs
a lot. Oh well.
When a privileged process calls setuid/seteuid, Cygwin now first checks
if a password has been stored for the uid given as argument. It checks
in two locations, the one maintained by Cygwin as well as the one
maintained by Interix. So, if your account has already a password
stored by Interix' regpwd, you can just use it in Cygwin. If a password
is found, it's used in a call to LogonUser. If this call succeeds, the
token is used to switch the user context and you get all your usual
network access "for free"(*). Otherwise Cygwin falls back to the other
methods, LSA authentication using Cygwin's LSA authentication DLL, or
using NtCreateToken as last resort.
To store a password in the registry, use the new -R/--reg-store-pwd
option to passwd(1). Note that storing a password in the registry this
way is a privileged operation. It's only accessible to Administrators.
When a normal user wants to store a password in the registry this way,
a workaround is necessary. The workaround is cygserver running as
privileged service. So, when cygserver is running, even a normal user
can enter his/her password with
bash$ CYGWIN=server passwd -R
I also added the changes to passwd to the docs (which I uploaded to
http://cygwin.com/1.7/cygwin-ug-net.html and
http://cygwin.com/1.7/cygwin-ug-net/cygwin-ug-net.html), but there's
still a lot missing in the ntsec documentation. Sorry about that.
Have fun,
Corinna
(*) "for free" isn't quite right, of course. You're giving up on
security. The passwords are stored two-way encrypted in a registry
area only accessible to admins and the system. The Cygwin password
is accessible only for local admins, not from remote as is the
Interix password. However, if somebody gets admin access to your
machine, you lost. OTOH, if somebody got admin access to your
machine anyway, you probably have other, more pressing problems.
--
Corinna Vinschen Please, send mails regarding Cygwin to
Cygwin Project Co-Leader cygwin AT cygwin DOT com
Red Hat