On Sat, Feb 13, 2016 at 8:29 PM, David Willis wrote: > Hmm, storing the password in the registry would probably not be optimal... I > would probably rather deal with lack of network share access from SSH > sessions than store a plaintext password (haven't tested it so I can't say > for sure, but since I see no mention of encrypting or hashing the password > I'm guessing it is stored in plaintext)...
It is encrypted, but since cygwin needs to be able to use that password to authenticate against Windows processes for the network authentication, it is a reversible encryption, so it would be relatively easy for a determined attacker to code their own reversal of the encryption. The full doc calls it obfuscation to avoid confusion with the usual one way encryption done on passwords. I have not looked at where in the registry it is stored or what the permissions on those keys are, but I would assume local admin privilege is required to access it since the doc also states users can't save the password if the cygwin processes are not running and cyg_server requires local admin; logical extension, since the process already requires local admin, make local admin required to read the encrypted saved passwords. (Again, this is my assumption; I have not looked it up). > For authenticated access within a session, I would think it would be better > if the user was prompted to enter their password when attempting to access a > share, similar to what happens when attempting to access a share via Windows > Explorer (if you don't already have access with your currently logged on > credentials). I think based on everything I've found out this would be the > best solution to this scenario for SSH users that log in using key > authentication. "best", possibly, though may or may not be feasible, and "best" is often very subjective. Also would reduce the "Linux look and feel" that is one of the goals on cygwin. > And to your second point, that is also what I would expect, is that if > anything there would be NO network access, rather than access based on the > account that the sshd process is running as, regardless of its access. > However what I gathered from Achim's message is that the access level of > cyg_server is precisely the reason the user would have network share access > with that account's privileges. Yes... I was very surprised to say the least that I could access the c$ admin share with a non-admin account... that opens things like replacing core OS files very easily to anyone who authenticates with a public key. -- Erik -- Problem reports: http://cygwin.com/problems.html FAQ: http://cygwin.com/faq/ Documentation: http://cygwin.com/docs.html Unsubscribe info: http://cygwin.com/ml/#unsubscribe-simple
