ssh access problems

RE: ssh access problems (Rodney)

Fri, 14 Oct 2005 15:21:29 GMT

> Does it mean that you have no possibility to create a "network enabled" token when you don't have the password?

Correct.

> It is not that you don't trust ssh or it would be to much effort, but you really have no chance to create such a token?

Correct.
When I wrote setuser(), setuid(), and setgid() in the Softway days (pre-MS) I worked out how to create tokens
in the Interix subsystem without relying on the LSA to provide them (the typical way). This is how these API's
can work like on regular Unix without a password.
(I had one header file and a debugger to figure out how to do this. There was no assistance from MS or looking at any src code.)
One compromise I had to make at the time was a security identifier assigned by the LSA. There was no API
external to the LSA to generate this correctly. This is what restricts network access. However, after thinking
about it for a while we (the r+d group) thought this was reasonable and actually responsible since the no password
thing was going to be used by programs like rsh and rlogin.

> But there would still be the chance to make a "ssh_regpwd" to register the passwords on every host?

Yes, this is possible. I don't know if this would be "good" or not.
I'd want to ponder on it for a while.

RE: ssh access problems (hp)

Fri, 14 Oct 2005 14:08:47 GMT

Just for my understanding:
Does it mean that you have no possibility to create a "network enabled" token when you don't have the password?
It is not that you don't trust ssh or it would be to much effort, but you really have no chance to create such a token?

But there would still be the chance to make a "ssh_regpwd" to register the passwords on every host?

I ask this because I really want to understand what's going on deep down there in the Windows Kernel.

RE: ssh access problems (Rodney)

Fri, 14 Oct 2005 13:17:30 GMT

> > When you don't provide a password you have local machine access only.
>
>Will this be added in future, or are there security issues that forbid such a mechanism?

Won't be added in the future because there is no mechanism to do so. Essentially the
trust that the local machine is giving the logged in user is not automatically extended
to other machines in the network without a password. When no password is provided there is
no mechanism to create a "network enabled" token. Once a password is given then the "usual"
security paths are followed which will allow network access.

RE: ssh access problems (hp)

Fri, 14 Oct 2005 12:04:33 GMT

Ok, thank you!

> When you don't provide a password you have local machine access only.

Will this be added in future, or are there security issues that forbid such a mechanism?

RE: ssh access problems (Rodney)

Fri, 14 Oct 2005 10:27:45 GMT

> Could you please confirm this:

That quote was from December, 2004. A while back now.
The current state is:
When you provide a password you have a security token that can access network drives.
When you don't provide a password you have local machine access only.

>And there is no "regpwd for ssh"?

The "secret" details of regpwd are not known by me.

RE: ssh access problems (hp)

Fri, 14 Oct 2005 05:55:02 GMT

ORIGINAL: Rodney
The user's account does not have permissions on it's token for network access.
It's the way it is right now. It would take a lot of work to change this so that the
SSH security doesn't get broken/compromised. It's a case of funding the work because it
will take a non-trivial amount of time & effort.

Could you please confirm this:
When logging in to the Interix host with ssh, the user never has network access, even when providing his password to ssh?
And there is no "regpwd for ssh"?

RE: ssh access problems (ncx)

Thu, 30 Dec 2004 05:08:59 GMT

Thanks for the reply.

I understand the ssh security needs but why use the windows authentification mechanisms if it is not possible to use the domain accounts to open an ssh session ?
i can't modify the homedir for each domain account and even if the syntax machineName+localAccount works, the permission still denied "Could not chdir to home directory /dev/fs/D/Test: permission denied"

Then at this time, i can't propose ssh service for anyone except with the root account ?

Please heeeelllllp

ps: where the command chsh put the default shell fro the user ?

RE: ssh access problems (Rodney)

Wed, 29 Dec 2004 14:46:11 GMT

> sorry for my bad english.

Not a problem. My other languages are much poorer than your English!

> And i have not any log in /var/adm/log/* (all empty except init.log) ?
> sorry, i just see that is disabled in /etc/init.d/syslog

Yes, by default syslogd is disabled.
There is a special section on the syslogd manual page explaining
how to activate it.

> With a new local account and the home folder configured or not, i have a "permission denied" too.
> in this case is it possible to prefix the account with the machine name ?

You can always give what is called a Fully Qualified Username (FQUN).
The syntax is "domainname+username" (that is a literal "+" there).
The domainname for a local workstation is usually the same as the machinename.

> the error is "Could not chdir to home directory /net/myserver/users/myuser: permission denied.

The user's account does not have permissions on it's token for network access.
It's the way it is right now. It would take a lot of work to change this so that the
SSH security doesn't get broken/compromised. It's a case of funding the work because it
will take a non-trivial amount of time & effort.

ssh access problems (ncx)

Wed, 29 Dec 2004 13:11:38 GMT

sorry for my bad english.

after the installation of the openssh 3.9 (on w2K domain member server), i can open an ssh session with root account. But with a domain account, the error is "Could not chdir to home directory /net/myserver/users/myuser: permission denied.
With a new local account and the home folder configured or not, i have a "permission denied" too. in this case is it possible to prefix the account with the machine name ?

And i have not any log in /var/adm/log/* (all empty except init.log) ?
sorry, i just see that is disabled in /etc/init.d/syslog