public inbox for cygwin@cygwin.com
* Re:  Sshd behaving strangely...
@ 2015-09-07 12:46 Zdzislaw Meglicki
  0 siblings, 0 replies; 5+ messages in thread
From: Zdzislaw Meglicki @ 2015-09-07 12:46 UTC (permalink / raw)
  To: cygwin

>> Please teach your mail agent to not break threading.

Sorry for this. Yes, this particular mailer is really bad,
I'll have to re-register with the Cygwin mail list from 
a better one.

>> This is a different issue, judging from the error message. 
>> [...]
>> A verbose log of the same connection from both server 
>> and client may help. 

I've attempted a connection from another account on the machine
from which I could not do so previously, with ssh -v and...
it worked! I made a successful connection. So, then I went
back to the account from which I could not connect, ran ssh -v
and I got the following:

[...]
debug1: Offering RSA public key: /home/[user_name]/.ssh/id_rsa
Connection closed by [ip_number]

Aha! So it's my old RSA key that's the culprit here. I removed
it and this time the connection worked just fine! 

In summary, it appears that it all works as it ought to right
out of the box. I configured sshd on the target machine with
the "-y" option, which, I presume, builds a default server
configuration.

My only suggestion would be that, if the connection is refused,
the reason for refusal should perhaps be printed back to the
user, even without the -v option.

Many thanks for your help. 

Zdzislaw (Gustav) Meglicki
Indiana University


-- 

--
Problem reports:       http://cygwin.com/problems.html
FAQ:                   http://cygwin.com/faq/
Documentation:         http://cygwin.com/docs.html
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple


* Re: Sshd behaving strangely...
  2015-09-06 15:46 Zdzislaw Meglicki
@ 2015-09-06 21:50 ` Andrey Repin
  0 siblings, 0 replies; 5+ messages in thread
From: Andrey Repin @ 2015-09-06 21:50 UTC (permalink / raw)
  To: Zdzislaw Meglicki, cygwin

Greetings, Zdzislaw Meglicki!

Please teach your mail agent to not break threading. Thank you in advance.

>> OpenSSH 7.0 (and thus the current 7.1) deprecated a couple
>> of old and insecure ciphers.  Probably that's the reason.

> Well, what I mean is that it is strange that sshd-7.1p1-1 accepts
> a connection from ssh-3.9p1, upon announcing that the "key type ssh-dss
> [is] not in PubkeyAcceptedKeyTypes," and lets the user in having accepted
> the password,

The likely explanation is that you've tried to connect using a private DSA key,
which the server rejected, subsequently asking for a password.

> yet rejects connection from ssh-6.8p1-1 not even allowing
> for the presentation of a password, and claims that "seteuid operation
> [is] not permitted." 

This is a different issue, judging from the error message.
Without more data from both sides it is impossible to tell for certain what's
going on.
A verbose log of the same connection from both server and client may help.

> Why was the operation permitted when the key was not in
> PubkeyAcceptedKeyTypes?

> This seems to me to be a security bug.

More like you are not telling us a whole story.

> And I still wonder how to configure sshd to allow normal connections
> with accepted key types, any documentation out there that would help?

Sorry, what? It does work like that out of the box.


-- 
With best regards,
Andrey Repin
Monday, September 7, 2015 00:33:31

Sorry for my terrible english...



* Re: Sshd behaving strangely...
@ 2015-09-06 15:46 Zdzislaw Meglicki
  2015-09-06 21:50 ` Andrey Repin
  0 siblings, 1 reply; 5+ messages in thread
From: Zdzislaw Meglicki @ 2015-09-06 15:46 UTC (permalink / raw)
  To: cygwin

> OpenSSH 7.0 (and thus the current 7.1) deprecated a couple
> of old and insecure ciphers.  Probably that's the reason.

Well, what I mean is that it is strange that sshd-7.1p1-1 accepts
a connection from ssh-3.9p1, upon announcing that the "key type ssh-dss
[is] not in PubkeyAcceptedKeyTypes," and lets the user in having accepted
the password, yet rejects connection from ssh-6.8p1-1 not even allowing
for the presentation of a password, and claims that "seteuid operation
[is] not permitted."

Why was the operation permitted when the key was not in
PubkeyAcceptedKeyTypes?

This seems to me to be a security bug.

And I still wonder how to configure sshd to allow normal connections
with accepted key types, any documentation out there that would help?

Zdzislaw (Gustav) Meglicki
Indiana University


* Re: Sshd behaving strangely...
  2015-09-05 21:03 Zdzislaw Meglicki
@ 2015-09-06 12:00 ` Corinna Vinschen
  0 siblings, 0 replies; 5+ messages in thread
From: Corinna Vinschen @ 2015-09-06 12:00 UTC (permalink / raw)
  To: cygwin

On Sep  5 21:03, Zdzislaw Meglicki wrote:
> Greetings,
> 
> I have installed Cygwin on a Windows 8.1 Enterprise workstation. 
> It is a most recent full download of the whole Cygwin suite (within
> a week or so). Here are the relevant numbers:
> Windows 8.1 Enterprise Ver 6.3 Build 9600 

OpenSSH 7.0 (and thus the current 7.1) deprecated a couple of old and
insecure ciphers.  Probably that's the reason.  Have a look at the
release announcement:

https://cygwin.com/ml/cygwin-announce/2015-08/msg00021.html


Corinna

-- 
Corinna Vinschen                  Please, send mails regarding Cygwin to
Cygwin Maintainer                 cygwin AT cygwin DOT com
Red Hat


* Sshd behaving strangely...
@ 2015-09-05 21:03 Zdzislaw Meglicki
  2015-09-06 12:00 ` Corinna Vinschen
  0 siblings, 1 reply; 5+ messages in thread
From: Zdzislaw Meglicki @ 2015-09-05 21:03 UTC (permalink / raw)
  To: cygwin

Greetings,

I have installed Cygwin on a Windows 8.1 Enterprise workstation. 
It is a most recent full download of the whole Cygwin suite (within
a week or so). Here are the relevant numbers:
Windows 8.1 Enterprise Ver 6.3 Build 9600 


[...]

Cygwin DLL version info: 
DLL version: 2.2.1 
DLL epoch: 19 
DLL old termios: 5 
DLL malloc env: 28 
Cygwin conv: 181 
API major: 0 
API minor: 289 
Shared data: 5 
DLL identifier: cygwin1 
Mount registry: 3 
Cygwin registry name: Cygwin 
Installations name: Installations 
Cygdrive default prefix: 
Build date: 
Shared id: cygwin1S5 


I don't provide a full dump at this stage, but I will if 
the discussion veers this way. The sshd package is:

openssh                                    7.1p1-1                          OK 
openssh-debuginfo                          7.1p1-1                          OK 

The workstation is slaved, security-wise, to the enterprise
Active Directory, but it has local accounts that are not.

I run sshd and exim using cygrunsrv on it thusly:

Service             : exim 
Description         : Mail Transfer Agent 
Current State       : Running 
Controls Accepted   : Stop 
Command             : /usr/bin/exim -bdf -q15m 

Service             : sshd 
Display name        : CYGWIN sshd 
Current State       : Running 
Controls Accepted   : Stop 
Command             : /usr/sbin/sshd -D -e 

Now about the weirdness... I can connect to this system from 
another machine that is on the same subnet, on the same desk
actually, that runs a very old version of Linux and a very old
version of ssh (version 3.9p1). The sshd daemon on the Windows 
machine does not let me make a connection using a passphrase, 
but I can make a connection using a password of the Windows 
user and this works just fine. The message that is printed on 
sshd.log when this happens looks as follows:

userauth_pubkey: key type ssh-dss not in PubkeyAcceptedKeyTypes [preauth] 
Accepted password for root from [IP number here] port 36014 ssh2 

However, when I try to make a connection from another machine that
runs Cygwin version 1.7.35 ssh version 6.8p1-1 the connection is rejected
and the following message is printed in sshd.log:

seteuid 1214318: Operation not permitted 

Now, I've checked the mailing list and I see that problems with sshd
configuration are not uncommon. This particular problem with "Operation
not permitted" was solved by David Koppenhofer by 
"asking the network admin to give 'Create a token object' to 
the service account."

So, this problem appears to be a feature, perhaps, rather than a bug.
But if this is so, then isn't the acceptance of the password and
successful login into the account from the ancient version of ssh
on the ancient Linux machine a... security bug?

General question: how to configure sshd on Windows 8.1 Enterprise slaved
to an Active Directory? Is there a document on-line somewhere that
outlines the steps? Also, are any ports other than 22 involved on the
sshd server machine?

Zdzislaw (Gustav) Meglicki
Indiana University
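As an added illustration (not code from this thread or from the Cygwin project), the following Python triage script reads sshd log lines in the format quoted above and separates the two things being conflated in this report: a deprecated key type being rejected and the client falling back to a password (a successful, password-authenticated login, not a bypass), versus the seteuid failure that aborts the session entirely. The sample log is constructed, and events are correlated by order only, because `sshd -D -e` output as quoted carries no pid.

```python
import re
from dataclasses import dataclass

# Constructed sample of `sshd -D -e` output, modelled on the lines quoted in the thread.
# Addresses are from the 192.0.2.0/24 documentation range; the fingerprint is a placeholder.
SAMPLE_LOG = """\
userauth_pubkey: key type ssh-dss not in PubkeyAcceptedKeyTypes [preauth]
Accepted password for root from 192.0.2.10 port 36014 ssh2
seteuid 1214318: Operation not permitted
Accepted publickey for alice from 192.0.2.11 port 40022 ssh2: RSA SHA256:PLACEHOLDER
"""

REJECTED_KEY = re.compile(r"key type (\S+) not in PubkeyAcceptedKeyTypes")
ACCEPTED = re.compile(r"Accepted (\w+) for (\S+) from (\S+) port (\d+)")
SETEUID = re.compile(r"seteuid (\d+): Operation not permitted")


@dataclass
class Finding:
    kind: str    # short category a SOC rule could key on
    detail: str  # human-readable context


def triage(log_text: str) -> list:
    """Classify sshd log lines; key rejections are held until the next auth outcome."""
    findings = []
    pending_rejects = []  # key types refused since the last Accepted line
    for line in log_text.splitlines():
        m = REJECTED_KEY.search(line)
        if m:
            pending_rejects.append(m.group(1))
            continue
        m = ACCEPTED.search(line)
        if m:
            method, user, host, port = m.groups()
            if method == "password" and pending_rejects:
                findings.append(Finding(
                    "deprecated-key-password-fallback",
                    f"{user}@{host}:{port} offered {','.join(pending_rejects)}, "
                    "then logged in with a password (legitimate if passwords are allowed)"))
            elif method == "password":
                findings.append(Finding("password-login", f"{user}@{host}:{port}"))
            pending_rejects = []  # outcome reached; start a fresh window
            continue
        m = SETEUID.search(line)
        if m:
            findings.append(Finding(
                "privsep-seteuid-failure",
                f"uid {m.group(1)}: sshd's service account lacks the rights to switch user"))
    return findings
```

Feeding real `sshd.log` content into `triage()` lists every password login that followed a refused key type, which is the signal to decide whether `PasswordAuthentication` should stay enabled on that host.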

