public inbox for cygwin@cygwin.com
* Cygwin 2.763 32bit SSHD public key auth. failure on Windows Server 2016 R2 64bit
@ 2018-02-05  8:01 Aliaksei Hladkikh
  2018-02-05 19:44 ` Achim Gratz
  0 siblings, 1 reply; 2+ messages in thread
From: Aliaksei Hladkikh @ 2018-02-05  8:01 UTC (permalink / raw)
  To: cygwin


Hello

Can't connect to Cygwin SSHD using public key setup, but the same Cygwin configuration/OS/client
works with Cygwin 2.763 32bit on Windows Server 2008 R2 64bit.
See the var/log/messages extracts.

Seems to be connected with a SeTcbPrivilege problem because of the
"fatal: seteuid 1049698: Operation not permitted" log record, but ALL existing Local Policy privileges were granted
to the dsm user under which the Windows service runs, or to the Administrators group of which dsm is a member;
gpupdate was executed and the service restarted.

Going to try x64 Cygwin, but it's scary to change that Server 2016 R2.

Regards
------------------------------------------------------------
sshd_public_key_fail.log:

Feb  5 08:18:16 MPDiagnostics2 sshd: PID 6104: debug1: userauth-request for user dsm service ssh-connection method none [preauth]
Feb  5 08:18:16 MPDiagnostics2 sshd: PID 6104: debug1: attempt 0 failures 0 [preauth]
Feb  5 08:18:16 MPDiagnostics2 sshd: PID 6104: debug1: userauth-request for user dsm service ssh-connection method publickey [preauth]
Feb  5 08:18:16 MPDiagnostics2 sshd: PID 6104: debug1: attempt 1 failures 0 [preauth]
Feb  5 08:18:16 MPDiagnostics2 sshd: PID 6104: debug1: userauth_pubkey: test whether pkalg/pkblob are acceptable for RSA SHA256:WwiWbTcBCmRCXPeuoN9D792twtGPp0xK0GfUCgqUS1Q [preauth]
Feb  5 08:18:16 MPDiagnostics2 sshd: PID 6104: debug1: temporarily_use_uid: 1049698/1049089 (e=197609/197121)
Feb  5 08:18:16 MPDiagnostics2 sshd: PID 5684: debug1: rekey after 4294967296 blocks [preauth]
Feb  5 08:18:16 MPDiagnostics2 sshd: PID 5684: debug1: SSH2_MSG_NEWKEYS sent [preauth]
Feb  5 08:18:16 MPDiagnostics2 sshd: PID 5684: debug1: expecting SSH2_MSG_NEWKEYS [preauth]
Feb  5 08:18:16 MPDiagnostics2 sshd: PID 6104: fatal: seteuid 1049698: Operation not permitted
Feb  5 08:18:16 MPDiagnostics2 sshd: PID 6104: debug1: do_cleanup
Feb  5 08:18:16 MPDiagnostics2 sshd: PID 6104: debug1: Killing privsep child 5592
Feb  5 08:18:18 MPDiagnostics2 sshd: PID 5684: debug1: SSH2_MSG_NEWKEYS received [preauth]
Feb  5 08:18:18 MPDiagnostics2 sshd: PID 5684: debug1: rekey after 4294967296 blocks [preauth]
Feb  5 08:18:18 MPDiagnostics2 sshd: PID 5684: debug1: KEX done [preauth]

sshd_password_ok.log:

Feb  5 08:19:33 MPDiagnostics2 sshd: PID 5684: debug1: userauth-request for user dsm service ssh-connection method password [preauth]
Feb  5 08:19:33 MPDiagnostics2 sshd: PID 5684: debug1: attempt 3 failures 2 [preauth]
Feb  5 08:19:33 MPDiagnostics2 sshd: PID 5684: Accepted password for dsm from 37.17.38.141 port 10330 ssh2
Feb  5 08:19:33 MPDiagnostics2 sshd: PID 5684: debug1: monitor_child_preauth: dsm has been authenticated by privileged process
Feb  5 08:19:33 MPDiagnostics2 sshd: PID 5684: debug1: monitor_read_log: child log fd closed
Feb  5 08:19:33 MPDiagnostics2 sshd: PID 5684: debug1: rekey after 4294967296 blocks
Feb  5 08:19:33 MPDiagnostics2 sshd: PID 5684: debug1: rekey after 4294967296 blocks
Feb  5 08:19:33 MPDiagnostics2 sshd: PID 5684: debug1: ssh_packet_set_postauth: called
Feb  5 08:19:33 MPDiagnostics2 sshd: PID 5684: debug1: Entering interactive session for SSH2.
Feb  5 08:19:33 MPDiagnostics2 sshd: PID 5684: debug1: server_init_dispatch
Feb  5 08:19:33 MPDiagnostics2 sshd: PID 5684: debug1: server_input_channel_open: ctype session rchan 256 win 16384 max 16384
Feb  5 08:19:33 MPDiagnostics2 sshd: PID 5684: debug1: input_session_request
Feb  5 08:19:33 MPDiagnostics2 sshd: PID 5684: debug1: channel 0: new [server-session]
Feb  5 08:19:33 MPDiagnostics2 sshd: PID 5684: debug1: session_new: session 0
Feb  5 08:19:33 MPDiagnostics2 sshd: PID 5684: debug1: session_open: channel 0
Feb  5 08:19:33 MPDiagnostics2 sshd: PID 5684: debug1: session_open: session 0: link with channel 0
Feb  5 08:19:33 MPDiagnostics2 sshd: PID 5684: debug1: server_input_channel_open: confirm session
Feb  5 08:19:33 MPDiagnostics2 sshd: PID 5684: debug1: server_input_channel_req: channel 0 request pty-req reply 1
Feb  5 08:19:33 MPDiagnostics2 sshd: PID 5684: debug1: session_by_channel: session 0 channel 0
Feb  5 08:19:33 MPDiagnostics2 sshd: PID 5684: debug1: session_input_channel_req: session 0 req pty-req
Feb  5 08:19:33 MPDiagnostics2 sshd: PID 5684: debug1: Allocating pty.
Feb  5 08:19:33 MPDiagnostics2 sshd: PID 5684: debug1: session_pty_req: session 0 alloc /dev/pty1
Feb  5 08:19:33 MPDiagnostics2 sshd: PID 5684: debug1: server_input_channel_req: channel 0 request shell reply 1
Feb  5 08:19:33 MPDiagnostics2 sshd: PID 5684: debug1: session_by_channel: session 0 channel 0
Feb  5 08:19:33 MPDiagnostics2 sshd: PID 5684: debug1: session_input_channel_req: session 0 req shell
Feb  5 08:19:33 MPDiagnostics2 sshd: PID 5684: Starting session: shell on pty1 for dsm from 37.17.38.141 port 10330 id 0
Feb  5 08:19:33 MPDiagnostics2 sshd: PID 980: debug1: Setting controlling tty using TIOCSCTTY.
Feb  5 08:19:33 MPDiagnostics2 sshd: PID 980: debug1: permanently_set_uid: 1049698/1049089
Feb  5 08:19:34 MPDiagnostics2 sshd: PID 3692: debug1: fd 5 clearing O_NONBLOCK
Feb  5 08:19:34 MPDiagnostics2 sshd: PID 3692: debug1: Forked child 4728.
Feb  5 08:19:34 MPDiagnostics2 sshd: PID 4728: debug1: rexec start in 5 out 5 newsock 5 pipe 7 sock 8
Feb  5 08:19:34 MPDiagnostics2 sshd: PID 4728: rexec line 96: Deprecated option UsePrivilegeSeparation
Feb  5 08:19:34 MPDiagnostics2 sshd: PID 4728: debug1: inetd sockets after dupping: 3, 3

--
Problem reports:       http://cygwin.com/problems.html
FAQ:                   http://cygwin.com/faq/
Documentation:         http://cygwin.com/docs.html
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple
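As a worked example added here (not the poster's or Cygwin's code), a small Python triage script that groups the posted log lines by sshd PID and extracts what the two logs show but is easy to miss: during the publickey check the monitor tried to switch from the service account's effective uid 197609 to dsm's uid 1049698, and that is the seteuid that failed, while the password login recorded no failed switch. The sample lines are a subset of the two logs above; the field names in the returned dict are assumptions of this example.

```python
import re

# Constructed sample: a subset of the sshd debug1 lines posted in the thread.
FAIL_LOG = """\
Feb  5 08:18:16 MPDiagnostics2 sshd: PID 6104: debug1: userauth-request for user dsm service ssh-connection method none [preauth]
Feb  5 08:18:16 MPDiagnostics2 sshd: PID 6104: debug1: userauth-request for user dsm service ssh-connection method publickey [preauth]
Feb  5 08:18:16 MPDiagnostics2 sshd: PID 6104: debug1: temporarily_use_uid: 1049698/1049089 (e=197609/197121)
Feb  5 08:18:16 MPDiagnostics2 sshd: PID 6104: fatal: seteuid 1049698: Operation not permitted
Feb  5 08:18:16 MPDiagnostics2 sshd: PID 6104: debug1: Killing privsep child 5592
"""
OK_LOG = """\
Feb  5 08:19:33 MPDiagnostics2 sshd: PID 5684: debug1: userauth-request for user dsm service ssh-connection method password [preauth]
Feb  5 08:19:33 MPDiagnostics2 sshd: PID 5684: Accepted password for dsm from 37.17.38.141 port 10330 ssh2
Feb  5 08:19:33 MPDiagnostics2 sshd: PID 980: debug1: permanently_set_uid: 1049698/1049089
"""

LINE_RE = re.compile(r"sshd: PID (?P<pid>\d+): (?P<msg>.*)$")
AUTH_RE = re.compile(r"userauth-request for user (?P<user>\S+) service \S+ method (?P<method>\S+)")
TEMP_RE = re.compile(r"temporarily_use_uid: (?P<uid>\d+)/\d+ \(e=(?P<euid>\d+)/\d+\)")
FATAL_RE = re.compile(r"fatal: seteuid (?P<uid>\d+): (?P<err>.*)$")
PERM_RE = re.compile(r"permanently_set_uid: (?P<uid>\d+)/\d+")

def triage(text):
    """Group sshd lines by PID and report every uid switch attempted.
    A failure records the auth method and user being checked when seteuid
    failed, the uid sshd was running as (euid) and the uid it tried to become."""
    state = {}  # pid -> last user/method seen and the pending switch
    failures, switches = [], []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        pid, msg = m["pid"], m["msg"]
        st = state.setdefault(pid, {"user": None, "method": None, "pending": None})
        if a := AUTH_RE.search(msg):
            st["user"], st["method"] = a["user"], a["method"]
        elif t := TEMP_RE.search(msg):
            # Monitor is about to impersonate the target user for the key check.
            st["pending"] = (int(t["euid"]), int(t["uid"]))
        elif f := FATAL_RE.search(msg):
            from_euid = st["pending"][0] if st["pending"] else None
            failures.append({"pid": pid, "user": st["user"], "method": st["method"],
                             "from_euid": from_euid, "to_uid": int(f["uid"]), "error": f["err"]})
        elif p := PERM_RE.search(msg):
            # Session child dropped to the user for good: that switch succeeded.
            switches.append({"pid": pid, "uid": int(p["uid"])})
    return {"failures": failures, "switches": switches}
```

Run it over a full /var/log/messages extract to see which authentication method first hits the failing switch; a service account that cannot become another user fails here even though password logins, which are authenticated by the privileged process itself, still work.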


* Re: Cygwin 2.763 32bit SSHD public key auth. failure on Windows Server 2016 R2 64bit
  2018-02-05  8:01 Cygwin 2.763 32bit SSHD public key auth. failure on Windows Server 2016 R2 64bit Aliaksei Hladkikh
@ 2018-02-05 19:44 ` Achim Gratz
  0 siblings, 0 replies; 2+ messages in thread
From: Achim Gratz @ 2018-02-05 19:44 UTC (permalink / raw)
  To: cygwin

Aliaksei Hladkikh writes:
> Can't connect to Cygwin SSHD using public key setup, but the same Cygwin configuration/OS/client
> works with Cygwin 2.763 32bit on Windows Server 2008 R2 64bit.
> See the var/log/messages extracts.
>
> Seems to be connected with a SeTcbPrivilege problem because of the
> "fatal: seteuid 1049698: Operation not permitted" log record, but ALL existing Local Policy privileges were granted
> to the dsm user under which the Windows service runs, or to the Administrators group of which dsm is a member;
> gpupdate was executed and the service restarted.

FWIW, I think I am seeing the same problem on Windows Server 2012 R2
ever since that came out.  I think this is some security feature as the
same thing happily works on non-server Windows of all versions I have
access to, possibly controlled by a group policy, although I have not
found anyone who seems to know about it.  But it does work for other
people in other environments, so there must be some setting somewhere
that prevents it.

My current work-around is to run sshd as the user that logs in (in my
case it's always the same user) so it doesn't have to switch SID.

> Going to try x64 Cygwin, but it's scary to change that Server 2016 R2.

You can install both Cygwin versions in parallel, just don't re-create
the ssh user when setting up sshd.


Regards,
Achim.
-- 
+<[Q+ Matrix-12 WAVE#46+305 Neuron microQkb Andromeda XTk Blofeld]>+

Factory and User Sound Singles for Waldorf Blofeld:
http://Synth.Stromeko.net/Downloads.html#WaldorfSounds
