Can't ssh to cygwin after switching sign-in to Windows Hello PIN

Can't ssh to cygwin after switching sign-in to Windows Hello PIN

[Henry S. Thompson]

Running cygwin 3.2.0-1 on Windows 10 Pro 21H1

Since changing my login from local User to Windows Hello PIN, I can't
ssh in to my machine using a password:  neither the PIN nor my old
password work:

  1) If from my machine I do
          ssh -o PreferredAuthentications=password localhost
     or
          ssh -o PreferredAuthentications=password [me]@[host]
     or
          ssh -o PreferredAuthentications=password U-[HOST]\\[me]@[host]

     I get "permission denied".

  2) If I try any of those from another machine, it hangs (but works
     w/o the "-o PreferredAuthentications=password", i.e. using a
     key).  By 'hangs' I mean that having typed the PIN and Enter,
     nothing happens, including no output if I include -v -v -v.

     Weirder still, if I try using strace, communication happens and I
     get "permission denied"

I have reinstalled openssh, removed the cygsshd service, re-run
ssh-host-config and restarted the service to no avail.

I only need password login to install new keys, and obviously there
are workarounds for that, but if there's just something I'm missing
I'd like to fix it.

Are there other things I need to worry about having switched to using
a PIN?

Thanks,

ht
-- 
       Henry S. Thompson, School of Informatics, University of Edinburgh
      10 Crichton Street, Edinburgh EH8 9AB, SCOTLAND -- (44) 131 650-4440
                Fax: (44) 131 650-4587, e-mail: ht@inf.ed.ac.uk
                       URL: http://www.ltg.ed.ac.uk/~ht/
 [mail from me _always_ has a .sig like this -- mail without it is forged spam]

The University of Edinburgh is a charitable body, registered in
Scotland, with registration number SC005336.

Re: Can't ssh to cygwin after switching sign-in to Windows Hello PIN

[Andrey Repin]

Greetings, Henry S. Thompson!

> Running cygwin 3.2.0-1 on Windows 10 Pro 21H1

> Since changing my login from local User to Windows Hello PIN, I can't
> ssh in to my machine using a password:  neither the PIN nor my old
> password work:

>   1) If from my machine I do
>           ssh -o PreferredAuthentications=password localhost
>      or
>           ssh -o PreferredAuthentications=password [me]@[host]
>      or
>           ssh -o PreferredAuthentications=password U-[HOST]\\[me]@[host]

>      I get "permission denied".

>   2) If I try any of those from another machine, it hangs (but works
>      w/o the "-o PreferredAuthentications=password", i.e. using a
>      key).  By 'hangs' I mean that having typed the PIN and Enter,
>      nothing happens, including no output if I include -v -v -v.

>      Weirder still, if I try using strace, communication happens and I
>      get "permission denied"

> I have reinstalled openssh, removed the cygsshd service, re-run
> ssh-host-config and restarted the service to no avail.

> I only need password login to install new keys, and obviously there
> are workarounds for that, but if there's just something I'm missing
> I'd like to fix it.

> Are there other things I need to worry about having switched to using
> a PIN?

Did you try to `passwd -R` as explained in
https://cygwin.com/cygwin-ug-net/ntsec.html#ntsec-setuid-overview ?


-- 
With best regards,
Andrey Repin
Monday, September 13, 2021 20:17:57

Sorry for my terrible english...

Re: Can't ssh to cygwin after switching sign-in to Windows Hello PIN

[Henry S. Thompson]

Andrey Repin writes:

> Greetings, Henry S. Thompson!
>
>> Running cygwin 3.2.0-1 on Windows 10 Pro 21H1
>
>> Since changing my login from local User to Windows Hello PIN, I can't
>> ssh in to my machine using a password:  neither the PIN nor my old
>> password work:
>> ...

> Did you try to `passwd -R` as explained in
> https://cygwin.com/cygwin-ug-net/ntsec.html#ntsec-setuid-overview ?

I did read that bit, but it says "When this user tries to login using
ssh with public key authentication".  As my email says, using public
key authentication works just fine.  It's when I explicitly supply a
password that it doesn't, so I didn't suppose there was any point in
trying.

In any case, I _have_ now tried and it doesn't help.

Thanks,

ht
-- 
       Henry S. Thompson, School of Informatics, University of Edinburgh
      10 Crichton Street, Edinburgh EH8 9AB, SCOTLAND -- (44) 131 650-4440
                Fax: (44) 131 650-4587, e-mail: ht@inf.ed.ac.uk
                       URL: http://www.ltg.ed.ac.uk/~ht/
 [mail from me _always_ has a .sig like this -- mail without it is forged spam]

The University of Edinburgh is a charitable body, registered in
Scotland, with registration number SC005336.

Re: Can't ssh to cygwin after switching sign-in to Windows Hello PIN

[Henry S. Thompson]

Henry S. Thompson via Cygwin writes:

> Running cygwin 3.2.0-1 on Windows 10 Pro 21H1
>
> Since changing my login from local User to Windows Hello PIN, I can't
> ssh in to my machine using a password:  neither the PIN nor my old
> password work:
>
>   1) If from my machine I do
>           ssh -o PreferredAuthentications=password localhost
>      or
>           ssh -o PreferredAuthentications=password [me]@[host]
>      or
>           ssh -o PreferredAuthentications=password U-[HOST]\\[me]@[host]
>
>      I get "permission denied".
>
>   2) If I try any of those from another machine, it hangs (but works
>      w/o the "-o PreferredAuthentications=password", i.e. using a
>      key).  By 'hangs' I mean that having typed the PIN and Enter,
>      nothing happens, including no output if I include -v -v -v.

(2) turns out to have been a more pervasive problem with the mintty
instance I tested from.  Using a new instance the same fails as (1)
occur.

I'd be grateful if anyone who has switched to a Windows Hello Pin can
try to reproduce and report,

Thanks,

ht
-- 
       Henry S. Thompson, School of Informatics, University of Edinburgh
      10 Crichton Street, Edinburgh EH8 9AB, SCOTLAND -- (44) 131 650-4440
                Fax: (44) 131 650-4587, e-mail: ht@inf.ed.ac.uk
                       URL: http://www.ltg.ed.ac.uk/~ht/
 [mail from me _always_ has a .sig like this -- mail without it is forged spam]

The University of Edinburgh is a charitable body, registered in
Scotland, with registration number SC005336.

Re: Can't ssh to cygwin after switching sign-in to Windows Hello PIN

[Brian Inglis]

On 2021-09-12 16:05, Henry S. Thompson via Cygwin wrote:
> Running cygwin 3.2.0-1 on Windows 10 Pro 21H1
> Since changing my login from local User to Windows Hello PIN, I can't
> ssh in to my machine using a password:  neither the PIN nor my old
> password work:
>    1) If from my machine I do
>            ssh -o PreferredAuthentications=password localhost
>       or
>            ssh -o PreferredAuthentications=password [me]@[host]
>       or
>            ssh -o PreferredAuthentications=password U-[HOST]\\[me]@[host]
>       I get "permission denied".
>    2) If I try any of those from another machine, it hangs (but works
>       w/o the "-o PreferredAuthentications=password", i.e. using a
>       key).  By 'hangs' I mean that having typed the PIN and Enter,
>       nothing happens, including no output if I include -v -v -v.
>       Weirder still, if I try using strace, communication happens and I
>       get "permission denied"
> I have reinstalled openssh, removed the cygsshd service, re-run
> ssh-host-config and restarted the service to no avail.
> I only need password login to install new keys, and obviously there
> are workarounds for that, but if there's just something I'm missing
> I'd like to fix it.
> Are there other things I need to worry about having switched to using
> a PIN?

Checkout whatever you can find out from Microsoft about connecting to 
Windows using Windows OpenSSH and Hello.

You may have to use SSH as intended:
add your host key to remote {~/.ssh,/etc/ssh}/known_hosts;
and your public key to remote ~/.ssh/authorized_keys{,2};
locally do the equivalent of eval `ssh-agent` and ssh-add ~/.ssh/id_...; 
then use your client to connect.

-- 
Take care. Thanks, Brian Inglis, Calgary, Alberta, Canada

This email may be disturbing to some readers as it contains
too much technical detail. Reader discretion is advised.
[Data in binary units and prefixes, physical quantities in SI.]

Re: Can't ssh to cygwin after switching sign-in to Windows Hello PIN

[Henry S. Thompson]

Brian Inglis writes:

> On 2021-09-12 16:05, Henry S. Thompson via Cygwin wrote:
>> Running cygwin 3.2.0-1 on Windows 10 Pro 21H1
>> Since changing my login from local User to Windows Hello PIN, I can't
>> ssh in to my machine using a password:  neither the PIN nor my old
>> password work:
>> ...
>
> Checkout whatever you can find out from Microsoft about connecting to
> Windows using Windows OpenSSH and Hello.

Thanks, will do.

> You may have to use SSH as intended:
> ...

As noted in my original post, I can and have set up public-key-based
connections.

The problem arose because my normal approach to getting my public key
from new Machine A to old Machine B is, once and once only, to use
password-authentication to move the public key.

I raised the issue here, even though I have alreadly worked around it,
in case there were others for whom public-key was unfamiliar or
otherwise problematic, and, frankly, because it seems like a bug, and
if Microsoft succeeds in moving more people to using PINs for login,
it will surely begin to bite others...

ht
-- 
       Henry S. Thompson, School of Informatics, University of Edinburgh
      10 Crichton Street, Edinburgh EH8 9AB, SCOTLAND -- (44) 131 650-4440
                Fax: (44) 131 650-4587, e-mail: ht@inf.ed.ac.uk
                       URL: http://www.ltg.ed.ac.uk/~ht/
 [mail from me _always_ has a .sig like this -- mail without it is forged spam]

The University of Edinburgh is a charitable body, registered in
Scotland, with registration number SC005336.

Re: Can't ssh to cygwin after switching sign-in to Windows Hello PIN

[L A Walsh]

On 2021/09/15 12:53, Henry S. Thompson via Cygwin wrote:
> frankly, it seems like a bug, and
> if Microsoft succeeds in moving more people to using PINs for login,
> it will surely begin to bite others...
----

Isn't the idea of using the PIN login to get rid of the use (and the
ability) to use passwords?

I agree with you that it is likely to cause problems, but creating
a block to using a password seems to be intentional.

It's a bit like some of the problems with the 'Oauth' system where
one provider (like google) provides a way to allow you to login to
other sites using your google authentication, but not requiring you
give the "other site" a password.  When I first read about it though,
it seemed like the authorization process required web access for
the authorization to be exchanged, but I'm not 100% sure about that.
If it required web-auth, that has its own set of problems.

Re: Can't ssh to cygwin after switching sign-in to Windows Hello PIN

[Henry S. Thompson]

L A Walsh writes:

> On 2021/09/15 12:53, Henry S. Thompson via Cygwin wrote:
>> frankly, it seems like a bug, and
>> if Microsoft succeeds in moving more people to using PINs for login,
>> it will surely begin to bite others...
> ----
>
> Isn't the idea of using the PIN login to get rid of the use (and the
> ability) to use passwords?

Indeed.  Just not clear if this was _intended_ to make public key and
gssapi the only authentication routes in via ssh...

Further to Brian Inglis's suggestion to see what Windows OpenSSH has
to offer, the answer is, not much.  There are some open issues
which include discussion of possible Windows Hello into Windows
OpenSSH [1], but they haven't made much headway for some time...

ht

[1] https://github.com/PowerShell/Win32-OpenSSH/issues/1804#issuecomment-850500721
-- 
       Henry S. Thompson, School of Informatics, University of Edinburgh
      10 Crichton Street, Edinburgh EH8 9AB, SCOTLAND -- (44) 131 650-4440
                Fax: (44) 131 650-4587, e-mail: ht@inf.ed.ac.uk
                       URL: http://www.ltg.ed.ac.uk/~ht/
 [mail from me _always_ has a .sig like this -- mail without it is forged spam]

The University of Edinburgh is a charitable body, registered in
Scotland, with registration number SC005336.