This is the mail archive of the cygwin mailing list for the Cygwin project.



RESOLVED: Problem configuring ssh with public key Authentication - help!


Hello,

Just wanted to say thanks for all your responses to my initial email.  In
the end, it was just a matter of adding the sshd windows user to the
'Administrators' group.  I found this in an earlier post on this topic (any
chance of having this info added to the faq?).

Special thanks to Mark de Jong for the simple instructions!

Warm Regards,
Ken


SSHD, Cygwin and Windows 2003

From: Mark J de Jong <dejongm at secdog dot com> 
To: cygwin at cygwin dot com 
Date: 15 Sep 2003 15:29:48 -0400 
Subject: SSHD, Cygwin and Windows 2003 

----------------------------------------------------------------------------

Hello,
I've looked and couldn't find decent docs on this so for those of you
who are lookin', this is a quick howto on how to set up the
Cygwin/OpenSSH daemon on M$ Windows 2003. This will fix the passwordless
(ssh key) login issue.

1. Install Cygwin with the openssh binaries....
2. After completing the Cygwin setup, go to the cygwin command prompt and
type 'ssh-host-config'
3. Answer 'y' when asked if you want to run sshd with privilege separation.
4. Answer 'y' when asked if user sshd should be created by the script.
5. Answer 'y' when asked if you want sshd to be created as a service.
6. Create a new windows user named "sshdproc" or whatever you wish the
sshd process account username to be. If you happen to notice the sshd
user being disabled, don't enable it!
7. Place the sshdproc user in the "Administrators" group.
8. Give the sshdproc user the following system rights:
	* Create a token object
	* Log on as a service
	* Replace a process level token

	And for security.....
	* Deny log on locally
	* Deny access to this computer from the network

9. Reconfigure the "CYGWIN sshd service" to run as the new "sshdproc"
user.
10. At the cygwin command prompt type 'mkpasswd -l |grep sshdproc >>
/etc/passwd <enter>'
11. Type 'touch /var/log/sshd.log <enter>'
12. Type 'chmod 644 /var/log/sshd.log <enter>'
13. Type 'chown sshdproc /var/empty /var/log/sshd.log /etc/ssh_* <enter>'
14. Type 'cygrunsrv --start sshd <enter>'

That should be it. Hope this helps! :)

Best,
Mark J. de Jong
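The howto above ends in a run of shell steps that are easy to get half right, and a skipped one only shows up later as the kind of opaque "Exit status 255" seen in Ken's debug output. As an added example that is not part of this thread, the following Cygwin bash script checks the mkpasswd, touch, chmod and chown steps against the service account before the service is started; it assumes GNU stat (as shipped with Cygwin) and takes the account name and every path as parameters, with "sshdproc" being only the howto's example name.

```shell
#!/bin/bash
# Added example (not from the thread): preflight for the howto's dedicated sshd
# service account: the mkpasswd, touch, chmod and chown steps above, checked
# before cygrunsrv starts the service. Assumes GNU stat as shipped with Cygwin.
# Account name and paths are parameters; "sshdproc" is the howto's example name.

# passwd_has_user PASSWD_FILE USER -> 0 if USER has an entry (mkpasswd step)
passwd_has_user() {
    grep -q "^$2:" "$1"
}

# mode_is MODE PATH -> 0 if PATH's permission bits are exactly MODE, e.g. 644
mode_is() {
    [ "$(stat -c %a "$2")" = "$1" ]
}

# owned_by USER PATH... -> prints every path that is missing or not owned by
# USER; returns 0 only when all of them are owned by USER (chown step)
owned_by() {
    local user=$1 rc=0 p owner
    shift
    for p in "$@"; do
        if [ ! -e "$p" ]; then
            printf 'missing: %s\n' "$p"; rc=1
            continue
        fi
        owner=$(stat -c %U "$p")
        if [ "$owner" != "$user" ]; then
            printf 'owned by %s, expected %s: %s\n' "$owner" "$user" "$p"; rc=1
        fi
    done
    return $rc
}

# sshd_preflight USER PASSWD_FILE LOGFILE EMPTYDIR HOSTKEY...
# Runs the checks in the howto's order and names the step that was skipped.
# Returns 0 when the service account setup is consistent, 1 otherwise.
sshd_preflight() {
    local user=$1 passwd=$2 logfile=$3 emptydir=$4 rc=0
    shift 4
    passwd_has_user "$passwd" "$user" ||
        { echo "mkpasswd step: no entry for $user in $passwd"; rc=1; }
    if [ -f "$logfile" ]; then
        mode_is 644 "$logfile" || { echo "chmod step: $logfile is not mode 644"; rc=1; }
    else
        echo "touch step: $logfile does not exist"; rc=1
    fi
    owned_by "$user" "$emptydir" "$logfile" "$@" ||
        { echo "chown step: chown $user the paths listed above"; rc=1; }
    return $rc
}

# Last step, only on the Windows box, gated on a clean preflight:
# sshd_preflight sshdproc /etc/passwd /var/log/sshd.log /var/empty /etc/ssh_* && cygrunsrv --start sshd
```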



-----Original Message-----
From: Leong, Kenneth (HEALTH) [mailto:Kenneth.Leong@health.sa.gov.au] 
Sent: Monday, 9 August 2004 5:57 PM
To: 'cygwin@cygwin.com'
Subject: Problem configuring ssh with public key Authentication - help!


Hi all,

After spending several hours trying to get unattended ssh to work, I have
run into a brick wall and would like to know if anybody can help me out.  I
think the solution is just a configuration setting, but it's got me quite
stumped (even after Googling around).

Scenario - ultimately, would like to use SSH from a unix box (Solaris 9) to
run a script on a Windows Server 2003 box with Cygwin (1.5.10) installed.

I am able to ssh and execute a script (runme.sh) on the win box from the
unix box with *password* authentication, no problem.  However, when I try
public key authentication (putting private key file in the ~/.ssh directory
on the unix box and adding the corresponding public key in the
~/.ssh/authorized_keys file on the Windows/Cygwin box), the script does not
execute on the win box.

According to the debug (attached), there does not appear to be anything
wrong with private/public key authentication - and in fact, the
runme.sh script does apparently get called.  The only telltale sign seems
to be an exit code of 255 (rather than 0).  Has anybody experienced this
before and know how to fix it?

I have included the following attachments:
1) debug from password authentication (this works fine)
2) debug from public key authentication (note the exit code)
3) sshd_config file on Windows/Cygwin box (pretty much out-of-the-box)
4) various directory/file permissions (I've read widely that these can be a
problem)

Any help is greatly appreciated!

TIA,
Ken


1) Password Authentication debug
# ssh -v -v -v -l myLogin winServerName ". runme.sh"
SSH Version Sun_SSH_1.0, protocol versions 1.5/2.0.
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: ssh_connect: getuid 0 geteuid 0 anon 0
debug1: Connecting to winServerName [winServerIP] port 22.
debug1: Allocated local port 964.
debug1: Connection established.
debug1: identity file //.ssh/identity type 3
debug1: identity file //.ssh/id_rsa type 3
debug1: identity file //.ssh/id_dsa type 3
debug1: Remote protocol version 2.0, remote software version OpenSSH_3.8.1p1
debug1: match: OpenSSH_3.8.1p1 pat ^OpenSSH
Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-Sun_SSH_1.0
debug1: sent kexinit: diffie-hellman-group1-sha1
debug1: sent kexinit: ssh-rsa,ssh-dss
debug1: sent kexinit: aes128-cbc,blowfish-cbc,3des-cbc,rijndael128-cbc
debug1: sent kexinit: aes128-cbc,blowfish-cbc,3des-cbc,rijndael128-cbc
debug1: sent kexinit: hmac-sha1,hmac-md5
debug1: sent kexinit: hmac-sha1,hmac-md5
debug1: sent kexinit: none
debug1: sent kexinit: none
debug1: sent kexinit: /en_AU.ISO8859-1/en_AU.ISO8859-1/en_AU.ISO8859-1/en_AU.ISO8859-1/en_AU.ISO8859-1/C
debug1: sent kexinit: /en_AU.ISO8859-1/en_AU.ISO8859-1/en_AU.ISO8859-1/en_AU.ISO8859-1/en_AU.ISO8859-1/C
debug1: send KEXINIT
debug1: done
debug1: wait KEXINIT
debug1: got kexinit: diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1
debug1: got kexinit: ssh-rsa,ssh-dss
debug1: got kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se,aes128-ctr,aes192-ctr,aes256-ctr
debug1: got kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se,aes128-ctr,aes192-ctr,aes256-ctr
debug1: got kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug1: got kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug1: got kexinit: none,zlib
debug1: got kexinit: none,zlib
debug1: got kexinit:
debug1: got kexinit:
debug1: first kex follow: 0
debug1: reserved: 0
debug1: done
debug2: mac_init: found hmac-sha1
debug1: kex: server->client unable to decide common locale
debug1: kex: server->client aes128-cbc hmac-sha1 none
debug2: mac_init: found hmac-sha1
debug1: kex: client->server unable to decide common locale
debug1: kex: client->server aes128-cbc hmac-sha1 none
debug1: Sending SSH2_MSG_KEXDH_INIT.
debug1: bits set: 519/1024
debug1: Wait SSH2_MSG_KEXDH_REPLY.
debug1: Got SSH2_MSG_KEXDH_REPLY.
debug1: Host 'winServerName' is known and matches the RSA host key.
debug1: Found key in //.ssh/known_hosts:1
debug1: bits set: 522/1024
debug1: ssh_rsa_verify: signature correct
debug1: Wait SSH2_MSG_NEWKEYS.
debug1: GOT SSH2_MSG_NEWKEYS.
debug1: send SSH2_MSG_NEWKEYS.
debug1: done: send SSH2_MSG_NEWKEYS.
debug1: done: KEX2.
debug1: send SSH2_MSG_SERVICE_REQUEST
debug1: service_accept: ssh-userauth
debug1: got SSH2_MSG_SERVICE_ACCEPT
debug3: input_userauth_banner
Hello from winServerName!
debug1: authentications that can continue: publickey,password,keyboard-interactive
debug3: start over, passed a different list
debug3: authmethod_lookup publickey
debug3: authmethod_is_enabled publickey
debug1: next auth method to try is publickey
debug1: key does not exist: //.ssh/identity
debug1: key does not exist: //.ssh/id_rsa
debug1: key does not exist: //.ssh/id_dsa
debug2: we did not send a packet, disable method
debug3: authmethod_lookup publickey
debug3: authmethod_lookup password
debug3: authmethod_is_enabled password
debug1: next auth method to try is password
myLogin@winServerName's password:
debug2: we sent a password packet, wait for reply
debug1: ssh-userauth2 successfull: method password
debug1: channel 0: new [client-session]
debug1: send channel open 0
debug1: Entering interactive session.
debug2: callback start
debug1: client_init id 0 arg 0
debug1: Sending command: . runme.sh
debug2: callback done
debug1: channel 0: open confirm rwindow 0 rmax 32768
debug2: channel 0: rcvd adjust 131072
debug1: channel: 0 rcvd request for exit-status
debug1: cb_fn 267a4 cb_event 91
debug1: channel 0: rcvd eof
debug1: channel 0: output open->drain
debug1: channel 0: rcvd close
debug1: channel 0: input open->closed
debug1: channel 0: close_read
debug1: channel 0: obuf empty
debug1: channel 0: output drain->closed
debug1: channel 0: close_write
debug1: channel 0: send close
debug1: channel 0: full closed2
debug1: channel_free: channel 0: status: The following connections are open:
  #0 client-session (t4 r0 i8/0 o128/0 fd -1/-1)

debug1: channel_free: channel 0: dettaching channel user
debug2: !channel_still_open.
debug1: Transferred: stdin 0, stdout 0, stderr 0 bytes in 0.2 seconds
debug1: Bytes per second: stdin 0.0, stdout 0.0, stderr 0.0
debug1: Exit status 0


2) Public Key authentication debug
# ssh -v -v -v -l myLogin winServerName ". runme.sh"
SSH Version Sun_SSH_1.0, protocol versions 1.5/2.0.
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: ssh_connect: getuid 0 geteuid 0 anon 0
debug1: Connecting to winServerName [winServerIP] port 22.
debug1: Allocated local port 965.
debug1: Connection established.
debug1: identity file //.ssh/identity type 3
debug1: Bad RSA1 key file //.ssh/id_rsa.
debug1: identity file //.ssh/id_rsa type 3
debug1: identity file //.ssh/id_dsa type 3
debug1: Remote protocol version 2.0, remote software version OpenSSH_3.8.1p1
debug1: match: OpenSSH_3.8.1p1 pat ^OpenSSH
Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-Sun_SSH_1.0
debug1: sent kexinit: diffie-hellman-group1-sha1
debug1: sent kexinit: ssh-rsa,ssh-dss
debug1: sent kexinit: aes128-cbc,blowfish-cbc,3des-cbc,rijndael128-cbc
debug1: sent kexinit: aes128-cbc,blowfish-cbc,3des-cbc,rijndael128-cbc
debug1: sent kexinit: hmac-sha1,hmac-md5
debug1: sent kexinit: hmac-sha1,hmac-md5
debug1: sent kexinit: none
debug1: sent kexinit: none
debug1: sent kexinit: /en_AU.ISO8859-1/en_AU.ISO8859-1/en_AU.ISO8859-1/en_AU.ISO8859-1/en_AU.ISO8859-1/C
debug1: sent kexinit: /en_AU.ISO8859-1/en_AU.ISO8859-1/en_AU.ISO8859-1/en_AU.ISO8859-1/en_AU.ISO8859-1/C
debug1: send KEXINIT
debug1: done
debug1: wait KEXINIT
debug1: got kexinit: diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1
debug1: got kexinit: ssh-rsa,ssh-dss
debug1: got kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se,aes128-ctr,aes192-ctr,aes256-ctr
debug1: got kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se,aes128-ctr,aes192-ctr,aes256-ctr
debug1: got kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug1: got kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug1: got kexinit: none,zlib
debug1: got kexinit: none,zlib
debug1: got kexinit:
debug1: got kexinit:
debug1: first kex follow: 0
debug1: reserved: 0
debug1: done
debug2: mac_init: found hmac-sha1
debug1: kex: server->client unable to decide common locale
debug1: kex: server->client aes128-cbc hmac-sha1 none
debug2: mac_init: found hmac-sha1
debug1: kex: client->server unable to decide common locale
debug1: kex: client->server aes128-cbc hmac-sha1 none
debug1: Sending SSH2_MSG_KEXDH_INIT.
debug1: bits set: 476/1024
debug1: Wait SSH2_MSG_KEXDH_REPLY.
debug1: Got SSH2_MSG_KEXDH_REPLY.
debug1: Host 'winServerName' is known and matches the RSA host key.
debug1: Found key in //.ssh/known_hosts:1
debug1: bits set: 519/1024
debug1: ssh_rsa_verify: signature correct
debug1: Wait SSH2_MSG_NEWKEYS.
debug1: GOT SSH2_MSG_NEWKEYS.
debug1: send SSH2_MSG_NEWKEYS.
debug1: done: send SSH2_MSG_NEWKEYS.
debug1: done: KEX2.
debug1: send SSH2_MSG_SERVICE_REQUEST
debug1: service_accept: ssh-userauth
debug1: got SSH2_MSG_SERVICE_ACCEPT
debug3: input_userauth_banner
Hello from winServerName!
debug1: authentications that can continue: publickey,password,keyboard-interactive
debug3: start over, passed a different list
debug3: authmethod_lookup publickey
debug3: authmethod_is_enabled publickey
debug1: next auth method to try is publickey
debug1: key does not exist: //.ssh/identity
debug1: try pubkey: //.ssh/id_rsa
debug1: read SSH2 private key done: name rsa w/o comment success 1
debug3: sign_and_send_pubkey
debug2: ssh_rsa_sign: done
debug2: we sent a publickey packet, wait for reply
debug1: ssh-userauth2 successfull: method publickey
debug1: channel 0: new [client-session]
debug1: send channel open 0
debug1: Entering interactive session.
debug2: callback start
debug1: client_init id 0 arg 0
debug1: Sending command: . runme.sh
debug2: callback done
debug1: channel 0: open confirm rwindow 0 rmax 32768
debug2: channel 0: rcvd adjust 131072
debug1: channel 0: rcvd eof
debug1: channel 0: output open->drain
debug1: channel 0: obuf empty
debug1: channel 0: output drain->closed
debug1: channel 0: close_write
debug1: channel: 0 rcvd request for exit-status
debug1: cb_fn 267a4 cb_event 91
debug1: channel 0: rcvd close
debug1: channel 0: input open->closed
debug1: channel 0: close_read
debug1: channel 0: send close
debug1: channel 0: full closed2
debug1: channel_free: channel 0: status: The following connections are open:
  #0 client-session (t4 r0 i8/0 o128/0 fd -1/-1)

debug1: channel_free: channel 0: dettaching channel user
debug2: !channel_still_open.
debug1: Transferred: stdin 0, stdout 0, stderr 0 bytes in 0.2 seconds
debug1: Bytes per second: stdin 0.0, stdout 0.0, stderr 0.0
debug1: Exit status 255


3) contents of sshd_config file
#       $OpenBSD: sshd_config,v 1.68 2003/12/29 16:39:50 millert Exp $

# This is the sshd server system-wide configuration file.  See
# sshd_config(5) for more information.

# This sshd was compiled with PATH=/bin:/usr/sbin:/sbin:/usr/bin

# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented.  Uncommented options change a
# default value.

Port 22
#Protocol 2,1
#ListenAddress 0.0.0.0
#ListenAddress ::

# HostKey for protocol version 1
#HostKey /etc/ssh_host_key
# HostKeys for protocol version 2
#HostKey /etc/ssh_host_rsa_key
#HostKey /etc/ssh_host_dsa_key

# Lifetime and size of ephemeral version 1 server key
#KeyRegenerationInterval 1h
#ServerKeyBits 768

# Logging
#obsoletes QuietMode and FascistLogging
#SyslogFacility AUTH
#LogLevel INFO

# Authentication:

#LoginGraceTime 2m
#PermitRootLogin yes
StrictModes no

#RSAAuthentication yes
#PubkeyAuthentication yes
#AuthorizedKeysFile     .ssh/authorized_keys

# For this to work you will also need host keys in /etc/ssh_known_hosts
#RhostsRSAAuthentication no
# similar for protocol version 2
#HostbasedAuthentication no
# Change to yes if you don't trust ~/.ssh/known_hosts for
# RhostsRSAAuthentication and HostbasedAuthentication
IgnoreUserKnownHosts yes
# Don't read the user's ~/.rhosts and ~/.shosts files
IgnoreRhosts yes

# To disable tunneled clear text passwords, change to no here!
#PasswordAuthentication yes
#PermitEmptyPasswords no

# Change to no to disable s/key passwords
#ChallengeResponseAuthentication yes

# Kerberos options
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
#KerberosGetAFSToken no

# GSSAPI options
#GSSAPIAuthentication no
#GSSAPICleanupCredentials yes

# Set this to 'yes' to enable PAM authentication (via challenge-response)
# and session processing. Depending on your PAM configuration, this may
# bypass the setting of 'PasswordAuthentication' and 'PermitEmptyPasswords'
#UsePAM no

#AllowTcpForwarding yes
#GatewayPorts no
#X11Forwarding no
#X11DisplayOffset 10
#X11UseLocalhost yes
#PrintMotd yes
#PrintLastLog yes
#TCPKeepAlive yes
#UseLogin no
UsePrivilegeSeparation yes
#PermitUserEnvironment no
#Compression yes
#ClientAliveInterval 0
#ClientAliveCountMax 3
#UseDNS yes
#PidFile /var/run/sshd.pid
#MaxStartups 10

# no default banner path
Banner /etc/banner.txt

# override default of no subsystems
#Subsystem      sftp    /usr/sbin/sftp-server


4)  various file/directory permissions
myLogin@winServerName /home
$ ls -la
total 0
drwxrwxrwx+   3 Administ Domain U        0 Jul 29 11:08 .
drwxrwx---+   9 Administ Users           0 Jul 29 14:11 ..
drwxr-xr-x+   3 Administ Domain U        0 Aug  9 15:33 myLogin

myLogin@winServerName ~
$ ls -la
total 6
drwxr-xr-x+   3 Administ Domain U        0 Aug  9 15:33 .
drwxrwxrwx+   3 Administ Domain U        0 Jul 29 11:08 ..
-rw-------    1 Administ Domain U      638 Aug  9 16:09 .bash_history
-rwxr-xr-x    1 Administ Domain U      533 Jul 29 11:08 .bash_profile
-rwxr-xr-x    1 Administ Domain U      625 Jul 29 11:08 .bashrc
-rwxr-xr-x    1 Administ Domain U      267 Jul 29 11:08 .inputrc
drwxr-xr-x+   2 Administ Domain U        0 Aug  9 15:33 .ssh
-rwxr-xr-x    1 Administ Domain U       15 Aug  9 11:00 runme.sh
-rw-r--r--    1 Administ Domain U        6 Aug  9 16:10 test.txt

myLogin@winServerName ~/.ssh
$ ls -la
total 1
drwxr-xr-x+   2 Administ Domain U        0 Aug  9 15:33 .
drwxr-xr-x+   3 Administ Domain U        0 Aug  9 15:33 ..
-rw-r--r--    1 Administ Domain U      222 Aug  9 09:59 authorized_keys

--
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple
Problem reports:       http://cygwin.com/problems.html
Documentation:         http://cygwin.com/docs.html
FAQ:                   http://cygwin.com/faq/
