This is the mail archive of the cygwin mailing list for the Cygwin project.



Re: sshd+ssh localhost connects, but don't reach the shell


Vilar Camara wrote:
[snip]
> Now that's strange: in that verbose list there is no program listening
> on port 22.  The only reference to sshd is in the following block:
> 
>  UDP    127.0.0.1:2186         *:*                                    2848
>  C:\WINDOWS\system32\ZoneLabs\vetredir.dll
>  C:\WINDOWS\system32\imslsp.dll
>  C:\WINDOWS\system32\ws2_32.dll
>  C:\cygwin\bin\cygwin1.dll
>  [sshd.exe]
> 
> The first DLL is a ZoneAlarm (firewall) one. This is curious, because
> that DLL is around even if the firewall is off. (The service related to
> ZA's firewall is called "TrueVector" and it is stopped in the Services
> list.) The port (2186) varies from run to run.

Your test is better than mine, when I tried 'netstat -anbv | grep -B 4 -A 2
"ssh"' I got:

...
>   TCP    0.0.0.0:22             0.0.0.0:0              LISTENING       2000
>   [sshd.exe]
...
> --
> 
>   UDP    127.0.0.1:1051         *:*                                    2000
>   C:\WINDOWS\system32\ws2_32.dll
>   C:\Cygwin\bin\cygwin1.dll
>   C:\cygwin\usr\sbin\sshd.exe
>   -- unknown component(s) --
>   C:\WINDOWS\system32\kernel32.dll
>   [sshd.exe]

So the difference is very significant: sshd was not able to bind to port 22, we
don't really know what program is listening to that port, and the UDP port is
probably used by cygrunsrv (the program used to control sshd as service --
that's how services are installed under Cygwin)... and there is the dreaded
firewall dll.

> But it appears in: netstat -an | grep ":22"
> 
>  TCP    0.0.0.0:22             0.0.0.0:0              LISTENING
> 
> Not all entries listed by -an appear on -anbv.

Perhaps the firewall is using some stealth trick, I don't know.

>> Also check: ps -a | grep sshd
>> before and during a test.  Is the UID 18? Does the process have any
>> suspend flags?
> 
> Changed to "ps -a | grep ssh" to include the client.
> Before test:
> 
>     3676     436    3676       2392    ?   18 17:52:14 /usr/sbin/sshd
> 
> During test:
> 
>     3676     436    3676       2392    ?   18 17:52:14 /usr/sbin/sshd
> I    4060     604    4060       2512    0 1003 17:54:12 /usr/bin/ssh
>     1560    3676    1560       2812    ?   18 17:54:12 /usr/sbin/sshd
> 
> That "I" on the client is significant, but as far as we've been
> discussing this is somewhat expected (but not desired :-( ).

It is bad, but it is as we suspected: the client is connected to something and
it is waiting for input.  I think it is not connected to the sshd server but
something that passes the connection later to sshd which spawns the 2nd sshd
that should continue using another port... and that probably never happens so
the client is kept waiting.

[snip]
> It can't proceed: it stops after the message "strace: couldn't attach to
> pid 3844 for debugging".

3844?  Do you mean 1560, or are you reporting about two different tests?

> Doing strace to the original sshd.exe (the non-spawned one) reveals that
> tons of things happen when I run "ssh localhost", but I can't interpret
> all that gibberish output.

Not gibberish, probably Windows function calls (OK, close to gibberish) but the
main server is not interesting, it just spawns the real server.

> After all, I'm really suspicious about that ZoneAlarm DLL. But I think I
> can only purge it if I uninstall the firewall. Oh my.

Mmmm, OK everyone in favor of "Nuke the firewall" raise their hands :-)

Just kidding!  Do both of your computers have the same firewall?
-- 
René Berber
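
Added example, not part of the original message or of Cygwin: a bash helper for the check both posters do by eye above. It parses `netstat -anbv`-style text, reports which executable and modules are attributed to the TCP listener on a port, and fails when no owner is reported. The function names and sample text are constructed for illustration, and English-language netstat output is assumed.

```shell
#!/usr/bin/env bash
# port_owner PORT: read `netstat -anbv`-style text on stdin and print
# "PID EXE MODULES" for every TCP socket LISTENING on PORT.
port_owner() {
  awk -v port="$1" '
    function emit() {
      if (hit) print pid, (exe == "" ? "unknown" : exe), (mods == "" ? "-" : mods)
      hit = 0; exe = ""; mods = ""
    }
    { sub(/\r$/, "") }                        # netstat.exe output is CRLF
    $1 == "TCP" || $1 == "UDP" {              # a socket line opens a new block
      emit()
      hit = ($1 == "TCP" && $4 == "LISTENING" && $2 ~ (":" port "$"))
      pid = ($5 == "" ? "?" : $5); next
    }
    hit && /^[ \t]*\[.*\][ \t]*$/ {           # "[image.exe]" names the owner
      exe = $0; gsub(/^[ \t]*\[|\][ \t]*$/, "", exe); next
    }
    hit && tolower($0) ~ /\.(dll|exe)[ \t]*$/ {   # module paths added by -v
      m = $0; sub(/[ \t]+$/, "", m); sub(/.*\\/, "", m)
      mods = mods (mods == "" ? "" : ",") m
    }
    END { emit() }'
}

# check_listener PORT EXE: succeed only if PORT has a listener and every
# listener on it is attributed to EXE.
check_listener() {
  local owners
  owners=$(port_owner "$1")
  [ -n "$owners" ] || { echo "port $1: no owning process reported"; return 1; }
  echo "$owners" | awk -v want="$2" '$2 != want { bad = 1 } END { exit bad + 0 }' \
    || { echo "port $1: listener not attributed to $2: $owners"; return 1; }
  echo "port $1: $owners"
}

# Constructed samples modelled on the two outputs quoted in the message.
SAMPLE_OWNED='  TCP    0.0.0.0:22             0.0.0.0:0              LISTENING       2000
  C:\WINDOWS\system32\ws2_32.dll
  C:\cygwin\bin\cygwin1.dll
  [sshd.exe]'
SAMPLE_UNOWNED='  UDP    127.0.0.1:2186         *:*                                    2848
  C:\WINDOWS\system32\ZoneLabs\vetredir.dll
  C:\cygwin\bin\cygwin1.dll
  [sshd.exe]'

# On a live host: netstat -anbv | check_listener 22 sshd.exe
```

The module list in the third column makes a third-party DLL loaded into the listener's process visible at a glance, which is the detail the message singles out.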

