public inbox for cygwin@cygwin.com
* sshd not doing key based authentication
@ 2012-04-04  8:36 Rurik Christiansen
  2012-04-04 11:34 ` Andrey Repin
  0 siblings, 1 reply; 9+ messages in thread
From: Rurik Christiansen @ 2012-04-04  8:36 UTC (permalink / raw)
  To: cygwin

Hello,

 I'm trying to make sshd to do key based authentication.

I am guessing that is probably a problem of permissions but can't figure
it out.

All I found was this email:
http://cygwin.com/ml/cygwin/2008-11/msg00212.html
which basically says RTFM

Well, I did RTFM, I followed the instructions. all looks OK as far as I
can see but still no go.

Any better suggestions much appreciated.

(running on Windows 7)

Thanks.

Regards.

-- 
Nihil verus. Omnia possibilis.


--
Problem reports:       http://cygwin.com/problems.html
FAQ:                   http://cygwin.com/faq/
Documentation:         http://cygwin.com/docs.html
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple


* Re: sshd not doing key based authentication
  2012-04-04  8:36 sshd not doing key based authentication Rurik Christiansen
@ 2012-04-04 11:34 ` Andrey Repin
  2012-04-04 13:30   ` David Sastre Medina
  0 siblings, 1 reply; 9+ messages in thread
From: Andrey Repin @ 2012-04-04 11:34 UTC (permalink / raw)
  To: Rurik Christiansen, cygwin

Greetings, Rurik Christiansen!

>  I'm trying to make sshd to do key based authentication.

> I am guessing that is probably a problem of permissions but can't figure
> it out.

> All I found was this email:
> http://cygwin.com/ml/cygwin/2008-11/msg00212.html
> which basically says RTFM

> Well, I did RTFM, I followed the instructions. all looks OK as far as I
> can see but still no go.

> Any better suggestions much appreciated.

Read logs on both sides, of course.
The most common issue is access rights on key files.

> (running on Windows 7)


--
WBR,
Andrey Repin (anrdaemon@freemail.ru) 04.04.2012, <15:25>

Sorry for my terrible english...



* Re: sshd not doing key based authentication
  2012-04-04 11:34 ` Andrey Repin
@ 2012-04-04 13:30   ` David Sastre Medina
  2012-04-05  5:18     ` Rurik Christiansen
       [not found]     ` <4F7D2B6D.8070306@gmail.com>
  0 siblings, 2 replies; 9+ messages in thread
From: David Sastre Medina @ 2012-04-04 13:30 UTC (permalink / raw)
  To: cygwin

On Wed, Apr 04, 2012 at 03:26:39PM +0400, Andrey Repin wrote:
> Greetings, Rurik Christiansen!
> > I'm trying to make sshd to do key based authentication.
> > I am guessing that is probably a problem of permissions but can't figure
> > it out.
> > All I found was this email:
> > http://cygwin.com/ml/cygwin/2008-11/msg00212.html
> > which basically says RTFM
> > Well, I did RTFM, I followed the instructions. all looks OK as far as I
> > can see but still no go.
> 
> Read logs on both sides, of course.
> The most common issue is access rights on key files.

Check for PubkeyAuthentication, StrictModes, AllowUsers, AllowGroups, 
AuthorizedKeysFile in the server side (whether they exist and how they are 
defined), read the manpage for detailed info on these options
(sshd_config(5)).
Try setting LogLevel to DEBUG.
Provide a 'ssh -vvv user@host' test connection.
You don't give enough info to figure out what the problem might be.

-- 
Primary key fingerprint: AD8F BDC0 5A2C FD5F A179  60E7 F79B AB04 5299 EC56
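
Added example, not part of the message above or of the thread: a shell function that reads the server-side keywords listed there out of an sshd_config file and reports the value that takes effect. The sample config and the names `sshd_effective`, `sshd_pubkey_report` and `write_sample_config` are constructed for illustration; Match blocks are not evaluated.

```shell
#!/bin/sh
# Added example: effective value of the sshd_config keywords relevant to
# public-key login. Per sshd_config(5) the first value obtained for a keyword
# is used and keywords are case-insensitive. Assumptions: "Keyword value"
# syntax only; parsing stops at the first Match line.

# sshd_effective FILE KEYWORD -> prints the value, or "(unset)"
sshd_effective() {
    awk -v want="$2" '
        /^[ \t]*#/ || /^[ \t]*$/ { next }     # comments and blank lines
        {
            key = tolower($1)
            if (key == "match") exit          # end of the global section
            if (key == tolower(want)) {
                $1 = ""; sub(/^[ \t]+/, "")   # keep only the argument(s)
                print; found = 1; exit
            }
        }
        END { if (!found) print "(unset)" }
    ' "$1"
}

# sshd_pubkey_report FILE -> one "keyword value" line per keyword
sshd_pubkey_report() {
    for k in PubkeyAuthentication StrictModes AllowUsers AllowGroups \
             AuthorizedKeysFile LogLevel; do
        printf '%-22s %s\n' "$k" "$(sshd_effective "$1" "$k")"
    done
}

# Constructed sample config (not from the thread): the lower-case duplicate
# comes first, so it silently disables public-key login for everyone.
write_sample_config() {
    cat > "$1" <<'EOF'
# constructed sample
pubkeyauthentication no
PubkeyAuthentication yes
StrictModes yes
AllowUsers alice bob
AuthorizedKeysFile .ssh/authorized_keys
Match User carol
    PubkeyAuthentication yes
EOF
}

cfg=$(mktemp)
write_sample_config "$cfg"
sshd_pubkey_report "$cfg"
rm -f "$cfg"
```

"(unset)" means sshd's built-in default applies. On a live server, `sshd -T` prints the effective configuration; the parser is for reading a config file offline.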


* Re: sshd not doing key based authentication
  2012-04-04 13:30   ` David Sastre Medina
@ 2012-04-05  5:18     ` Rurik Christiansen
  2012-04-05 22:50       ` Andrey Repin
       [not found]     ` <4F7D2B6D.8070306@gmail.com>
  1 sibling, 1 reply; 9+ messages in thread
From: Rurik Christiansen @ 2012-04-05  5:18 UTC (permalink / raw)
  To: cygwin

David and Andrey, thanks for your replies.

Yes I didn't provide enough details, David you are right. But ...

I was hoping more for some pointers to what the permissions must be and
then do the troubleshooting myself.

The "unix" side of permissions look ok.
I don't know what the windows side must be or if it matters.

The "ssh -vvv" (client side) has not been particularly helpful to me
when it comes to permissions.
and my understanding is that I can't run the sshd frontend without
screwing the permissions.

(the client sends the publickey packet and then jumps to next auth method)

Cheers.


On 4/04/2012 23:30, David Sastre Medina wrote:
> On Wed, Apr 04, 2012 at 03:26:39PM +0400, Andrey Repin wrote:
>> Greetings, Rurik Christiansen!
>>> I'm trying to make sshd to do key based authentication.
>>> I am guessing that is probably a problem of permissions but can't figure
>>> it out.
>>> All I found was this email:
>>> http://cygwin.com/ml/cygwin/2008-11/msg00212.html
>>> which basically says RTFM
>>> Well, I did RTFM, I followed the instructions. all looks OK as far as I
>>> can see but still no go.
>> Read logs on both sides, of course.
>> The most common issue is access rights on key files.
> Check for PubkeyAuthentication, StrictModes, AllowUsers, AllowGroups, 
> AuthorizedKeysFile in the server side (whether they exist and how they are 
> defined), read the manpage for detailed info on these options
> (sshd_config(5)).
> Try setting LogLevel to DEBUG.
> Provide a 'ssh -vvv user@host' test connection.
> You don't give enough info to figure out what the problem might be.
>

-- 
Nihil verus. Omnia possibilis.



* Re: sshd not doing key based authentication
       [not found]     ` <4F7D2B6D.8070306@gmail.com>
@ 2012-04-05 10:33       ` David Sastre Medina
  0 siblings, 0 replies; 9+ messages in thread
From: David Sastre Medina @ 2012-04-05 10:33 UTC (permalink / raw)
  To: cygwin

(replying to the list, sorry if it breaks the thread)

On Thu, Apr 05, 2012 at 03:19:41PM +1000, Rurik Christiansen wrote:
> I was hoping more for some pointers to what the permissions must be and
> then do the troubleshooting myself.
> The "unix" side of permissions look ok.
> I don't know what the windows side must be or if it matters.
> The "ssh -vvv" (client side) has not been particularly helpful to me
> when it comes to permissions.
> and my understanding is that I can't run the sshd frontend without
> screwing the permissions.
> (the client sends the publickey packet and then jumps to next auth method)

How did you set up the server? IIRC, ssh-host-config complains if it
finds wrong perms.
How do you start the service? Is there something in /var/log/sshd.log
(provided you are logging there, and not elsewhere via syslog-ng or
other means).
You could also delete the service and recreate it.

-- 
Primary key fingerprint: AD8F BDC0 5A2C FD5F A179  60E7 F79B AB04 5299 EC56


* Re: sshd not doing key based authentication
  2012-04-05  5:18     ` Rurik Christiansen
@ 2012-04-05 22:50       ` Andrey Repin
  2012-04-10  1:20         ` Rurik Christiansen
  0 siblings, 1 reply; 9+ messages in thread
From: Andrey Repin @ 2012-04-05 22:50 UTC (permalink / raw)
  To: Rurik Christiansen, cygwin

Greetings, Rurik Christiansen!

> The "ssh -vvv" (client side) has not been particularly helpful to me
> when it comes to permissions.

That's because the server will not disclose any potential vulnerabilities to
the client.

> and my understanding is that I can't run the sshd frontend without
> screwing the permissions.

I don't understand what you mean by this.

> (the client sends the publickey packet and then jumps to next auth method)

This looks exactly like wrong permissions on authorized_keys file, or
absence of it for particular user.

Also, please don't top-post.


--
WBR,
Andrey Repin (anrdaemon@freemail.ru) 06.04.2012, <02:42>

Sorry for my terrible english...
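
Added example, not part of the message above or of the thread: a shell check for the condition diagnosed there, namely an authorized_keys file (or its ~/.ssh directory, or the home directory) that is missing, owned by another user, or writable by group or others, which sshd refuses to use while StrictModes is enabled. The function names and the temporary fixture are constructed for illustration; it assumes GNU stat and the POSIX mode bits as Cygwin reports them.

```shell
#!/bin/sh
# Added example (not from the thread): flag the cases in which sshd, with
# StrictModes enabled, will not use authorized_keys: the file, ~/.ssh or the
# home directory missing, owned by someone else, or writable by group/others.
# Uses GNU stat (coreutils, as shipped with Cygwin).

# check_strictmodes HOME_DIR [UID] -> one line per finding; status 1 if any
check_strictmodes() {
    home=$1; uid=${2:-$(id -u)}; bad=0
    for p in "$home" "$home/.ssh" "$home/.ssh/authorized_keys"; do
        if [ ! -e "$p" ]; then
            echo "MISSING $p"; bad=1; continue
        fi
        owner=$(stat -c '%u' "$p")
        mode=$(stat -c '%a' "$p")
        # acceptable owners: uid 0 or the account being logged in to
        if [ "$owner" -ne 0 ] && [ "$owner" -ne "$uid" ]; then
            echo "OWNER $p uid=$owner expected=$uid"; bad=1
        fi
        # 022 octal = group-write | other-write
        if [ $(( 0$mode & 022 )) -ne 0 ]; then
            echo "MODE $p $mode"; bad=1
        fi
    done
    return $bad
}

# make_fixture DIR MODE -> constructed home tree, authorized_keys at MODE
make_fixture() {
    mkdir -p "$1/.ssh"
    chmod 755 "$1"; chmod 700 "$1/.ssh"
    : > "$1/.ssh/authorized_keys"
    chmod "$2" "$1/.ssh/authorized_keys"
}

demo=$(mktemp -d)
make_fixture "$demo" 664                 # group-writable key file
check_strictmodes "$demo" || echo "-> sshd would not use this key file"
chmod 600 "$demo/.ssh/authorized_keys"
check_strictmodes "$demo" && echo "-> ownership and modes acceptable"
rm -rf "$demo"
```

Run it on the server against the home directory of the account that fails to log in, for example `check_strictmodes "$HOME"`.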



* Re: sshd not doing key based authentication
  2012-04-05 22:50       ` Andrey Repin
@ 2012-04-10  1:20         ` Rurik Christiansen
  2012-04-10 14:03           ` Thorsten Kampe
  0 siblings, 1 reply; 9+ messages in thread
From: Rurik Christiansen @ 2012-04-10  1:20 UTC (permalink / raw)
  To: Andrey Repin



On 6/04/2012 08:44, Andrey Repin wrote:
> Greetings, Rurik Christiansen!

[...]

>> and my understanding is that I can't run the sshd frontend without
>> screwing the permissions.
> I don't understand what you mean by this.

From an earlier mail on this list:

http://cygwin.com/ml/cygwin/2008-11/msg00212.html

I cite:

"Ugh!  This suggests that you have not read OpenSSH readme in
/usr/share/doc/Cygwin.  You can't do this without screwing up all
the permissions on various directories and files that SSH checks
the permissions of."



>> (the client sends the publickey packet and then jumps to next auth method)
> This looks exactly like wrong permissions on authorized_keys file, or
> absence of it for particular user.

"Palm slap over forehead" :) ... Yes that was it.

> Also, please don't top-post.

Sorry, sometimes I forget to switch contexts :)

All the best and thanks

-- 
Nihil verus. Omnia possibilis.



* Re: sshd not doing key based authentication
  2012-04-10  1:20         ` Rurik Christiansen
@ 2012-04-10 14:03           ` Thorsten Kampe
  2012-04-10 16:51             ` Larry Hall (Cygwin)
  0 siblings, 1 reply; 9+ messages in thread
From: Thorsten Kampe @ 2012-04-10 14:03 UTC (permalink / raw)
  To: cygwin

* Rurik Christiansen (Tue, 10 Apr 2012 11:23:04 +1000)
> On 6/04/2012 08:44, Andrey Repin wrote:
> > Greetings, Rurik Christiansen!
> 
> [...]
> 
> >> and my understanding is that I can't run the sshd frontend without
> >> screwing the permissions.
> > I don't understand what you mean by this.
> 
> From an earlier mail on this list:
> 
> http://cygwin.com/ml/cygwin/2008-11/msg00212.html
> 
> I cite:
> 
> "Ugh!  This suggests that you have not read OpenSSH readme in
> /usr/share/doc/Cygwin.  You can't do this without screwing up all
> the permissions on various directories and files that SSH checks
> the permissions of."

Nonsense. sshd doesn't change or "screw up" any permissions. I've been 
running sshd as user or sshd via xinetd run as user for the last seven 
years on my workstation and never had no problem. Of course I can only 
login as myself but that's expected.

Thorsten



* Re: sshd not doing key based authentication
  2012-04-10 14:03           ` Thorsten Kampe
@ 2012-04-10 16:51             ` Larry Hall (Cygwin)
  0 siblings, 0 replies; 9+ messages in thread
From: Larry Hall (Cygwin) @ 2012-04-10 16:51 UTC (permalink / raw)
  To: cygwin

On 4/10/2012 10:02 AM, Thorsten Kampe wrote:
> * Rurik Christiansen (Tue, 10 Apr 2012 11:23:04 +1000)
>> On 6/04/2012 08:44, Andrey Repin wrote:
>>> Greetings, Rurik Christiansen!
>>
>> [...]
>>
>>>> and my understanding is that I can't run the sshd frontend without
>>>> screwing the permissions.
>>> I don't understand what you mean by this.
>>
>>  From an earlier mail on this list:
>>
>> http://cygwin.com/ml/cygwin/2008-11/msg00212.html
>>
>> I cite:
>>
>> "Ugh!  This suggests that you have not read OpenSSH readme in
>> /usr/share/doc/Cygwin.  You can't do this without screwing up all
>> the permissions on various directories and files that SSH checks
>> the permissions of."
>
> Nonsense. sshd doesn't change or "screw up" any permissions. I've been
> running sshd as user or sshd via xinetd run as user for the last seven
> years on my workstation and never had no problem. Of course I can only
> login as myself but that's expected.

And that's exactly the point of the referenced thread.  If you know how
to do what you've done and what the limitations are, then you can make
things work within these limitations.  For those that don't know all these
little details and limitations and just want to get sshd running in a
general, non-restrictive way, using the provided configure scripts is the
way to go and the Cygwin readme for OpenSSH is the right place to look for
details about these scripts and how to run them.  And more importantly,
unless you use these resources, it's assumed you know what you're doing
and that you don't need this list's help if you run into problems.  Just
to button up this thread for whoever may be reading it in the future,
if the previous statement doesn't describe you, don't try to initially
hand configure your OpenSSH installation and don't run sshd from the
command line unless you know what you are doing.

-- 
Larry

_____________________________________________________________________

A: Yes.
 > Q: Are you sure?
 >> A: Because it reverses the logical flow of conversation.
 >>> Q: Why is top posting annoying in email?
