The community technical support mailing list was retired in 2010 and replaced with a professional technical support team. For assistance, please contact pre-sales technical support via email at sales@march-hare.com.
>> If you allow users to login without passwords in that way, once that
>> package is on the system it's a potential wide open security hole...
>
> Yes, unfortunately. IIRC there were also other issues, like breaking
> compatibility with the way cygwin currently handles user groups.
>
> I guess a secure SSH server would have to pass the public key to the
> authentication module, which would have to verify it against the user's
> private key, which would have to be stored in a secure location.

The authentication module could just check if the calling process has enough privileges to use NtCreateToken() and impersonate a user via the obtained access token - that is, if the process can make use of the currently used (in CygWin) "broken" impersonation. If this is the case, the authentication module could safely proceed with doing whatever is needed for "normal", non-broken impersonation.

Pavel Goran