Mailing-List: contact cygwin-help AT cygwin DOT com; run by ezmlm
List-Subscribe: <mailto:cygwin-subscribe AT cygwin DOT com>
List-Archive: <http://sources.redhat.com/ml/cygwin/>
List-Post: <mailto:cygwin AT cygwin DOT com>
List-Help: <mailto:cygwin-help AT cygwin DOT com>, <http://sources.redhat.com/ml/#faqs>
Sender: cygwin-owner AT cygwin DOT com
Mail-Followup-To: cygwin AT cygwin DOT com
Delivered-To: mailing list cygwin AT cygwin DOT com
Date: Thu, 19 Jun 2003 15:15:54 +0100
From: Rob Andrews <rob AT jml DOT net>
To: cygwin AT cygwin DOT com
Subject: Can't use pubkey auth with OpenSSH 3.6p1 under Windows Server 2003.
Message-ID: <20030619141554.GA17304@jml.net>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.4i

Having installed cygwin network install and OpenSSH 3.6p1 on Windows Server
2003, I've come across a problem.

Previously, under Windows 2000 Advanced Server, we'd been able to use
pubkey authentication, but now it seems to fail, leaving password
authentication the only option (not great for automation purposes).

Notably, when using password auth:

[~] -> ssh -l administrator 192.168.1.34
administrator AT 192 DOT 168 DOT 1 DOT 34's password:
Fanfare!!!
You are successfully logged in to this server!!!

Administrator AT scorpion ~
$
[snip]

But when specifying a password-less key:

[~] -> ssh -i mykey -l administrator 192.168.1.34
Fanfare!!!
You are successfully logged in to this server!!!
Connection to 192.168.1.34 closed.

Here's a complete output of ssh -v:

[~] -> ssh -v -i mykey -l administrator 192.168.1.34
OpenSSH_3.1p1, SSH protocols 1.5/2.0, OpenSSL 0x0090602f
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Rhosts Authentication disabled, originating port will not be trusted.
debug1: restore_uid
debug1: ssh_connect: getuid 506 geteuid 0 anon 1
debug1: Connecting to 192.168.1.34 [192.168.1.34] port 22.
debug1: temporarily_use_uid: 506/300 (e=0)
debug1: restore_uid
debug1: temporarily_use_uid: 506/300 (e=0)
debug1: restore_uid
debug1: Connection established.
debug1: read PEM private key done: type DSA
debug1: read PEM private key done: type RSA
debug1: identity file mykey type -1
debug1: Remote protocol version 2.0, remote software version OpenSSH_3.6.1p1
debug1: match: OpenSSH_3.6.1p1 pat OpenSSH*
Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_3.1p1
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes128-cbc hmac-md5 none
debug1: kex: client->server aes128-cbc hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug1: dh_gen_key: priv key bits set: 120/256
debug1: bits set: 1595/3191
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug1: Host '192.168.1.34' is known and matches the RSA host key.
debug1: Found key in /home/rob/.ssh/known_hosts:24
debug1: bits set: 1583/3191
debug1: ssh_rsa_verify: signature correct
debug1: kex_derive_keys
debug1: newkeys: mode 1
debug1: SSH2_MSG_NEWKEYS sent
debug1: waiting for SSH2_MSG_NEWKEYS
debug1: newkeys: mode 0
debug1: SSH2_MSG_NEWKEYS received
debug1: done: ssh_kex2.
debug1: send SSH2_MSG_SERVICE_REQUEST
debug1: service_accept: ssh-userauth
debug1: got SSH2_MSG_SERVICE_ACCEPT
debug1: authentications that can continue: publickey,password,keyboard-interactive
debug1: next auth method to try is publickey
debug1: userauth_pubkey_agent: testing agent key /home/rob/.ssh/id_dsa
debug1: authentications that can continue: publickey,password,keyboard-interactive
debug1: try privkey: mykey
debug1: read PEM private key done: type RSA
debug1: ssh-userauth2 successful: method publickey
debug1: channel 0: new [client-session]
debug1: send channel open 0
debug1: Entering interactive session.
debug1: ssh_session2_setup: id 0
debug1: channel request 0: pty-req
debug1: channel request 0: shell
debug1: fd 3 setting TCP_NODELAY
debug1: channel 0: open confirm rwindow 0 rmax 32768
Fanfare!!!
You are successfully logged in to this server!!!
debug1: channel 0: rcvd eof
debug1: channel 0: output open -> drain
debug1: channel 0: obuf empty
debug1: channel 0: close_write
debug1: channel 0: output drain -> closed
debug1: client_input_channel_req: channel 0 rtype exit-status reply 0
debug1: channel 0: rcvd close
debug1: channel 0: close_read
debug1: channel 0: input open -> closed
debug1: channel 0: almost dead
debug1: channel 0: gc: notify user
debug1: channel 0: gc: user detached
debug1: channel 0: send close
debug1: channel 0: is dead
debug1: channel 0: garbage collecting
debug1: channel_free: channel 0: client-session, nchannels 1
Connection to 192.168.1.34 closed.
debug1: Transferred: stdin 0, stdout 0, stderr 36 bytes in 0.3 seconds
debug1: Bytes per second: stdin 0.0, stdout 0.0, stderr 140.2
debug1: Exit status 255

Whilst the Win2k3 event log says:
sshd: PID 2552: Accepted publickey for administrator from 192.168.1.155 port 38555 ssh2.
sshd: PID 2828: Accepted publickey for administrator from 192.168.1.155 port 38555 ssh2.
sshd: PID 2864: fatal: setuid 544: Permission denied.
sshd: PID 2552: syslogin_perform_logout: logout() returned an error.

Is there something *really* stupid that I'm missing? All necessary keys are in
place, /etc/passwd and /etc/group have been created correctly and checked
against the output of mkpasswd/mkgroup, and I can ssh in using password auth,
but I completely fail to be able to use key-based authentication.

-- 
rob                                                          rob AT jml DOT net

--
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple
Problem reports:       http://cygwin.com/problems.html
Documentation:         http://cygwin.com/docs.html
FAQ:                   http://cygwin.com/faq/