OpenSSH public key authentication: suspicios in domain environment.

Konstantin Andreev pkl@datatech.ru
Thu Sep 16 19:17:00 GMT 2004


Suppose, I have Windows XP workstation (TEX), member of domain DOM
(Microsoft Windows Networking), and Cygwin/SSH daemon are running
on this workstation (TEX).

Suppose, on TEX, I set up record in /etc/passwd for domain user DOMUSR.

If I logon on TEX as DOMUSR with password authentication, this logon
is indistinguishable from regular local logon to TEX:

   - record in Security Log appeares
   - command shell is assigned with identical Access Token, and
     privileges.
   - command shell is running under DOMUSR account.

But, if I try to logon on TEX as DOMUSR with public key authentication,
logon succeeds, but strange things appears:

   - *NO* record appears in Security Log about logon event.
   - command shell has strange Access Token, in particular, it does
     not contain these SIDS:
         - Logon SID  (S-1-5-5-0-...)
         - S-1-5-4  NT AUTHORITY\INTERACTIVE
         - S-1-2-0  \LOCAL
   - command shell holds all privileges enabled (like SYSTEM process),
     whereas some of the privileges should be disabled.
   - some utilities consider command shell process as running under
     "NT AUTHORITY\SYSTEM" account, in particular, "whoami.exe" from
     "Windows Server 2003 Resource Kit Tools".

Could anybody comment this ?

-- -
TOR Trade Company, IT Department,
Konstantin Andreev.



--
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple
Problem reports:       http://cygwin.com/problems.html
Documentation:         http://cygwin.com/docs.html
FAQ:                   http://cygwin.com/faq/



More information about the Cygwin mailing list