public inbox for cygwin@cygwin.com
* Passwordless sftp with ssh 5.9 still asks for password
@ 2011-11-29 21:56 Andrew Erskine
  2011-11-29 23:26 ` Warren Young
  0 siblings, 1 reply; 6+ messages in thread
From: Andrew Erskine @ 2011-11-29 21:56 UTC (permalink / raw)
  To: cygwin

I'm trying to configure sftp for an enterprise tool I use, and the instructions (which I think are outdated, as they don't mention 2008) are as follows, which I have followed to the letter. The problem is I'm still asked for a password at the end (verbose output at the bottom).
 
To generate authentication keys
1.  Configure the key authentication by entering the following:
ssh-keygen -t dsa
Note: Accept the default key location, C:\Documents and
Settings\nhuser\.ssh\id_dsa, and do not provide a passphrase.
The id_dsa and id_dsa.pub keys appear at the default key locations.
 
2.  Copy the public key, id_dsa.pub, to all remote poller systems in this collection set.
Place the key in the directory, C:\Documents and Settings\nhuser\.ssh.
sftp NH_USER@REMOTE_SITE
sftp>cd .ssh
sftp>put id_dsa.pub
sftp>exit
 
Update Authentication File on a Windows Remote Site
After you copy the public keys to the .ssh subdirectory on each remote site in the
collection set, you must update the authentication file on each remote site.
To update authentication file on each remote site
1.  Log into the remote site as $NH_USER and navigate to the .ssh subdirectory on the
remote site.
2.  List the files in the .ssh subdirectory by entering the command, dir. 
The system displays a file with a .pub extension. This is your public key.
 
3.  Create an authorization file (with no extension) in the .ssh subdirectory on the
remote site.
Name the authorization file authorized_keys2.
4.  Copy the public key into the authorized_keys2 file, using the following command:
copy /b id_dsa.pub authorized_keys2
 
5.  Save the authorization file.
6.  Restart the cygwin Windows service.
7.  Repeat this procedure for each Windows remote system.
 
Test the Secure FTP Connection
Test the secure FTP connection between the central site and the remote polling sites to
verify that the sites do not prompt for a user name or password.
To test the secure FTP connection for SunSSH or OpenSSH
1.  Access a command prompt on the central site.
2.  Enter the following command:
sftp NH_USER@hostname
NH_USER 
Specifies your FTP user name.
hostname 
Specifies the name of the remote polling site system.
The central site should connect to the remote polling site without requiring you to
enter a user name or password. If you are prompted for a user name or password,
the encryption authentication is not set up correctly.
 
My config …
 
D:\cygwin\bin>mkpasswd -d -u ehealth >> ..\etc\passwd
 
D:\cygwin\bin>ssh-keygen -t dsa
Generating public/private dsa key pair.
Enter file in which to save the key (/cygdrive/c/users/ehealth/.ssh/id_dsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /cygdrive/c/users/ehealth/.ssh/id_dsa.
Your public key has been saved in /cygdrive/c/users/ehealth/.ssh/id_dsa.pub.
The key fingerprint is:
11:f2:7d:97:d6:bb:d9:e8:84:b0:c3:86:14:c6:26:8a ehealth@PWEEHPR01
The key's randomart image is:
+--[ DSA 1024]----+
|      . .        |
|       + o     o |
|      . B . . + .|
|   . . + o . o  .|
|  E .   S .    . |
|       . o o . .+|
|        . = . oo.|
|         . . o   |
|              .  |
+-----------------+
 
D:\cygwin\bin>sftp ehealth@2e2ehpr01
The authenticity of host '2e2ehpr01 (2002:2b00:2f8::2b00:2f8)' can't be establis
hed.
ECDSA key fingerprint is 9b:9a:9a:19:38:d3:80:d2:b9:8c:c5:11:68:e7:0b:d4.
Are you sure you want to continue connecting (yes/no)? yes
 
D:\cygwin\bin>sftp ehealth@2e2ehpr01
The authenticity of host '2e2ehpr01 (2002:2b00:2f8::2b00:2f8)' can't be establis
hed.
ECDSA key fingerprint is 9b:9a:9a:19:38:d3:80:d2:b9:8c:c5:11:68:e7:0b:d4.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '2e2ehpr01,2002:2b00:2f8::2b00:2f8' (ECDSA) to the li
st of known hosts.
ehealth@2e2ehpr01's password:
Connected to 2e2ehpr01.
cygwin warning:
  MS-DOS style path detected: D:\nutcroot\usr\lib\terminfo
  Preferred POSIX equivalent is: /cygdrive/d/nutcroot/usr/lib/terminfo
  CYGWIN environment variable option "nodosfilewarning" turns off this warning.
  Consult the user's guide for more details about POSIX paths:
    http://cygwin.com/cygwin-ug-net/using.html#using-pathnames
No entry for terminal type "nutc";
using dumb terminal settings.
No entry for terminal type "nutc";
using dumb terminal settings.
sftp>
sftp> lcd c:/users/ehealth/.ssh
sftp>
sftp> cd .ssh
sftp>
sftp> put id_dsa.pub
Uploading id_dsa.pub to /cygdrive/c/users/ehealth/.ssh/id_dsa.pub
id_dsa.pub                                    100%  607     0.6KB/s   00:00
sftp>
sftp> exit
 
D:\cygwin\bin>sftp ehealth@2e2ehpr01
ehealth@2e2ehpr01's password:
 
D:\cygwin\bin>sftp ehealth@2e2ehpr01
ehealth@2e2ehpr01's password:
 
D:\cygwin\bin>sftp ehealth@2e2ehpr01
ehealth@2e2ehpr01's password:
Connected to 2e2ehpr01.
cygwin warning:
  MS-DOS style path detected: D:\nutcroot\usr\lib\terminfo
  Preferred POSIX equivalent is: /cygdrive/d/nutcroot/usr/lib/terminfo
  CYGWIN environment variable option "nodosfilewarning" turns off this warning.
  Consult the user's guide for more details about POSIX paths:
    http://cygwin.com/cygwin-ug-net/using.html#using-pathnames
No entry for terminal type "nutc";
using dumb terminal settings.
No entry for terminal type "nutc";
using dumb terminal settings.
sftp> lcd c:/users/ehealth/.ssh
sftp> cd .ssh
sftp> put id_dsa.pub
Uploading id_dsa.pub to /cygdrive/c/users/ehealth/.ssh/id_dsa.pub
id_dsa.pub                                    100%  607     0.6KB/s   00:00
sftp>
sftp>
sftp>
sftp> bye
 
D:\cygwin\bin>sftp ehealth@2e2ehpr01
ehealth@2e2ehpr01's password:
 
D:\cygwin\bin>
D:\cygwin\bin>
D:\cygwin\bin>
D:\cygwin\bin>sftp ehealth@2e2ehpr01
ehealth@2e2ehpr01's password:
 
D:\cygwin\bin>
D:\cygwin\bin>
D:\cygwin\bin>
D:\cygwin\bin>
D:\cygwin\bin>sftp ehealth@2e2ehpr01
ehealth@2e2ehpr01's password:
 
D:\cygwin\bin>sftp -v ehealth@2e2ehpr01
OpenSSH_5.9p1, OpenSSL 0.9.8r 8 Feb 2011
debug1: Reading configuration data /etc/ssh_config
debug1: Connecting to 2e2ehpr01 [2002:2b00:2f8::2b00:2f8] port 22.
debug1: Connection established.
debug1: identity file /cygdrive/c/users/ehealth/.ssh/id_rsa type -1
debug1: identity file /cygdrive/c/users/ehealth/.ssh/id_rsa-cert type -1
debug1: identity file /cygdrive/c/users/ehealth/.ssh/id_dsa type 2
debug1: identity file /cygdrive/c/users/ehealth/.ssh/id_dsa-cert type -1
debug1: identity file /cygdrive/c/users/ehealth/.ssh/id_ecdsa type -1
debug1: identity file /cygdrive/c/users/ehealth/.ssh/id_ecdsa-cert type -1
debug1: Remote protocol version 2.0, remote software version OpenSSH_5.9
debug1: match: OpenSSH_5.9 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_5.9
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes128-ctr hmac-md5 none
debug1: kex: client->server aes128-ctr hmac-md5 none
debug1: sending SSH2_MSG_KEX_ECDH_INIT
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug1: Server host key: ECDSA 9b:9a:9a:19:38:d3:80:d2:b9:8c:c5:11:68:e7:0b:d4
debug1: Host '2e2ehpr01' is known and matches the ECDSA host key.
debug1: Found key in /cygdrive/c/users/ehealth/.ssh/known_hosts:3
debug1: ssh_ecdsa_verify: signature correct
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: Roaming not allowed by server
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey,password,keyboard-interacti
ve
debug1: Next authentication method: publickey
debug1: Trying private key: /cygdrive/c/users/ehealth/.ssh/id_rsa
debug1: Offering DSA public key: /cygdrive/c/users/ehealth/.ssh/id_dsa
debug1: Authentications that can continue: publickey,password,keyboard-interacti
ve
debug1: Trying private key: /cygdrive/c/users/ehealth/.ssh/id_ecdsa
debug1: Next authentication method: keyboard-interactive
debug1: Authentications that can continue: publickey,password,keyboard-interacti
ve
debug1: Next authentication method: password
ehealth@2e2ehpr01's password:
 
Config on remote server ..
 
 
D:\cygwin\bin>cd c:
 
C:\Users\ehealth>
C:\Users\ehealth>cd .ssh
C:\Users\ehealth\.ssh>ls
id_dsa.pub   known_hosts
 
C:\Users\ehealth\.ssh>edit authorized_keys2
C:\Users\ehealth\SSH~1>ls
authorized_keys2  id_dsa.pub        known_hosts
C:\Users\ehealth\SSH~1>copy /b id_dsa.pub authorized_keys2
Overwrite authorized_keys2? (Yes/No/All): Yes
        1 file(s) copied

Regards
Andy 
Sent from my iPhone


* Re: Passwordless sftp with ssh 5.9 still asks for password
  2011-11-29 21:56 Passwordless sftp with ssh 5.9 still asks for password Andrew Erskine
@ 2011-11-29 23:26 ` Warren Young
  2011-11-30  8:51   ` Andrey Repin
  2011-11-30  9:19   ` Csaba Raduly
  0 siblings, 2 replies; 6+ messages in thread
From: Warren Young @ 2011-11-29 23:26 UTC (permalink / raw)
  To: Cygwin-L

On 11/29/2011 2:49 PM, Andrew Erskine wrote:
>
> ssh-keygen -t dsa

"-t [keytype]" is a default flag these days, and it defaults to RSA, not 
DSA.  Unless you know for a fact you need DSA keys for some odd reason, 
leave this flag off and accept the default.

(ssh itself doesn't care what kind of key you use, as long as both ends 
have support for the key type you want to use.  Since every ssh 
implementation I've used since *forever* supports both RSA and DSA, the 
only way I can see why you'd want to use DSA is if you had some weird 
third-party tool that only understood DSA keys.)

> Accept the default
> key location, C:\Documents and Settings\nhuser\.ssh\id_dsa,

Why would that be the default location, if you are using Cygwin tools? 
Shouldn't it be something like c:\cygwin\home\nhuser\.ssh\...?  You can 
change your HOME to anything you like, but that's not the default with 
Cygwin.

> 2.  Copy the public key, id_dsa.pub, to all remote poller systems

More superannuated information.  Use the ssh-copy-id script instead of 
this manual process they're running you through.  It Does The Right 
Thing (TM) and it's included with recent versions of the openssh package 
in the default Cygwin package repo.

If you aren't using official Cygwin packages or you are insisting on 
using old stuff, you get what you deserve. :)

> 4.  Copy the public key into the authorized_keys2
> file, using the following command: copy /b id_dsa.pub
> authorized_keys2

That overwrites authorized_keys2, rather than appending to it as 
claimed.  Plus, you should be talking about authorized_keys, no numeral.

If I'm wrong and sshd *will* look for a '2' file, the problem is likely 
to be permissions.  It won't use the file if it isn't locked down, since 
that means you have only the illusion of security, and it won't play 
into a fantasy.

But if you use ssh-copy-id, you don't have to worry about any of this. 
Updating this file correctly is one of the things it does for you.

> Restart the cygwin Windows service

Not needed.  sshd re-reads authorized_keys on each login attempt.

> D:\cygwin\bin>...

You'll get a lot less friction with Cygwin tools if you use the Cygwin 
Bash shell instead of CMD.

ssh-copy-id is a shell script, so you'll have to jump through some hoops 
to even run it from a CMD shell, whereas it behaves just like any other 
command when you're running *any* Cygwin shell, not just Bash.

> Regards Andy Sent from my iPhone

<eyebrows type="through-the-roof">You typed all that on a screen 
keyboard?</eyebrows>  That's dedication.

--
Problem reports:       http://cygwin.com/problems.html
FAQ:                   http://cygwin.com/faq/
Documentation:         http://cygwin.com/docs.html
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple
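
The points in the reply above (append instead of overwrite, the file name authorized_keys, and permissions sshd will accept), written out as an added example for a Cygwin or other POSIX shell on the remote site; it is not code from this thread or from ssh-copy-id. The function names `install_pubkey` and `loose_paths` are made up for the illustration, and the permission test assumes sshd's usual rule that the home directory, `.ssh` and the key file must not be group- or world-writable.

```shell
#!/bin/sh
# Added example, not from the thread.
# install_pubkey HOME_DIR PUBKEY_FILE
#   Appends the key(s) in PUBKEY_FILE to HOME_DIR/.ssh/authorized_keys
#   without touching keys already there, then locks the paths down.
install_pubkey() {
    home_dir=$1; pubkey=$2
    ssh_dir="$home_dir/.ssh"
    auth="$ssh_dir/authorized_keys"      # no trailing "2"

    [ -s "$pubkey" ] || { echo "missing or empty key: $pubkey" >&2; return 1; }
    mkdir -p "$ssh_dir" || return 1
    touch "$auth" || return 1

    # If the existing file does not end in a newline, add one first so the
    # new key does not get glued onto the last existing key.
    if [ -s "$auth" ] && [ -n "$(tail -c 1 "$auth")" ]; then
        echo >> "$auth"
    fi

    # Append each key line only when that exact line is absent, so running
    # this twice adds nothing ("copy /b" would replace the whole file).
    while IFS= read -r line || [ -n "$line" ]; do
        [ -n "$line" ] || continue
        grep -qxF -- "$line" "$auth" || printf '%s\n' "$line" >> "$auth"
    done < "$pubkey"

    chmod go-w "$home_dir" && chmod 700 "$ssh_dir" && chmod 600 "$auth"
}

# loose_paths HOME_DIR
#   Prints each of the three paths that is group- or world-writable;
#   no output means nothing here would make sshd skip the key file.
loose_paths() {
    for p in "$1" "$1/.ssh" "$1/.ssh/authorized_keys"; do
        [ -e "$p" ] || continue
        if [ -n "$(find "$p" -prune \( -perm -020 -o -perm -002 \) -print)" ]; then
            printf '%s\n' "$p"
        fi
    done
}

# Usage on the remote site (paths are examples):
#   install_pubkey "$HOME" "$HOME/.ssh/id_dsa.pub"
#   loose_paths "$HOME"
```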


* Re: Passwordless sftp with ssh 5.9 still asks for password
  2011-11-29 23:26 ` Warren Young
@ 2011-11-30  8:51   ` Andrey Repin
  2011-11-30 14:20     ` Corinna Vinschen
  2011-11-30  9:19   ` Csaba Raduly
  1 sibling, 1 reply; 6+ messages in thread
From: Andrey Repin @ 2011-11-30  8:51 UTC (permalink / raw)
  To: Warren Young, cygwin

Greetings, Warren Young!

>> Accept the default
>> key location, C:\Documents and Settings\nhuser\.ssh\id_dsa,

> Why would that be the default location, if you are using Cygwin tools? 
> Shouldn't it be something like c:\cygwin\home\nhuser\.ssh\...?

Why?

> You can change your HOME to anything you like, but that's not the default
> with Cygwin.

Are you sure?
Last time I checked, $HOME in a newly installed Cygwin points to $USERPROFILE,
which is quite logical.


--
WBR,
Andrey Repin (anrdaemon@freemail.ru) 30.11.2011, <12:34>

Sorry for my terrible English...



* Re: Passwordless sftp with ssh 5.9 still asks for password
  2011-11-29 23:26 ` Warren Young
  2011-11-30  8:51   ` Andrey Repin
@ 2011-11-30  9:19   ` Csaba Raduly
  1 sibling, 0 replies; 6+ messages in thread
From: Csaba Raduly @ 2011-11-30  9:19 UTC (permalink / raw)
  To: cygwin

On Wed, Nov 30, 2011 at 12:17 AM, Warren Young wrote:
> On 11/29/2011 2:49 PM, Andrew Erskine wrote:
>>
>> ssh-keygen -t dsa
>
> "-t [keytype]" is a default flag these days, and it defaults to RSA, not
> DSA.  Unless you know for a fact you need DSA keys for some odd reason,
> leave this flag off and accept the default.
>
> (ssh itself doesn't care what kind of key you use, as long as both ends have
> support for the key type you want to use.  Since every ssh implementation
> I've used since *forever* supports both RSA and DSA, the only way I can see
> why you'd want to use DSA is if you had some weird third-party tool that
> only understood DSA keys.)
>
>> Accept the default
>> key location, C:\Documents and Settings\nhuser\.ssh\id_dsa,
>
> Why would that be the default location, if you are using Cygwin tools?
> Shouldn't it be something like c:\cygwin\home\nhuser\.ssh\...?  You can
> change your HOME to anything you like, but that's not the default with
> Cygwin.

That *is* the default with Cygwin if HOME, or HOMEDRIVE and HOMEPATH,
is set in the Windows environment.


Csaba
-- 
GCS a+ e++ d- C++ ULS$ L+$ !E- W++ P+++$ w++$ tv+ b++ DI D++ 5++
The Tao of math: The numbers you can count are not the real numbers.
Life is complex, with real and imaginary parts.
"Ok, it boots. Which means it must be bug-free and perfect. " -- Linus Torvalds
"People disagree with me. I just ignore them." -- Linus Torvalds


* Re: Passwordless sftp with ssh 5.9 still asks for password
  2011-11-30  8:51   ` Andrey Repin
@ 2011-11-30 14:20     ` Corinna Vinschen
  2011-11-30 14:58       ` Andrey Repin
  0 siblings, 1 reply; 6+ messages in thread
From: Corinna Vinschen @ 2011-11-30 14:20 UTC (permalink / raw)
  To: cygwin

On Nov 30 12:38, Andrey Repin wrote:
> Greetings, Warren Young!
> 
> >> Accept the default
> >> key location, C:\Documents and Settings\nhuser\.ssh\id_dsa,
> 
> > Why would that be the default location, if you are using Cygwin tools? 
> > Shouldn't it be something like c:\cygwin\home\nhuser\.ssh\...?
> 
> Why?
> 
> > You can change your HOME to anything you like, but that's not the default
> > with Cygwin.
> 
> Are you sure?
> Last time I checked, $HOME in a newly installed Cygwin points to $USERPROFILE,
> which is quite logical.

Just to be clear, that's not done by the Cygwin DLL.  When setting HOME,
the order is very simple:

- If $HOME is already set in the environment, leave it alone.
- Otherwise, grab home dir from /etc/passwd.
- If /etc/passwd doesn't exist or if the homedir field is empty,
  set HOME to /home/$USER.

If $HOME points to $USERPROFILE, it's because that value is set in
/etc/passwd.  mkpasswd, for instance, reads the homedir path from the
local SAM or AD and uses it, unless the -p option is used.  Otherwise,
if -p isn't used and the SAM/AD homedir is empty, the fallback is
/home/$USER again.


Corinna

-- 
Corinna Vinschen                  Please, send mails regarding Cygwin to
Cygwin Project Co-Leader          cygwin AT cygwin DOT com
Red Hat
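
The lookup order listed in the message above, as an added shell example; it is not Cygwin's own code. The function names `cygwin_home` and `home_differs` are made up here, an empty HOME is treated as unset, and when a user appears more than once in the passwd file the first entry is used (both are assumptions of this sketch).

```shell
#!/bin/sh
# Added example, not from the thread.
# cygwin_home USER PASSWD_FILE [ENV_HOME]
#   Prints the directory HOME would end up as under the three rules above.
cygwin_home() {
    user=$1; passwd=$2; env_home=${3-}

    # 1. HOME already set in the environment: leave it alone.
    if [ -n "$env_home" ]; then
        printf '%s\n' "$env_home"
        return 0
    fi

    # 2. Otherwise use the homedir field (6th colon-separated field) of
    #    the user's passwd entry, if the file exists and the field is set.
    if [ -r "$passwd" ]; then
        dir=$(awk -F: -v u="$user" '$1 == u { print $6; exit }' "$passwd")
        if [ -n "$dir" ]; then
            printf '%s\n' "$dir"
            return 0
        fi
    fi

    # 3. No passwd file, no entry, or empty homedir field.
    printf '/home/%s\n' "$user"
}

# home_differs USER PASSWD_FILE ENV_HOME
#   Succeeds when an inherited HOME overrides what the passwd entry says,
#   i.e. a process started without that HOME would use a different ~/.ssh.
home_differs() {
    [ -n "${3-}" ] && [ "$3" != "$(cygwin_home "$1" "$2")" ]
}

# Usage (paths are examples):
#   cygwin_home ehealth /etc/passwd "$HOME"
#   home_differs ehealth /etc/passwd "$HOME" && echo "HOME overrides passwd"
```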


* Re: Passwordless sftp with ssh 5.9 still asks for password
  2011-11-30 14:20     ` Corinna Vinschen
@ 2011-11-30 14:58       ` Andrey Repin
  0 siblings, 0 replies; 6+ messages in thread
From: Andrey Repin @ 2011-11-30 14:58 UTC (permalink / raw)
  To: Corinna Vinschen

Greetings, Corinna Vinschen!

>> Last time I checked, $HOME in a newly installed Cygwin points to $USERPROFILE,
>> which is quite logical.

> Just to be clear, that's not done by the Cygwin DLL.  When setting HOME,
> the order is very simple:

> - If $HOME is already set in the environment, leave it alone.
> - Otherwise, grab home dir from /etc/passwd.
> - If /etc/passwd doesn't exist or if the homedir field is empty,
>   set HOME to /home/$USER.

> If $HOME points to $USERPROFILE, it's because that value is set in
> /etc/passwd.  mkpasswd, for instance, reads the homedir path from the
> local SAM or AD and uses it, unless the -p option is used.

That explains it, thanks.

> Otherwise, if -p isn't used and the SAM/AD homedir is empty, the fallback is
> /home/$USER again.


--
WBR,
Andrey Repin (anrdaemon@freemail.ru) 30.11.2011, <18:17>

Sorry for my terrible English...

