sshd and RSA Authentication

sshd and RSA Authentication

[Kim Lee]

Hi there,

if there is a step by step document specific to cygwin, sshd and
getting RSA authentication to work please point me to it..

Please read on anyway...

I'm having problems getting w2k server sshd to allow RSA login without
a password from another W2k Server box

Here are some detail:

I'm using latest (as of today) cygwin tools (ran the setup.exe and updated
from the internet)

/etc/passwd has...

Administrator::500:513:,S-1-5-21-3438086697-2421862272-1916658313-500:/home/Administrator:/bin/sh


This is the ssh client machine.


administrator@SHRIMP ~
$ ssh -v KRILL
SSH Version OpenSSH_2.3.0p1, protocol versions 1.5/2.0.
Compiled with SSL (0x0090581f).
debug: Seeding random number generator
debug: ssh_connect: getuid 500 geteuid 500 anon 0
debug: Connecting to KRILL [172.16.0.202] port 22.
debug: Seeding random number generator
debug: Allocated local port 946.
debug: Connection established.
debug: Remote protocol version 1.5, remote software version 1.2.26
debug: no match: 1.2.26
debug: Local version string SSH-1.5-OpenSSH_2.3.0p1
debug: Waiting for server public key.
debug: Received server public key (768 bits) and host key (1024 bits).
debug: Host 'krill' is known and matches the RSA host key.
debug: Seeding random number generator
debug: Encryption type: 3des
debug: Sent encrypted session key.
debug: Installing crc compensation attack detector.
debug: Received encrypted confirmation.
debug: Trying RSA authentication with key 'administrator@SHRIMP'
debug: Server refused our key.
debug: Doing password authentication.
administrator@krill's password:  <had to type password in>
debug: Requesting pty.
debug: Requesting shell.
debug: Entering interactive session.
Environment:
  HOME=/home/Administrator
  USER=administrator
  LOGNAME=administrator
  SHELL=/bin/sh
  SSH_CLIENT=172.16.0.201 946 22
  SSH_TTY=/dev/tty0
  TERM=cygwin

\[\033]0;\w\007
\033[32m\]\u@\h \[\033[33m\w\033[0m\]
$ exit
Connection to KRILL closed.
debug: Transferred: stdin 0, stdout 247, stderr 29 bytes in 5.8 seconds
debug: Bytes per second: stdin 0.0, stdout 42.8, stderr 5.0
debug: Exit status 1




Here's the server end.



administrator@KRILL ~
$ sshd -d
debug: sshd version 1.2.26 [i586-pc-cygwin32]
debug: Initializing random number generator; seed file ssh_random_seed
log: Server listening on port 22.
log: Generating 768 bit RSA key.
Generating p:  ..++ (distance 72)
Generating q:  ...................++ (distance 288)
Computing the keys...
Testing the keys...
Key generation complete.
log: RSA key generation complete.
debug: Server will not fork when running in debugging mode.
error: setsockopt IPTOS_LOWDELAY: Invalid argument
log: Connection from 172.16.0.201 port 946
debug: Client protocol version 1.5; client software version
OpenSSH_2.3.0p1
debug: Sent 768 bit public key and 1024 bit host key.
debug: Encryption type: 3des
debug: Received session key; encryption turned on.
debug: Installing crc compensation attack detector.
debug: Attempting authentication for administrator.
debug: RSA authentication for administrator failed.
log: Password authentication for administrator accepted.
debug: Allocating pty.
error: setsockopt IPTOS_LOWDELAY: Invalid argument
debug: Forking shell.
debug: Entering interactive session.
debug: Received SIGCHLD.
debug: End of interactive session; stdin 5, stdout (read 242, sent 242),
stderr
0 bytes.
debug: pty_cleanup_proc called
debug: Command exited with status 1.
debug: Received exit confirmation.
log: Closing connection to 172.16.0.201

what is IPTOS_LOWDELAY, there is a rather long pause (10 seconds +) after
the "connection is established" before the password prompt pops up.

Note: the cygwin ssh client to a unix box with RSA authentication (no
password)
works fine and there is no delay.

Another interesting thing is ssh client to a Windows 2000 Professional
(NOT
server) sshd doesn't have this delay but RSA authentication still doesn't
work.

What am I doing wrong? Any ideas or pointers? Thanks :)
-- 
Cheers
----------------------------------------------------------------------
Kim Lee                         Senior Engineer - Bulletproof Networks
ph: +61 (0) 416 212 025                 http://www.bulletproof.net.au/
                   "When failure is not an option"

--
Want to unsubscribe from this list?
Check out: http://cygwin.com/ml/#unsubscribe-simple

RE: sshd and RSA Authentication

[Kevin Wright]

Kim,

I have you looked in /usr/doc? Here's a list of files there:

bzip2-1.0.1.README      jbigkit-1.2.README      ncurses-5.2.README
vim-5.7.README
crypt.README            jpeg-6b.README          openssh-2.3.0p1.README
wget-1.6.README
cvs-1.11.0.README       libpng-1.0.9.README     perl-5.6.1.README
xpm-4.0.0.README
gdbm-1.8.0.README       login.README            readline-4.1.README
zip-2.3.README
gettext-0.10.35.README  mt.README               tiff-3.5.5.README
zlib-1.1.3.README
inetutils-1.3.2.README  ncftp-3.0.2.README      unzip-5.41.README

check out the files for login, inetutils, openssh to begin with. And if you
still have a problem. Search the mailing list:

http://cygwin.com/ml/cygwin/

--Kevin

> -----Original Message-----
> From: cygwin-owner@sources.redhat.com
> [ mailto:cygwin-owner@sources.redhat.com]On Behalf Of Kim Lee
> Sent: Sunday, February 18, 2001 6:25 PM
> To: cygwin@cygwin.com
> Subject: sshd and RSA Authentication
>
>
> Hi there,
>
> if there is a step by step document specific to cygwin, sshd and
> getting RSA authentication to work please point me to it..
>
> Please read on anyway...
>
> I'm having problems getting w2k server sshd to allow RSA login without
> a password from another W2k Server box
>
> Here are some detail:
>
> I'm using latest (as of today) cygwin tools (ran the setup.exe and updated
> from the internet)
>
> /etc/passwd has...
>
> Administrator::500:513:,S-1-5-21-3438086697-2421862272-1916658313-
> 500:/home/Administrator:/bin/sh
>
>
> This is the ssh client machine.
>
>
> administrator@SHRIMP ~
> $ ssh -v KRILL
> SSH Version OpenSSH_2.3.0p1, protocol versions 1.5/2.0.
> Compiled with SSL (0x0090581f).
> debug: Seeding random number generator
> debug: ssh_connect: getuid 500 geteuid 500 anon 0
> debug: Connecting to KRILL [172.16.0.202] port 22.
> debug: Seeding random number generator
> debug: Allocated local port 946.
> debug: Connection established.
> debug: Remote protocol version 1.5, remote software version 1.2.26
> debug: no match: 1.2.26
> debug: Local version string SSH-1.5-OpenSSH_2.3.0p1
> debug: Waiting for server public key.
> debug: Received server public key (768 bits) and host key (1024 bits).
> debug: Host 'krill' is known and matches the RSA host key.
> debug: Seeding random number generator
> debug: Encryption type: 3des
> debug: Sent encrypted session key.
> debug: Installing crc compensation attack detector.
> debug: Received encrypted confirmation.
> debug: Trying RSA authentication with key 'administrator@SHRIMP'
> debug: Server refused our key.
> debug: Doing password authentication.
> administrator@krill's password:  <had to type password in>
> debug: Requesting pty.
> debug: Requesting shell.
> debug: Entering interactive session.
> Environment:
>   HOME=/home/Administrator
>   USER=administrator
>   LOGNAME=administrator
>   SHELL=/bin/sh
>   SSH_CLIENT=172.16.0.201 946 22
>   SSH_TTY=/dev/tty0
>   TERM=cygwin
>
> \[\033]0;\w\007
> \033[32m\]\u@\h \[\033[33m\w\033[0m\]
> $ exit
> Connection to KRILL closed.
> debug: Transferred: stdin 0, stdout 247, stderr 29 bytes in 5.8 seconds
> debug: Bytes per second: stdin 0.0, stdout 42.8, stderr 5.0
> debug: Exit status 1
>
>
>
>
> Here's the server end.
>
>
>
> administrator@KRILL ~
> $ sshd -d
> debug: sshd version 1.2.26 [i586-pc-cygwin32]
> debug: Initializing random number generator; seed file ssh_random_seed
> log: Server listening on port 22.
> log: Generating 768 bit RSA key.
> Generating p:  ..++ (distance 72)
> Generating q:  ...................++ (distance 288)
> Computing the keys...
> Testing the keys...
> Key generation complete.
> log: RSA key generation complete.
> debug: Server will not fork when running in debugging mode.
> error: setsockopt IPTOS_LOWDELAY: Invalid argument
> log: Connection from 172.16.0.201 port 946
> debug: Client protocol version 1.5; client software version
> OpenSSH_2.3.0p1
> debug: Sent 768 bit public key and 1024 bit host key.
> debug: Encryption type: 3des
> debug: Received session key; encryption turned on.
> debug: Installing crc compensation attack detector.
> debug: Attempting authentication for administrator.
> debug: RSA authentication for administrator failed.
> log: Password authentication for administrator accepted.
> debug: Allocating pty.
> error: setsockopt IPTOS_LOWDELAY: Invalid argument
> debug: Forking shell.
> debug: Entering interactive session.
> debug: Received SIGCHLD.
> debug: End of interactive session; stdin 5, stdout (read 242, sent 242),
> stderr
> 0 bytes.
> debug: pty_cleanup_proc called
> debug: Command exited with status 1.
> debug: Received exit confirmation.
> log: Closing connection to 172.16.0.201
>
> what is IPTOS_LOWDELAY, there is a rather long pause (10 seconds +) after
> the "connection is established" before the password prompt pops up.
>
> Note: the cygwin ssh client to a unix box with RSA authentication (no
> password)
> works fine and there is no delay.
>
> Another interesting thing is ssh client to a Windows 2000 Professional
> (NOT
> server) sshd doesn't have this delay but RSA authentication still doesn't
> work.
>
> What am I doing wrong? Any ideas or pointers? Thanks :)
> --
> Cheers
> ----------------------------------------------------------------------
> Kim Lee                         Senior Engineer - Bulletproof Networks
> ph: +61 (0) 416 212 025                 http://www.bulletproof.net.au/
>                    "When failure is not an option"
>
> --
> Want to unsubscribe from this list?
> Check out: http://cygwin.com/ml/#unsubscribe-simple
>
>


--
Want to unsubscribe from this list?
Check out: http://cygwin.com/ml/#unsubscribe-simple

Re: sshd and RSA Authentication

[Kim Lee]

Kevin Wright wrote:
> 
> Kim,
> 
> I have you looked in /usr/doc? Here's a list of files there:
> 
> bzip2-1.0.1.README      jbigkit-1.2.README      ncurses-5.2.README
> vim-5.7.README
> crypt.README            jpeg-6b.README          openssh-2.3.0p1.README
> wget-1.6.README
> cvs-1.11.0.README       libpng-1.0.9.README     perl-5.6.1.README
> xpm-4.0.0.README
> gdbm-1.8.0.README       login.README            readline-4.1.README
> zip-2.3.README
> gettext-0.10.35.README  mt.README               tiff-3.5.5.README
> zlib-1.1.3.README
> inetutils-1.3.2.README  ncftp-3.0.2.README      unzip-5.41.README
> 
> check out the files for login, inetutils, openssh to begin with. And if you
> still have a problem. Search the mailing list:
> 
> http://cygwin.com/ml/cygwin/

Hi Kevin,

Actually I did... 

BUT

<red faced>
I was running an old version of sshd.exe in \winnt but I can't explain
why on earth typing in sshd -d called the old version when it was in
\d\winnt ie not in the path

This will teach me to use full paths where possible when testing!
</red faced>

Thanks! :)

> --Kevin
> 
> > -----Original Message-----
> > From: cygwin-owner@sources.redhat.com
> > [ mailto:cygwin-owner@sources.redhat.com]On Behalf Of Kim Lee
> > Sent: Sunday, February 18, 2001 6:25 PM
> > To: cygwin@cygwin.com
> > Subject: sshd and RSA Authentication
> >
> >
> > Hi there,
> >
> > if there is a step by step document specific to cygwin, sshd and
> > getting RSA authentication to work please point me to it..
> >
> > Please read on anyway...
> >
> > I'm having problems getting w2k server sshd to allow RSA login without
> > a password from another W2k Server box
> >
> > Here are some detail:
> >
> > I'm using latest (as of today) cygwin tools (ran the setup.exe and updated
> > from the internet)
> >
> > /etc/passwd has...
> >
> > Administrator::500:513:,S-1-5-21-3438086697-2421862272-1916658313-
> > 500:/home/Administrator:/bin/sh
> >
> >
> > This is the ssh client machine.
> >
> >
> > administrator@SHRIMP ~
> > $ ssh -v KRILL
> > SSH Version OpenSSH_2.3.0p1, protocol versions 1.5/2.0.
> > Compiled with SSL (0x0090581f).
> > debug: Seeding random number generator
> > debug: ssh_connect: getuid 500 geteuid 500 anon 0
> > debug: Connecting to KRILL [172.16.0.202] port 22.
> > debug: Seeding random number generator
> > debug: Allocated local port 946.
> > debug: Connection established.
> > debug: Remote protocol version 1.5, remote software version 1.2.26
> > debug: no match: 1.2.26
> > debug: Local version string SSH-1.5-OpenSSH_2.3.0p1
> > debug: Waiting for server public key.
> > debug: Received server public key (768 bits) and host key (1024 bits).
> > debug: Host 'krill' is known and matches the RSA host key.
> > debug: Seeding random number generator
> > debug: Encryption type: 3des
> > debug: Sent encrypted session key.
> > debug: Installing crc compensation attack detector.
> > debug: Received encrypted confirmation.
> > debug: Trying RSA authentication with key 'administrator@SHRIMP'
> > debug: Server refused our key.
> > debug: Doing password authentication.
> > administrator@krill's password:  <had to type password in>
> > debug: Requesting pty.
> > debug: Requesting shell.
> > debug: Entering interactive session.
> > Environment:
> >   HOME=/home/Administrator
> >   USER=administrator
> >   LOGNAME=administrator
> >   SHELL=/bin/sh
> >   SSH_CLIENT=172.16.0.201 946 22
> >   SSH_TTY=/dev/tty0
> >   TERM=cygwin
> >
> > \[\033]0;\w\007
> > \033[32m\]\u@\h \[\033[33m\w\033[0m\]
> > $ exit
> > Connection to KRILL closed.
> > debug: Transferred: stdin 0, stdout 247, stderr 29 bytes in 5.8 seconds
> > debug: Bytes per second: stdin 0.0, stdout 42.8, stderr 5.0
> > debug: Exit status 1
> >
> >
> >
> >
> > Here's the server end.
> >
> >
> >
> > administrator@KRILL ~
> > $ sshd -d
> > debug: sshd version 1.2.26 [i586-pc-cygwin32]
> > debug: Initializing random number generator; seed file ssh_random_seed
> > log: Server listening on port 22.
> > log: Generating 768 bit RSA key.
> > Generating p:  ..++ (distance 72)
> > Generating q:  ...................++ (distance 288)
> > Computing the keys...
> > Testing the keys...
> > Key generation complete.
> > log: RSA key generation complete.
> > debug: Server will not fork when running in debugging mode.
> > error: setsockopt IPTOS_LOWDELAY: Invalid argument
> > log: Connection from 172.16.0.201 port 946
> > debug: Client protocol version 1.5; client software version
> > OpenSSH_2.3.0p1
> > debug: Sent 768 bit public key and 1024 bit host key.
> > debug: Encryption type: 3des
> > debug: Received session key; encryption turned on.
> > debug: Installing crc compensation attack detector.
> > debug: Attempting authentication for administrator.
> > debug: RSA authentication for administrator failed.
> > log: Password authentication for administrator accepted.
> > debug: Allocating pty.
> > error: setsockopt IPTOS_LOWDELAY: Invalid argument
> > debug: Forking shell.
> > debug: Entering interactive session.
> > debug: Received SIGCHLD.
> > debug: End of interactive session; stdin 5, stdout (read 242, sent 242),
> > stderr
> > 0 bytes.
> > debug: pty_cleanup_proc called
> > debug: Command exited with status 1.
> > debug: Received exit confirmation.
> > log: Closing connection to 172.16.0.201
> >
> > what is IPTOS_LOWDELAY, there is a rather long pause (10 seconds +) after
> > the "connection is established" before the password prompt pops up.
> >
> > Note: the cygwin ssh client to a unix box with RSA authentication (no
> > password)
> > works fine and there is no delay.
> >
> > Another interesting thing is ssh client to a Windows 2000 Professional
> > (NOT
> > server) sshd doesn't have this delay but RSA authentication still doesn't
> > work.
> >
> > What am I doing wrong? Any ideas or pointers? Thanks :)
> > --
> > Cheers
> > ----------------------------------------------------------------------
> > Kim Lee                         Senior Engineer - Bulletproof Networks
> > ph: +61 (0) 416 212 025                 http://www.bulletproof.net.au/
> >                    "When failure is not an option"
> >
> > --
> > Want to unsubscribe from this list?
> > Check out: http://cygwin.com/ml/#unsubscribe-simple
> >
> >

-- 
Cheers
----------------------------------------------------------------------
Kim Lee                         Senior Engineer - Bulletproof Networks
ph: +61 (0) 416 212 025                 http://www.bulletproof.net.au/
                   "When failure is not an option"

--
Want to unsubscribe from this list?
Check out: http://cygwin.com/ml/#unsubscribe-simple

RE: sshd and RSA Authentication - General Troubleshooting

[Kevin Wright]

Dear Kim,

Another thing you can try is to run cygcheck. For example:

kwright@HOLSTEIN-MOBILE /usr/sbin
$ cygcheck sshd.exe
Found: .\sshd.exe
.\sshd.exe
  C:\WINNT\System32\cygwin1.dll
    C:\WINNT\System32\KERNEL32.dll
      C:\WINNT\System32\ntdll.dll

Running strace also can show what a program is doing. If you
know about these things already, please ignore this advise. 

Perhaps I should contribute an FAQ entry on general 
troubleshooting. A quick search through the FAQ didn't turn up a:
What to do when things don't work. or Troubleshooting tips. hmmm...

--Kevin

> -----Original Message-----
> From: Kim Lee [ mailto:kim@bulletproof.net.au ]
> Sent: Sunday, February 18, 2001 11:03 PM
> To: Kevin Wright
> Cc: cygwin@cygwin.com
> Subject: Re: sshd and RSA Authentication
> 
> 
> Kevin Wright wrote:
> > 
> > Kim,
> > 
> > I have you looked in /usr/doc? Here's a list of files there:
> > 
> > bzip2-1.0.1.README      jbigkit-1.2.README      ncurses-5.2.README
> > vim-5.7.README
> > crypt.README            jpeg-6b.README          openssh-2.3.0p1.README
> > wget-1.6.README
> > cvs-1.11.0.README       libpng-1.0.9.README     perl-5.6.1.README
> > xpm-4.0.0.README
> > gdbm-1.8.0.README       login.README            readline-4.1.README
> > zip-2.3.README
> > gettext-0.10.35.README  mt.README               tiff-3.5.5.README
> > zlib-1.1.3.README
> > inetutils-1.3.2.README  ncftp-3.0.2.README      unzip-5.41.README
> > 
> > check out the files for login, inetutils, openssh to begin 
> with. And if you
> > still have a problem. Search the mailing list:
> > 
> > http://cygwin.com/ml/cygwin/
> 
> Hi Kevin,
> 
> Actually I did... 
> 
> BUT
> 
> <red faced>
> I was running an old version of sshd.exe in \winnt but I can't explain
> why on earth typing in sshd -d called the old version when it was in
> \d\winnt ie not in the path
> 
> This will teach me to use full paths where possible when testing!
> </red faced>
> 
> Thanks! :)
> Cheers
> ----------------------------------------------------------------------
> Kim Lee                         Senior Engineer - Bulletproof Networks
> ph: +61 (0) 416 212 025                 http://www.bulletproof.net.au/
>                    "When failure is not an option"
> 

--
Want to unsubscribe from this list?
Check out: http://cygwin.com/ml/#unsubscribe-simple

Re: sshd and RSA Authentication - General Troubleshooting

[Kim Lee]

Kevin Wright wrote:
> 
> Dear Kim,
> 
> Another thing you can try is to run cygcheck. For example:
> 
> kwright@HOLSTEIN-MOBILE /usr/sbin
> $ cygcheck sshd.exe
> Found: .\sshd.exe
> .\sshd.exe
>   C:\WINNT\System32\cygwin1.dll
>     C:\WINNT\System32\KERNEL32.dll
>       C:\WINNT\System32\ntdll.dll
> 
> Running strace also can show what a program is doing. If you
> know about these things already, please ignore this advise.

I haven't used cygwin for long enough. I "assumed" that strace
didn't exist under cygwin. Stoopid me! 
 
> Perhaps I should contribute an FAQ entry on general
> troubleshooting. A quick search through the FAQ didn't turn up a:
> What to do when things don't work. or Troubleshooting tips. hmmm...

That would be a great idea. I think that might help with the support
load :) And silly questions like mine! Heh

ps: Running the latest version of sshd removed that weird delay too! Yay!

KL

> --Kevin
> 
> > -----Original Message-----
> > From: Kim Lee [ mailto:kim@bulletproof.net.au ]
> > Sent: Sunday, February 18, 2001 11:03 PM
> > To: Kevin Wright
> > Cc: cygwin@cygwin.com
> > Subject: Re: sshd and RSA Authentication
> >
> >
> > Kevin Wright wrote:
> > >
> > > Kim,
> > >
> > > I have you looked in /usr/doc? Here's a list of files there:
> > >
> > > bzip2-1.0.1.README      jbigkit-1.2.README      ncurses-5.2.README
> > > vim-5.7.README
> > > crypt.README            jpeg-6b.README          openssh-2.3.0p1.README
> > > wget-1.6.README
> > > cvs-1.11.0.README       libpng-1.0.9.README     perl-5.6.1.README
> > > xpm-4.0.0.README
> > > gdbm-1.8.0.README       login.README            readline-4.1.README
> > > zip-2.3.README
> > > gettext-0.10.35.README  mt.README               tiff-3.5.5.README
> > > zlib-1.1.3.README
> > > inetutils-1.3.2.README  ncftp-3.0.2.README      unzip-5.41.README
> > >
> > > check out the files for login, inetutils, openssh to begin
> > with. And if you
> > > still have a problem. Search the mailing list:
> > >
> > > http://cygwin.com/ml/cygwin/
> >
> > Hi Kevin,
> >
> > Actually I did...
> >
> > BUT
> >
> > <red faced>
> > I was running an old version of sshd.exe in \winnt but I can't explain
> > why on earth typing in sshd -d called the old version when it was in
> > \d\winnt ie not in the path
> >
> > This will teach me to use full paths where possible when testing!
> > </red faced>
> >
> > Thanks! :)
> > Cheers
> > ----------------------------------------------------------------------
> > Kim Lee                         Senior Engineer - Bulletproof Networks
> > ph: +61 (0) 416 212 025                 http://www.bulletproof.net.au/
> >                    "When failure is not an option"
> >

-- 
Cheers
----------------------------------------------------------------------
Kim Lee                         Senior Engineer - Bulletproof Networks
ph: +61 (0) 416 212 025                 http://www.bulletproof.net.au/
                   "When failure is not an option"

--
Want to unsubscribe from this list?
Check out: http://cygwin.com/ml/#unsubscribe-simple