Hi, I just uploaded a cygwin-1.7.0-33 release which contains the new feature explained below.
For a long time we have had the feature that you can use ssh or rsh or cron without a password. But all methods which don't use a password have a major drawback: the user token has no credentials which allow the usual simple network access without additional hassle. This makes, for instance, automated remote scripting which needs network access a rather painful experience.

Interix, OTOH, has a command called `regpwd', which allows you to specify a password for the current user, which is then stored in some hidden, obfuscated area in the registry (HKLM\SECURITY\Policy\Secrets). This same area in the registry is also used by the OS to store passwords of accounts running Windows services.

The latest changes I applied today add this ability to Cygwin as well. I'm only disappointed that it took me so long, because the LSA functions to access this area have been documented for ages and I've read the LSA docs a lot. Oh well.

When a privileged process calls setuid/seteuid, Cygwin now first checks if a password has been stored for the uid given as argument. It checks in two locations, the one maintained by Cygwin as well as the one maintained by Interix. So, if your account already has a password stored by Interix' regpwd, you can just use it in Cygwin. If a password is found, it's used in a call to LogonUser. If this call succeeds, the token is used to switch the user context and you get all your usual network access "for free"(*). Otherwise Cygwin falls back to the other methods, LSA authentication using Cygwin's LSA authentication DLL, or using NtCreateToken as last resort.

To store a password in the registry, use the new -R/--reg-store-pwd option to passwd(1). Note that storing a password in the registry this way is a privileged operation. It's only accessible to Administrators. When a normal user wants to store a password in the registry this way, a workaround is necessary. The workaround is cygserver running as a privileged service. So, when cygserver is running, even a normal user can enter his/her password with

  bash$ CYGWIN=server passwd -R

I also added the changes to passwd to the docs (which I uploaded to http://cygwin.com/1.7/cygwin-ug-net.html and http://cygwin.com/1.7/cygwin-ug-net/cygwin-ug-net.html), but there's still a lot missing in the ntsec documentation. Sorry about that.

Have fun,
Corinna

(*) "for free" isn't quite right, of course. You're giving up on security. The passwords are stored two-way encrypted in a registry area only accessible to admins and the system. The Cygwin password is accessible only to local admins, not from remote as is the Interix password. However, if somebody gets admin access to your machine, you lost. OTOH, if somebody got admin access to your machine anyway, you probably have other, more pressing problems.

--
Corinna Vinschen                  Please, send mails regarding Cygwin to
Cygwin Project Co-Leader          cygwin AT cygwin DOT com
Red Hat
