Updated: 1.7.0-33 (New method to logon without password ... with password)

Corinna Vinschen corinna-cygwin@cygwin.com
Wed Nov 26 12:44:00 GMT 2008


I just uploaded a cygwin-1.7.0-33 release which contains the new feature
explained below.

For a long time we have the feature that you can use ssh or rsh or
cron without password.  But all methods which don't use a password have
a major drawback:  The user token has no credentials which allow the
usual simple network access without additional hassle.  This makes, for
instance, automated remote scripting which needs network access a rather
painful experience.

Interix, OTOH, has a command called `regpwd', which allows you to specify a
password for the current user, which then is stored in some hidden,
obfuscated area in the registry (HKLM\SECURITY\Policy\Secrets).  This
same area in the registry is also used by the OS to store passwords of
accounts running Windows services.

The latest changes I applied today add this ability to Cygwin as well.
I'm only disappointed that it took me so long because the LSA functions
to access this area have been documented for ages and I've read the LSA
docs a lot.  Oh well.

When a privileged process calls setuid/seteuid, Cygwin now first checks
if a password has been stored for the uid given as argument.  It checks
in two locations, the one maintained by Cygwin as well as the one
maintained by Interix.  So, if your account already has a password
stored by Interix' regpwd, you can just use it in Cygwin.  If a password
is found, it's used in a call to LogonUser.  If this call succeeds, the
token is used to switch the user context and you get all your usual
network access "for free"(*).  Otherwise Cygwin falls back to the other
methods, LSA authentication using Cygwin's LSA authentication DLL, or
using NtCreateToken as last resort.

To store a password in the registry, use the new -R/--reg-store-pwd
option to passwd(1).  Note that storing a password in the registry this
way is a privileged operation.  It's only accessible to Administrators.
When a normal user wants to store a password in the registry this way,
a workaround is necessary.  The workaround is cygserver running as a
privileged service.  So, when cygserver is running, even a normal user
can enter his/her password with

  bash$ CYGWIN=server passwd -R

I also added the changes to passwd to the docs (which I uploaded to
http://cygwin.com/1.7/cygwin-ug-net.html and
http://cygwin.com/1.7/cygwin-ug-net/cygwin-ug-net.html), but there's
still a lot missing in the ntsec documentation.  Sorry about that.

Have fun,

(*) "for free" isn't quite right, of course.  You're giving up on
    security.  The passwords are stored two-way encrypted in a registry
    area only accessible to admins and the system.  The Cygwin password
    is accessible only for local admins, not from remote as is the
    Interix password.  However, if somebody gets admin access to your
    machine, you lost.  OTOH, if somebody got admin access to your
    machine anyway, you probably have other, more pressing problems.

Corinna Vinschen                  Please, send mails regarding Cygwin to
Cygwin Project Co-Leader          cygwin AT cygwin DOT com
Red Hat