Problems with ssh connection

2015-08-17 Thread Jarek C .
I have Cygwin installed on a couple of servers in a domain environment. 
Of all the machines, regular user accounts can ssh to only one box.

Once installed I configured Cygwin using the following in a .bat file.

c:\cygwin\bin\bash --login -c "chmod +r /etc/passwd"
c:\cygwin\bin\bash --login -c "chmod u+w /etc/passwd"
c:\cygwin\bin\bash --login -c "chmod +r /etc/group"
c:\cygwin\bin\bash --login -c "chmod u+w /etc/group"
c:\cygwin\bin\bash --login -c "chown -R domain_account /var/empty"
c:\cygwin\bin\bash --login -c "chmod 755 /var/empty"
c:\cygwin\bin\bash --login -c "chown domain_account /etc/ssh*"
c:\cygwin\bin\bash --login -c "chmod 755 /var/"
c:\cygwin\bin\bash --login -c "touch /var/log/sshd.log"
c:\cygwin\bin\bash --login -c "chown domain_account /var/log/sshd.log"
c:\cygwin\bin\bash --login -c "chmod 664 /var/log/sshd.log"
c:\cygwin\bin\bash --login -c "editrights -l -u domain_account"
c:\cygwin\bin\bash --login -c "editrights -a SeAssignPrimaryTokenPrivilege -u domain_account"
c:\cygwin\bin\bash --login -c "editrights -a SeCreateTokenPrivilege -u domain_account"
c:\cygwin\bin\bash --login -c "editrights -a SeTcbPrivilege -u domain_account"
c:\cygwin\bin\bash --login -c "editrights -a SeServiceLogonRight -u domain_account"
c:\cygwin\bin\bash --login -c "editrights -l -u domain_account"
c:\cygwin\bin\bash --login -c "/bin/ssh-host-config -y -c ntsec -u domain_account -w 'password'"


Somehow the permissions on the sshd_config file are different on the box 
where the sftp connection works:


-rw-r--r-- 1 my_domain_account root 3679 Jul 24 12:44 /etc/sshd_config

whereas on all the others I see

-rw-r--r-- 1 domain_account Administrators 3584 Jul 26 20:51 /etc/sshd_config

where domain_account is the account under which the Cygwin service is running.


When checking NTFS permissions I see the domain_account as the owner in both cases.
I read somewhere that I need to run chown root:system /etc/password to 
fix the permissions, but the account reports as invalid. Same if I try just root or just system.
Am I even close, focusing on the permissions of sshd_config? No idea why 
they're different.
I think I used the same method on all servers, but they were not 
installed at the same time, so it's possible I messed something up. I 
don't want to break the working box, keeping it as a reference. On the others 
I noticed that a regular domain user can connect when their account gets 
added to local admins, which is what I would like to avoid.



--
Problem reports:   http://cygwin.com/problems.html
FAQ:   http://cygwin.com/faq/
Documentation: http://cygwin.com/docs.html
Unsubscribe info:  http://cygwin.com/ml/#unsubscribe-simple
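The .bat script in the post sets ownership and modes on a handful of files and grants the service account four Windows privileges, and the question that follows is whether every box actually ended up in that state. The audit helper below is an added example, not code from this thread or from Cygwin: it parses the `ls -l` lines for the paths the script touches and compares them with what the script sets (owner domain_account; 755 on /var and /var/empty; 664 on /var/log/sshd.log), and it reports which of the four privileges are absent from `editrights -l -u domain_account` output. The sample listings and editrights output embedded in it are constructed, and the assumption that editrights prints one privilege name per line is mine.

```python
"""Audit helper for the Cygwin sshd setup described in the post
(added example, not from the thread).

Inputs are plain text so it can run offline against captured output:
  ls -ld /etc/sshd_config /var /var/empty /var/log/sshd.log  -> audit_files()
  editrights -l -u domain_account                              -> missing_privileges()
The editrights output format (one privilege name per line) is an assumption.
"""

# Privileges the script grants with `editrights -a ... -u domain_account`.
REQUIRED_PRIVILEGES = {
    "SeAssignPrimaryTokenPrivilege",
    "SeCreateTokenPrivilege",
    "SeTcbPrivilege",
    "SeServiceLogonRight",
}

# What the script's chown/chmod lines leave behind. Only attributes the script
# actually sets are checked: it never sets a group, and sshd_config only gets chown'd.
EXPECTED_FILES = {
    "/etc/sshd_config": {"owner": "domain_account"},                       # chown /etc/ssh*
    "/var": {"mode": "drwxr-xr-x"},                                         # chmod 755 /var/
    "/var/empty": {"owner": "domain_account", "mode": "drwxr-xr-x"},        # chown -R, chmod 755
    "/var/log/sshd.log": {"owner": "domain_account", "mode": "-rw-rw-r--"}, # chown, chmod 664
}


def parse_ls_line(line):
    """Split one `ls -l` line into mode, owner, group and path.

    Cygwin prints: <mode> <links> <owner> <group> <size> <mon> <day> <time> <path>;
    the path is the 9th field and may itself contain spaces, hence maxsplit=8.
    """
    fields = line.split(None, 8)
    if len(fields) != 9:
        raise ValueError(f"not an `ls -l` line: {line!r}")
    mode, _links, owner, group, _size, _mon, _day, _time, path = fields
    return {"mode": mode, "owner": owner, "group": group, "path": path}


def audit_files(ls_output, expected=EXPECTED_FILES):
    """Return one finding per deviation from the state the .bat script sets."""
    seen = {}
    for line in ls_output.splitlines():
        if line.strip():
            entry = parse_ls_line(line)
            seen[entry["path"]] = entry
    findings = []
    for path, want in expected.items():
        got = seen.get(path)
        if got is None:
            findings.append(f"{path}: missing from listing")
            continue
        if "owner" in want and got["owner"] != want["owner"]:
            findings.append(f"{path}: owner is {got['owner']}, expected {want['owner']}")
        if "mode" in want and got["mode"] != want["mode"]:
            findings.append(f"{path}: mode is {got['mode']}, expected {want['mode']}")
    return findings


def missing_privileges(editrights_output, required=REQUIRED_PRIVILEGES):
    """Required privileges that do not appear in `editrights -l -u <account>` output."""
    held = {line.strip() for line in editrights_output.splitlines() if line.strip()}
    return sorted(required - held)


# Constructed sample listing that matches what the script sets.
SAMPLE_LS_OK = """\
-rw-r--r-- 1 domain_account Administrators 3584 Jul 26 20:51 /etc/sshd_config
drwxr-xr-x 1 Administrators  Administrators    0 Jul 26 20:50 /var
drwxr-xr-x 1 domain_account Administrators    0 Jul 26 20:50 /var/empty
-rw-rw-r-- 1 domain_account Administrators  812 Jul 26 20:55 /var/log/sshd.log
"""

# Constructed: wrong owner on sshd_config, world-writable privsep dir, no log file.
SAMPLE_LS_BROKEN = """\
-rw-r--r-- 1 other_account  root           3679 Jul 24 12:44 /etc/sshd_config
drwxr-xr-x 1 Administrators  Administrators    0 Jul 24 12:40 /var
drwxrwxrwx 1 domain_account Administrators    0 Jul 24 12:40 /var/empty
"""

# Constructed `editrights -l -u domain_account` output with one privilege missing.
SAMPLE_EDITRIGHTS = """\
SeServiceLogonRight
SeTcbPrivilege
SeCreateTokenPrivilege
"""

if __name__ == "__main__":
    for name, listing in (("ok", SAMPLE_LS_OK), ("broken", SAMPLE_LS_BROKEN)):
        print(name, audit_files(listing) or ["no findings"])
    print("missing privileges:", missing_privileges(SAMPLE_EDITRIGHTS))
```

A world-writable /var/empty is worth catching on its own: it is the privilege-separation chroot directory, and sshd rejects it (or refuses to start) when it is writable by anyone but its owner.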



Re: Problems with ssh connection

2015-08-19 Thread Jarek C .



The permissions on the box that works were a false route, as I found 
another folder with Cygwin in the root of C:, probably some old install. 
The Cygwin service, however, points to the one I installed, and when a 
non-admin user connects via sftp that's where they go. Interestingly, the 
user I spoke to when testing isn't even listed in the passwd file, which 
is indeed how it's supposed to work. For a test I enabled debugging on 
both a non-working server and the reference server with sshd.exe -ddd, and here 
are the results:


sshd_BAD

$ /usr/sbin/sshd.exe -ddd
debug2: load_server_config: filename /etc/sshd_config
debug2: load_server_config: done config len = 310
debug2: parse_server_config: config /etc/sshd_config len 310
debug3: /etc/sshd_config:54 setting AuthorizedKeysFile .ssh/authorized_keys
debug3: /etc/sshd_config:110 setting UsePrivilegeSeparation yes
debug3: /etc/sshd_config:126 setting Subsystem sftp /usr/sbin/sftp-server
debug3: /etc/sshd_config:134 setting KexAlgorithms diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1
debug3: kex names ok: [diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1]
debug1: sshd version OpenSSH_6.8, OpenSSL 1.0.2c 12 Jun 2015
debug1: private host key #0: ssh-rsa SHA256:cyhqUDzDQqpRdUnq9LM9gsrF1lAps77z8T+6XGzUoPM
debug1: private host key #1: ssh-dss SHA256:TvdQxsRU4heg4GJzMb02F6UNylL08eLcz70ds841a0o
debug1: private host key #2: ecdsa-sha2-nistp256 SHA256:/Snnl/4giq+ll/tCefiA1JovnP3blcjChmQ0WS74S6M
debug1: private host key #3: ssh-ed25519 SHA256:gpGLcdqxU+D+gZiTp1Je5GRSfoEwFhw2k2zWLIHe5zE
debug1: rexec_argv[0]='/usr/sbin/sshd'
debug1: rexec_argv[1]='-ddd'
debug2: fd 3 setting O_NONBLOCK
debug3: sock_set_v6only: set socket 3 IPV6_V6ONLY
debug1: Bind to port 22 on ::.
Server listening on :: port 22.
debug2: fd 4 setting O_NONBLOCK
debug1: Bind to port 22 on 0.0.0.0.
Server listening on 0.0.0.0 port 22.
debug1: fd 5 clearing O_NONBLOCK
debug1: Server will not fork when running in debugging mode.
debug3: send_rexec_state: entering fd = 8 config len 310
debug3: ssh_msg_send: type 0
debug3: send_rexec_state: done
debug1: rexec start in 5 out 5 newsock 5 pipe -1 sock 8
debug1: inetd sockets after dupping: 3, 3
Connection from Client_IP port 58319 on 159.156.122.40 port 22
debug1: Client protocol version 2.0; client software version WinSCP_release_4.1.9
debug1: no match: WinSCP_release_4.1.9
debug1: Enabling compatibility mode for protocol 2.0
debug
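The trace above stops before the client authenticates, so it does not show why the logon fails, but the startup lines already carry facts worth checking: which sshd_config was parsed (relevant given the second Cygwin tree the poster found), which host keys were loaded, and that the KexAlgorithms line at config line 134 pins the server to two SHA-1 key exchanges, one of them the 1024-bit group1. The parser below is an added example, not code from this thread or from OpenSSH; SAMPLE_LOG is the start of the posted trace with the archive's line wrapping repaired, and the legacy-algorithm rules are mine.

```python
"""Summarise an `sshd -ddd` startup trace and flag legacy algorithms.

Added example, not from the thread or from OpenSSH. It reads the debug lines
sshd prints before a client authenticates: the config file and what it set,
the host keys loaded, the server version and the client banner.
"""
import re

SETTING_RE = re.compile(r"^debug3: (?P<file>\S+?):(?P<line>\d+) setting (?P<key>\S+) (?P<value>.*)$")
HOSTKEY_RE = re.compile(r"^debug1: private host key #\d+: (?P<type>\S+) (?P<fp>SHA256:\S+)$")
VERSION_RE = re.compile(r"^debug1: sshd version (?P<ver>\S+), OpenSSL (?P<ossl>.*)$")
CLIENT_RE = re.compile(r"^debug1: Client protocol version (?P<proto>\S+); client software version (?P<sw>.*)$")


def weak_kex(algorithms):
    """(algorithm, reason) for each KEX method that is SHA-1 based or uses the
    1024-bit group1 modulus. group1-sha1 (like ssh-dss) has been disabled by
    default since OpenSSH 7.0; the other SHA-1 methods are legacy."""
    findings = []
    for alg in algorithms:
        reasons = []
        if alg.endswith("-sha1"):
            reasons.append("SHA-1 based")
        if "-group1-" in alg:
            reasons.append("1024-bit modulus")
        if reasons:
            findings.append((alg, ", ".join(reasons)))
    return findings


def analyze(log_text):
    """Extract the startup facts from a trace and derive findings from them."""
    report = {"config": None, "settings": {}, "host_keys": [],
              "sshd_version": None, "client": None, "findings": []}
    for line in log_text.splitlines():
        line = line.strip()
        if m := SETTING_RE.match(line):
            report["config"] = m["file"]
            report["settings"][m["key"]] = (int(m["line"]), m["value"])
        elif m := HOSTKEY_RE.match(line):
            report["host_keys"].append((m["type"], m["fp"]))
        elif m := VERSION_RE.match(line):
            report["sshd_version"] = m["ver"]
        elif m := CLIENT_RE.match(line):
            report["client"] = (m["proto"], m["sw"])

    kex = report["settings"].get("KexAlgorithms")
    if kex:
        lineno, value = kex
        for alg, why in weak_kex(value.split(",")):
            report["findings"].append(f"KexAlgorithms (config line {lineno}): {alg} is {why}")
    for ktype, fp in report["host_keys"]:
        if ktype == "ssh-dss":
            report["findings"].append(
                f"host key {fp} is ssh-dss (1024-bit DSA); refused by default since OpenSSH 7.0")
    return report


# Start of the trace posted above, with the archive's line wrapping repaired.
SAMPLE_LOG = """\
$ /usr/sbin/sshd.exe -ddd
debug2: load_server_config: filename /etc/sshd_config
debug2: load_server_config: done config len = 310
debug2: parse_server_config: config /etc/sshd_config len 310
debug3: /etc/sshd_config:54 setting AuthorizedKeysFile .ssh/authorized_keys
debug3: /etc/sshd_config:110 setting UsePrivilegeSeparation yes
debug3: /etc/sshd_config:126 setting Subsystem sftp /usr/sbin/sftp-server
debug3: /etc/sshd_config:134 setting KexAlgorithms diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1
debug3: kex names ok: [diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1]
debug1: sshd version OpenSSH_6.8, OpenSSL 1.0.2c 12 Jun 2015
debug1: private host key #0: ssh-rsa SHA256:cyhqUDzDQqpRdUnq9LM9gsrF1lAps77z8T+6XGzUoPM
debug1: private host key #1: ssh-dss SHA256:TvdQxsRU4heg4GJzMb02F6UNylL08eLcz70ds841a0o
debug1: private host key #2: ecdsa-sha2-nistp256 SHA256:/Snnl/4giq+ll/tCefiA1JovnP3blcjChmQ0WS74S6M
debug1: private host key #3: ssh-ed25519 SHA256:gpGLcdqxU+D+gZiTp1Je5GRSfoEwFhw2k2zWLIHe5zE
Server listening on 0.0.0.0 port 22.
Connection from Client_IP port 58319 on 159.156.122.40 port 22
debug1: Client protocol version 2.0; client software version WinSCP_release_4.1.9
debug1: no match: WinSCP_release_4.1.9
debug1: Enabling compatibility mode for protocol 2.0
"""

if __name__ == "__main__":
    r = analyze(SAMPLE_LOG)
    print(r["config"], r["sshd_version"], r["client"])
    for f in r["findings"]:
        print("-", f)
```

Run `sshd -ddd 2>&1 | tee trace.log` and feed the file to analyze(). Removing the explicit KexAlgorithms line lets the server use its defaults, and the ssh-dss host key is only worth keeping if some client genuinely cannot use the RSA, ECDSA or Ed25519 keys that are already loaded.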

Re: Problems with ssh connection

2015-09-02 Thread Jarek C .
Looks like I hit a wall with this problem. I would appreciate it if someone 
could help out with this issue.




sshd and smart card support

2015-09-27 Thread Jarek C .
After a lot of struggling to get sshd to work with regular 
domain accounts, I found an alternative bit of software which I then installed 
for a test. After a failed test, looking through the logs of that ssh 
server I found an interesting piece of information possibly explaining 
why it wouldn't work with my initial setup. It turned out that all the 
domain accounts I used for testing have a requirement associated with 
the account's AD object to use smart cards for logon purposes. I have never 
seen this mentioned in Cygwin sshd logs as a reason for a failed 
connection, only a statement that the logon name or password was 
incorrect. I don't suppose there is a workaround, but maybe it is something 
worth implementing in the sshd logs to cover this sort of scenario, as 
likely no one was expecting this to be causing access problems.


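The last message found the real cause outside sshd: the test accounts were marked in AD as requiring smart card logon, and password authentication against such an account fails with nothing more than a bad-credentials message. That requirement is a bit in the account's userAccountControl attribute (ADS_UF_SMARTCARD_REQUIRED, 0x40000), so it can be checked before any sshd debugging. The helper below is an added example, not code from this thread or from Cygwin/OpenSSH: it decodes userAccountControl values, names the flags that rule out password logon, and reads those values for several accounts out of `ldapsearch -LLL` output. SAMPLE_LDIF is constructed; the DNs and account names in it are placeholders.

```python
"""Check whether domain accounts can log on with a password at all
(added example, not from the thread).

Input is LDIF as printed by e.g.
  ldapsearch -LLL -b <base DN> "(sAMAccountName=<user>)" sAMAccountName userAccountControl
"""

# ADS_USER_FLAG bits stored in userAccountControl (only the ones used here).
UAC_FLAGS = {
    0x0002: "ACCOUNTDISABLE",
    0x0020: "PASSWD_NOTREQD",
    0x0200: "NORMAL_ACCOUNT",
    0x10000: "DONT_EXPIRE_PASSWORD",
    0x40000: "SMARTCARD_REQUIRED",
    0x80000: "TRUSTED_FOR_DELEGATION",
    0x400000: "DONT_REQUIRE_PREAUTH",
}

# Flags that make password logon impossible whatever password is supplied.
# Lockout and password expiry are deliberately absent: AD exposes those through
# msDS-User-Account-Control-Computed, not through userAccountControl.
PASSWORD_LOGON_BLOCKERS = ("ACCOUNTDISABLE", "SMARTCARD_REQUIRED")


def decode_uac(value):
    """Names of the known flags set in a userAccountControl value, lowest bit first."""
    return [name for bit, name in sorted(UAC_FLAGS.items()) if value & bit]


def password_logon_blockers(value):
    """Subset of the decoded flags that rule out password authentication."""
    return [f for f in decode_uac(value) if f in PASSWORD_LOGON_BLOCKERS]


def parse_ldif(text):
    """Map sAMAccountName -> userAccountControl (int) for each LDIF entry.

    Entries are separated by blank lines; only the two attributes are read,
    and base64 ("::") values are not needed for an integer attribute.
    """
    accounts, current = {}, {}
    for raw in text.splitlines() + [""]:
        line = raw.strip()
        if not line:
            if "sAMAccountName" in current and "userAccountControl" in current:
                accounts[current["sAMAccountName"]] = int(current["userAccountControl"])
            current = {}
            continue
        attr, _, val = line.partition(":")
        current[attr.strip()] = val.strip()
    return accounts


def check_accounts(ldif_text):
    """sAMAccountName -> flags blocking password logon (empty list means none)."""
    return {name: password_logon_blockers(uac) for name, uac in parse_ldif(ldif_text).items()}


# Constructed LDIF: a smart-card-only user (512 + 0x40000), a normal service
# account with a non-expiring password (512 + 0x10000), and a disabled user (512 + 2).
SAMPLE_LDIF = """\
dn: CN=Test User,OU=Users,DC=example,DC=com
sAMAccountName: testuser
userAccountControl: 262656

dn: CN=sshd service,OU=Service Accounts,DC=example,DC=com
sAMAccountName: svc_sshd
userAccountControl: 66048

dn: CN=Old User,OU=Users,DC=example,DC=com
sAMAccountName: olduser
userAccountControl: 514
"""

if __name__ == "__main__":
    for name, blockers in check_accounts(SAMPLE_LDIF).items():
        print(f"{name}: {', '.join(blockers) or 'password logon possible'}")
```

The same answer is available from PowerShell with `Get-ADUser <user> -Properties SmartcardLogonRequired`; either way, an account that reports SMARTCARD_REQUIRED will never pass sshd's password authentication, and the server-side log will not say why.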