public inbox for cygwin@cygwin.com
* OpenSSH and RSA authentication problem
@ 2000-06-13 13:55 Alexander Vorobiev
  2000-06-13 15:09 ` Corinna Vinschen
       [not found] ` <640eFmwJo0579M04@www.netaddress.com>
  0 siblings, 2 replies; 7+ messages in thread
From: Alexander Vorobiev @ 2000-06-13 13:55 UTC (permalink / raw)
  To: cygwin

Hi!

I'm having problems with RSA authentication and OpenSSH.

The relevant sshd message is:

debug: Attempting authentication for administrator.
debug: seteuid 500: Not owner
debug: seteuid 500: Not owner
Failed rsa for administrator from xx.xx.xx.xx port 3107

But I'm running sshd as an administrator:

avorobiev$ whoami
administrator

avorobiev$ cat /etc/passwd|grep Administrator
Administrator::500:513:Alexander Vorobiev...

avorobiev$ ps -ef|grep sshd
administ  1064     1  -1  12:02:58 /usr/local/sbin/sshd.exe

I'm running cygwin1-20000605.dll and my CYGWIN=binmode export ntsec title tty

What's the problem?
Thanks in advance,
Alexander
-- 
        Beware of bugs in the above code; I have only proved it correct,
        not tried it.  -- Donald E. Knuth

--
Want to unsubscribe from this list?
Send a message to cygwin-unsubscribe@sourceware.cygnus.com


* Re: OpenSSH and RSA authentication problem
  2000-06-13 13:55 OpenSSH and RSA authentication problem Alexander Vorobiev
@ 2000-06-13 15:09 ` Corinna Vinschen
       [not found] ` <640eFmwJo0579M04@www.netaddress.com>
  1 sibling, 0 replies; 7+ messages in thread
From: Corinna Vinschen @ 2000-06-13 15:09 UTC (permalink / raw)
  To: Alexander Vorobiev; +Cc: cygwin

Alexander Vorobiev wrote:
> I'm having problems with RSA authentication and OpenSSH.
> 
> The relevant sshd message is:
> 
> debug: Attempting authentication for administrator.
> debug: seteuid 500: Not owner
> debug: seteuid 500: Not owner
> Failed rsa for administrator from xx.xx.xx.xx port 3107
> 
> But I'm running sshd as an administrator:
> 
> avorobiev$ whoami
> administrator
> 
> avorobiev$ cat /etc/passwd|grep Administrator
> Administrator::500:513:Alexander Vorobiev...

Did you create your passwd file with SIDs in pw_gecos?

Corinna


* Re: OpenSSH and RSA authentication problem
       [not found] ` <640eFmwJo0579M04@www.netaddress.com>
@ 2000-06-14  9:17   ` Alexander Vorobiev
  2000-06-14 10:26     ` Corinna Vinschen
       [not found]     ` <657eFNRZm1003M29@www.netaddress.com>
  0 siblings, 2 replies; 7+ messages in thread
From: Alexander Vorobiev @ 2000-06-14  9:17 UTC (permalink / raw)
  To: cygwin; +Cc: Corinna Vinschen


Corinna Vinschen <corinna@vinschen.de>    writes:

>  Did you create your passwd file with SIDs in pw_gecos?

Yes. The interesting thing is sshd works fine when I switch it to use
password authentication (I made all necessary adjustments to my NT
user permissions). But I really need to get it to work with RSA auth.

Alexander

-- 
"No matter how much money you spend, you can't make a racehorse out of
 a pig. You can, however, make an awfully fast pig."
 -- An old saying about program efficiency


* Re: OpenSSH and RSA authentication problem
  2000-06-14  9:17   ` Alexander Vorobiev
@ 2000-06-14 10:26     ` Corinna Vinschen
       [not found]     ` <657eFNRZm1003M29@www.netaddress.com>
  1 sibling, 0 replies; 7+ messages in thread
From: Corinna Vinschen @ 2000-06-14 10:26 UTC (permalink / raw)
  To: Alexander Vorobiev; +Cc: cygwin

Alexander Vorobiev wrote:
> 
> Corinna Vinschen <corinna@vinschen.de>    writes:
> 
> >  Did you create your passwd file with SIDs in pw_gecos?
> 
> Yes. The interesting thing is sshd works fine when I switch it to use
> password authentication (I made all necessary adjustments to my NT
> user permissions). But I really need to get it to work with RSA auth.

Sorry for that question, but are you sure that your RSA
setup is correct? Did you create your identity files
correctly?

Anyway. Please send the output of sshd -d and ssh -V in
case of RSA authentication. Maybe there is some
interesting info.

Corinna


* Re: OpenSSH and RSA authentication problem
       [not found]     ` <657eFNRZm1003M29@www.netaddress.com>
@ 2000-06-14 12:00       ` Alexander Vorobiev
  2000-06-14 13:12         ` Corinna Vinschen
       [not found]         ` <664eFNuL51143M25@www.netaddress.com>
  0 siblings, 2 replies; 7+ messages in thread
From: Alexander Vorobiev @ 2000-06-14 12:00 UTC (permalink / raw)
  To: cygwin; +Cc: Corinna Vinschen


Corinna Vinschen <corinna@vinschen.de>    writes:
>  Anyway. Please send the output of sshd -d and ssh -V in
>  case of RSA authentication. Maybe there is some
>  interesting info.

avorobiev$ /usr/local/sbin/sshd.exe -d
debug: sshd version OpenSSH-1.2.2
debug: Bind to port 22 on 0.0.0.0.
Server listening on 0.0.0.0 port 22.
Generating 768 bit RSA key.
RSA key generation complete.
debug: Server will not fork when running in debugging mode.
Connection from 127.0.0.1 port 4085
debug: Client protocol version 1.5; client software version OpenSSH-1.2.2
debug: Sent 768 bit public key and 1024 bit host key.
debug: Encryption type: 3des
debug: Received session key; encryption turned on.
debug: Installing crc compensation attack detector.
debug: Attempting authentication for administrator.
debug: seteuid 500: Not owner
debug: seteuid 500: Not owner
Failed rsa for administrator from 127.0.0.1 port 4085
Connection closed by 127.0.0.1
debug: Calling cleanup 0x411ebc(0x0)
avorobiev$

And here is what the client displays (the same machine):

avorobiev$ slogin -v localhost
SSH Version OpenSSH-1.2.2, protocol version 1.5.
Compiled with SSL.
debug: Reading configuration data /usr/local/etc/ssh_config
debug: Applying options for *
debug: seteuid 500: Not owner
debug: ssh_connect: getuid 500 geteuid 500 anon 1
debug: Connecting to localhost [127.0.0.1] port 22.
debug: seteuid 500: Not owner
debug: seteuid 500: Not owner
debug: seteuid 500: Not owner
debug: seteuid 500: Not owner
debug: Connection established.
debug: setuid 500: Not owner
debug: Remote protocol version 1.5, remote software version OpenSSH-1.2.2
debug: Waiting for server public key.
debug: Received server public key (768 bits) and host key (1024 bits).
debug: Forcing accepting of host key for loopback/localhost.
debug: Encryption type: 3des
debug: Sent encrypted session key.
debug: Installing crc compensation attack detector.
debug: Received encrypted confirmation.
debug: Trying RSA authentication with key 'administrator@NTBOX'
debug: Server refused our key.
Permission denied.
debug: Calling cleanup 0x40bb1c(0x0)
avorobiev$

And here is what the client displays when I try to connect from a unix box
(real IP addresses and machine names changed):

slogin xx.xx.xx.xx -l administrator -v
SSH Version 1.2.27 [hppa1.1-hp-hpux10.20], protocol version 1.5.
Standard version.  Does not use RSAREF.
unixbox: Reading configuration data /homedirs/avorobiev/.ssh/config
unixbox: Applying options for *
unixbox: ssh_connect: getuid 1799 geteuid 1799 anon 1
unixbox: Connecting to xx.xx.xx.xx port 22.
unixbox: Connection established.
unixbox: Remote protocol version 1.5, remote software version OpenSSH-1.2.2
unixbox: Waiting for server public key.
unixbox: Received server public key (768 bits) and host key (1024 bits).
unixbox: Host 'xx.xx.xx.xx' is known and matches the host key.
unixbox: Initializing random; seed file /homedirs/avorobiev/.ssh/random_seed
unixbox: IDEA not supported, using 3des instead.
unixbox: Encryption type: 3des
unixbox: Sent encrypted session key.
unixbox: Installing crc compensation attack detector.
unixbox: Received encrypted confirmation.
unixbox: No agent.
unixbox: Trying RSA authentication with key 'avorobiev@UNIXBOX'
unixbox: Server refused our key.
Permission denied.

In the latter case sshd -d outputs exactly the same messages as in the
former case (connection from localhost) but with different IP
addresses, of course.

All RSA-related files (identity, authorized_hosts etc.) seem to be
ok. It all looks like some permission problem...


Alexander

--
Narrowness of experience leads to narrowness of imagination
        -- Rob Pike


* Re: OpenSSH and RSA authentication problem
  2000-06-14 12:00       ` Alexander Vorobiev
@ 2000-06-14 13:12         ` Corinna Vinschen
       [not found]         ` <664eFNuL51143M25@www.netaddress.com>
  1 sibling, 0 replies; 7+ messages in thread
From: Corinna Vinschen @ 2000-06-14 13:12 UTC (permalink / raw)
  To: Alexander Vorobiev; +Cc: cygwin

There's no hint for a specific problem in sshd but it
seems as if you didn't cat your identity.pub file to
authorized_keys. At least the message is identical.
If it would be a permission problem, e.g. your authorized_keys
file isn't readable by you, the debug output of ssh -v
would contain:

debug: Remote: Could not open /home/corinna/.ssh/authorized_keys for reading.
debug: Remote: If your home is on an NFS volume, it may need to be world-readable

Note that the below output is exactly(!) the same if
your authorized_keys file doesn't exist.


Corinna

Alexander Vorobiev wrote:
> 
> Corinna Vinschen <corinna@vinschen.de>    writes:
> >  Anyway. Please send the output of sshd -d and ssh -V in
> >  case of RSA authentication. Maybe there is some
> >  interesting info.
> 
> avorobiev$ /usr/local/sbin/sshd.exe -d
> debug: sshd version OpenSSH-1.2.2
> debug: Bind to port 22 on 0.0.0.0.
> Server listening on 0.0.0.0 port 22.
> Generating 768 bit RSA key.
> RSA key generation complete.
> debug: Server will not fork when running in debugging mode.
> Connection from 127.0.0.1 port 4085
> debug: Client protocol version 1.5; client software version OpenSSH-1.2.2
> debug: Sent 768 bit public key and 1024 bit host key.
> debug: Encryption type: 3des
> debug: Received session key; encryption turned on.
> debug: Installing crc compensation attack detector.
> debug: Attempting authentication for administrator.
> debug: seteuid 500: Not owner
> debug: seteuid 500: Not owner
> Failed rsa for administrator from 127.0.0.1 port 4085
> Connection closed by 127.0.0.1
> debug: Calling cleanup 0x411ebc(0x0)
> avorobiev$
> 
> And here is what the client displays (the same machine):
> 
> avorobiev$ slogin -v localhost
> SSH Version OpenSSH-1.2.2, protocol version 1.5.
> Compiled with SSL.
> debug: Reading configuration data /usr/local/etc/ssh_config
> debug: Applying options for *
> debug: seteuid 500: Not owner
> debug: ssh_connect: getuid 500 geteuid 500 anon 1
> debug: Connecting to localhost [127.0.0.1] port 22.
> debug: seteuid 500: Not owner
> debug: seteuid 500: Not owner
> debug: seteuid 500: Not owner
> debug: seteuid 500: Not owner
> debug: Connection established.
> debug: setuid 500: Not owner
> debug: Remote protocol version 1.5, remote software version OpenSSH-1.2.2
> debug: Waiting for server public key.
> debug: Received server public key (768 bits) and host key (1024 bits).
> debug: Forcing accepting of host key for loopback/localhost.
> debug: Encryption type: 3des
> debug: Sent encrypted session key.
> debug: Installing crc compensation attack detector.
> debug: Received encrypted confirmation.
> debug: Trying RSA authentication with key 'administrator@NTBOX'
> debug: Server refused our key.
> Permission denied.
> debug: Calling cleanup 0x40bb1c(0x0)
> avorobiev$
> 
> And here is what the client displays when I try to connect from a unix box
> (real IP addresses and machine names changed):
> 
> slogin xx.xx.xx.xx -l administrator -v
> SSH Version 1.2.27 [hppa1.1-hp-hpux10.20], protocol version 1.5.
> Standard version.  Does not use RSAREF.
> unixbox: Reading configuration data /homedirs/avorobiev/.ssh/config
> unixbox: Applying options for *
> unixbox: ssh_connect: getuid 1799 geteuid 1799 anon 1
> unixbox: Connecting to xx.xx.xx.xx port 22.
> unixbox: Connection established.
> unixbox: Remote protocol version 1.5, remote software version OpenSSH-1.2.2
> unixbox: Waiting for server public key.
> unixbox: Received server public key (768 bits) and host key (1024 bits).
> unixbox: Host 'xx.xx.xx.xx' is known and matches the host key.
> unixbox: Initializing random; seed file /homedirs/avorobiev/.ssh/random_seed
> unixbox: IDEA not supported, using 3des instead.
> unixbox: Encryption type: 3des
> unixbox: Sent encrypted session key.
> unixbox: Installing crc compensation attack detector.
> unixbox: Received encrypted confirmation.
> unixbox: No agent.
> unixbox: Trying RSA authentication with key 'avorobiev@UNIXBOX'
> unixbox: Server refused our key.
> Permission denied.
> 
> In the latter case sshd -d outputs exactly the same messages as in the
> former case (connection from localhost) but with different IP
> addresses, of course.
> 
> All RSA-related files (identity, authorized_hosts etc.) seem to be
> ok. It all looks like some permission problem...
> 
> Alexander

-- 
Corinna Vinschen
Cygwin Developer
Cygnus Solutions, a Red Hat company


* Re: OpenSSH and RSA authentication problem
       [not found]         ` <664eFNuL51143M25@www.netaddress.com>
@ 2000-06-14 14:56           ` Alexander Vorobiev
  0 siblings, 0 replies; 7+ messages in thread
From: Alexander Vorobiev @ 2000-06-14 14:56 UTC (permalink / raw)
  To: cygwin; +Cc: Corinna Vinschen


You are right! Thanks

Corinna Vinschen <corinna@vinschen.de>    writes:

>  Note that the below output is exactly(!) the same if
>  your authorized_keys file doesn't exist.

There was a misspelling in the file name. I corrected it but sshd
still doesn't work; it outputs the following:

debug: Attempting authentication for administrator.
debug: seteuid 500: Not owner
RSA authentication refused for administrator: bad ownership or modes for '/cygdrive/c/avorobiev/.ssh/authorized_keys'.
debug: seteuid 500: Not owner
Failed rsa for administrator from 127.0.0.1 port 2668
Connection closed by 127.0.0.1

Well, NOW it definitely looks like a permission problem. Changing
permissions to 600 didn't help, so I decided to start from scratch and
regenerate passwd and groups files. But using mkpasswd I can't get
a correct passwd record for me. Unfortunately I know little about the NT
security scheme, so the following is what I have now:

(I changed my real login name)
I login to the lan (NT domain and Netware tree) and my machine using
NWClient login dialog using "avorobiev" as user name. 

So _without_ passwd and groups files:

avorobiev$ id
uid=500(avorobiev) gid=544(Administrators) groups=544(Administrators)

Neither mkpasswd -l nor mkpasswd -d DOMAIN generates a user record with
uid=500 and gid=544 (or with username avorobiev).

mkpasswd -l gives me (among others)
Administrator::500:513:,S-1-...
mkpasswd -d DOMAIN doesn't generate a record with uid=500 at all

mkgroup -l gives me (among others)
None:S-...:513:
Administrators:S-...:544:

mkgroup -d doesn't generate group records with gid either 513 or 544
(it generates many others though)

So I'm a little confused - how can I get the correct sid for my uid/gid
combination? What's a proper way of getting correct passwd and groups
files?

Alexander
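
[Added example, not part of the original thread and not OpenSSH code.] The two failures discussed above, a missing authorized_keys (Corinna's note) and "bad ownership or modes" (the last sshd output), can be told apart before starting sshd with a pre-flight check. It assumes the usual sshd rule that the home directory, .ssh and authorized_keys must be owned by the user or uid 0 and carry no group or world write bit; the function names are hypothetical.

```sh
#!/bin/sh
# Added example: pre-flight check modelled on sshd's ownership/mode test.
# Function names are hypothetical; the sample directory is constructed.

# check_one PATH UID -> 0 = ok, 1 = bad ownership or modes, 2 = missing
check_one() {
    path=$1; want_uid=$2
    if [ ! -e "$path" ]; then
        echo "MISSING  $path (sshd only reports a refused key)"
        return 2
    fi
    # "ls -ldnL" prints the mode string and numeric owner,
    # e.g. "-rw------- 1 500 544 ...", following symlinks like stat().
    info=$(ls -ldnL "$path" | awk '{print $1, $3}')
    perms=${info% *}
    owner=${info#* }
    if [ "$owner" != 0 ] && [ "$owner" != "$want_uid" ]; then
        echo "BAD      $path (owner uid $owner, expected $want_uid or 0)"
        return 1
    fi
    case $perms in
        ?????w*|????????w*)   # 6th char = group write, 9th = world write
            echo "BAD      $path (group/world writable: $perms)"
            return 1 ;;
    esac
    echo "OK       $path ($perms, uid $owner)"
    return 0
}

# strict_modes_check HOME UID: walk home, .ssh and authorized_keys.
# Returns the first non-zero status found, else 0.
strict_modes_check() {
    home=$1; uid=$2; worst=0
    for p in "$home" "$home/.ssh" "$home/.ssh/authorized_keys"; do
        rc=0
        check_one "$p" "$uid" || rc=$?
        if [ "$rc" -ne 0 ] && [ "$worst" -eq 0 ]; then worst=$rc; fi
    done
    return "$worst"
}

# Constructed sample: a throwaway home with a group-writable authorized_keys.
demo() {
    d=$(mktemp -d) && mkdir "$d/.ssh" && : > "$d/.ssh/authorized_keys"
    chmod 700 "$d/.ssh"; chmod 664 "$d/.ssh/authorized_keys"
    strict_modes_check "$d" "$(id -u)"; rc=$?
    rm -rf "$d"
    return "$rc"
}

if [ "$#" -eq 2 ]; then strict_modes_check "$1" "$2"; else demo || true; fi
```

Run it as "sh check.sh /path/to/home 500" with the uid from the passwd entry; exit status 2 means a file is missing (for instance a misspelled name), 1 means sshd would refuse it for ownership or modes.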

