Hi,
the following patch removes some of the Cygwin specific code from
OpenSSH.
Since Cygwin is able to change the user context on NT/W2K even without
a password since the new Cygwin version 1.3.2, there's no need anymore
to allow changing the user context only if the sshd user is the same
user as the one which logs in or when a password is given.
For that reason the whole function `check_nt_auth' and all code which
uses it are completely dropped in the following patch.
Index: auth1.c
==================================================================RCS file:
/cvs/openssh_cvs/auth1.c,v
retrieving revision 1.40
diff -u -p -r1.40 auth1.c
--- auth1.c 2001/03/24 00:37:59 1.40
+++ auth1.c 2001/05/23 09:40:49
@@ -313,14 +313,7 @@ do_authloop(Authctxt *authctxt)
fatal("INTERNAL ERROR: authenticated invalid user %s",
authctxt->user);
-#ifdef HAVE_CYGWIN
- if (authenticated &&
- !check_nt_auth(type == SSH_CMSG_AUTH_PASSWORD,pw->pw_uid)) {
- packet_disconnect("Authentication rejected for uid %d.",
- (int)pw->pw_uid);
- authenticated = 0;
- }
-#else
+#ifndef HAVE_CYGWIN
/* Special handling for root */
if (authenticated && authctxt->pw->pw_uid == 0 &&
!auth_root_allowed(get_authname(type)))
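Review bot: Removing the `check_nt_auth` rejection here in do_authloop, and likewise in userauth_none, userauth_passwd, userauth_kbdint and userauth_pubkey in auth2.c, leaves nothing that fails closed when sshd runs against a Cygwin DLL older than 1.3.2, the first version the description says can switch user context without a password. On such a system a non-password login for a uid other than sshd's own would now pass authentication, and what the later context switch does is not visible in this patch, so the session may not end up running as the intended account. I would keep a guard for that case, for example a configure-time minimum Cygwin version or a startup check that refuses to run on an older DLL, rather than trusting whatever DLL is installed. The remaining `#ifndef HAVE_CYGWIN` should also get a short comment saying why the root-login check is skipped on Cygwin. do_authloop begins and ends outside the hunk, as does the matching `#endif`.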
Index: auth2.c
==================================================================RCS file:
/cvs/openssh_cvs/auth2.c,v
retrieving revision 1.59
diff -u -p -r1.59 auth2.c
--- auth2.c 2001/04/25 12:44:15 1.59
+++ auth2.c 2001/05/23 09:40:49
@@ -354,10 +354,6 @@ userauth_none(Authctxt *authctxt)
if (authctxt->valid == 0)
return(0);
-#ifdef HAVE_CYGWIN
- if (check_nt_auth(1, authctxt->pw->pw_uid) == 0)
- return(0);
-#endif
#ifdef USE_PAM
return auth_pam_password(authctxt->pw, "");
#elif defined(HAVE_OSF_SIA)
@@ -380,9 +376,6 @@ userauth_passwd(Authctxt *authctxt)
password = packet_get_string(&len);
packet_done();
if (authctxt->valid &&
-#ifdef HAVE_CYGWIN
- check_nt_auth(1, authctxt->pw->pw_uid) &&
-#endif
#ifdef USE_PAM
auth_pam_password(authctxt->pw, password) == 1)
#elif defined(HAVE_OSF_SIA)
@@ -418,10 +411,6 @@ userauth_kbdint(Authctxt *authctxt)
#endif
xfree(lang);
xfree(devs);
-#ifdef HAVE_CYGWIN
- if (check_nt_auth(0, authctxt->pw->pw_uid) == 0)
- return(0);
-#endif
return authenticated;
}
@@ -524,10 +513,6 @@ userauth_pubkey(Authctxt *authctxt)
debug2("userauth_pubkey: authenticated %d pkalg %s", authenticated,
pkalg);
xfree(pkalg);
xfree(pkblob);
-#ifdef HAVE_CYGWIN
- if (check_nt_auth(0, authctxt->pw->pw_uid) == 0)
- return(0);
-#endif
return authenticated;
}
Index: openbsd-compat/bsd-cygwin_util.c
==================================================================RCS file:
/cvs/openssh_cvs/openbsd-compat/bsd-cygwin_util.c,v
retrieving revision 1.4
diff -u -p -r1.4 bsd-cygwin_util.c
--- openbsd-compat/bsd-cygwin_util.c 2001/04/13 14:28:42 1.4
+++ openbsd-compat/bsd-cygwin_util.c 2001/05/23 09:40:50
@@ -54,22 +54,6 @@ int binary_pipe(int fd[2])
return ret;
}
-int check_nt_auth(int pwd_authenticated, uid_t uid)
-{
- /*
- * The only authentication which is able to change the user
- * context on NT systems is the password authentication. So
- * we deny all requsts for changing the user context if another
- * authentication method is used.
- * This may change in future when a special openssh
- * subauthentication package is available.
- */
- if (is_winnt && !pwd_authenticated && geteuid() != uid)
- return 0;
-
- return 1;
-}
-
int check_ntsec(const char *filename)
{
char *cygwin;
Index: openbsd-compat/bsd-cygwin_util.h
==================================================================RCS file:
/cvs/openssh_cvs/openbsd-compat/bsd-cygwin_util.h,v
retrieving revision 1.4
diff -u -p -r1.4 bsd-cygwin_util.h
--- openbsd-compat/bsd-cygwin_util.h 2001/04/13 14:28:43 1.4
+++ openbsd-compat/bsd-cygwin_util.h 2001/05/23 09:40:50
@@ -24,7 +24,6 @@
int binary_open(const char *filename, int flags, ...);
int binary_pipe(int fd[2]);
-int check_nt_auth(int pwd_authenticated, uid_t uid);
int check_ntsec(const char *filename);
#define open binary_open
Corinna
--
Corinna Vinschen
Cygwin Developer
Red Hat, Inc.
mailto:vinschen at redhat.com