This is the mail archive of the cygwin-developers@cygwin.com mailing list for the Cygwin project.



RE: Subauthentication


> I have one concern: does subauthentication require access
> to the PDC for domain users?

Yes. The subauthentication dll would have to be installed on a domain
controller. I suppose that's almost never
going to be the case. So it's only going to work for local users.

> I would prefer keeping it that way, thus possibly skipping the
> call to subauth when setgroups has been called (ftpd, telnetd,
> sshd do not call setgroups, AFAIK). It is also unlikely that
> the token created by subauth would match the groups specified
> by setgroups.

Couldn't we just always call subauth and just check if it was successful?
That way, a user could install the cygwin subauthentication module on
whatever machine he needs to.
If subauth is successful, we let verify_token decide whether to use the
subauth token or to call create_token, but at least have create_token use
the subauth token's logon session id.

Like in the following algorithm:

// Always call subauthentication. If a subauth dll is installed (either
// locally or on the PDC), it will succeed. Otherwise, it will fail.

SubauthToken = CallSubauthentication(...);

// Check if subauthentication was successful
if (IsValidToken(SubauthToken))
{
  if (verify_token(SubauthToken))
    // Use subauthentication token
    NewToken = SubauthToken;
  else
    // Call NtCreateToken, but use SubauthToken's logon session id
    NewToken = create_token(SubauthToken.LogonSessionId, ...);
}
else
{
  // Call NtCreateToken and use current logon session id
  NewToken = create_token(CurrentLogonSessionId, ...);
}


Hartmut

