From: René Berber
To: cygwin AT cygwin DOT com
Subject: Re: sshd+ssh localhost connects, but don't reach the shell
Date: Tue, 30 May 2006 18:00:44 -0500

Vilar Camara wrote:
[snip]
> Now that's strange: in that verbose list there is no program listening
> on port 22. The only reference to sshd is in the following block:
>
>   UDP    127.0.0.1:2186         *:*                                    2848
>   C:\WINDOWS\system32\ZoneLabs\vetredir.dll
>   C:\WINDOWS\system32\imslsp.dll
>   C:\WINDOWS\system32\ws2_32.dll
>   C:\cygwin\bin\cygwin1.dll
>   [sshd.exe]
>
> The first DLL is a ZoneAlarm (firewall) one. This is curious, because
> that DLL is around even if the firewall is off. (The service related to
> ZA's firewall is called "TrueVector" and it is stopped in the Services
> list.) The port (2186) varies from run to run.

Your test is better than mine, when I tried
'netstat -anbv | grep -B 4 -A 2 "ssh"' I got:

...
>   TCP    0.0.0.0:22             0.0.0.0:0              LISTENING       2000
>   [sshd.exe]
...
> --
>
>   UDP    127.0.0.1:1051         *:*                                    2000
>   C:\WINDOWS\system32\ws2_32.dll
>   C:\Cygwin\bin\cygwin1.dll
>   C:\cygwin\usr\sbin\sshd.exe
>   -- unknown component(s) --
>   C:\WINDOWS\system32\kernel32.dll
>   [sshd.exe]

So the difference is very significant: sshd was not able to bind to port 22,
we don't really know what program is listening to that port, and the UDP port
is probably used by cygrunsrv (the program used to control sshd as service --
that's how services are installed under Cygwin)... and there is the dreaded
firewall dll.

> But it appears in: netstat -an | grep ":22"
>
>   TCP    0.0.0.0:22             0.0.0.0:0              LISTENING
>
> Not all entries listed by -an appear on -anbv.

Perhaps the firewall is using some stealth trick, I don't know.

>> Also check: ps -a | grep sshd
>> before and during a test. Is the UID 18? does the process have any
>> suspend flags?
>
> Changed to "ps -a | grep ssh" to include the client.
> Before test:
>
>      3676     436    3676    2392    ?   18 17:52:14 /usr/sbin/sshd
>
> During test:
>
>      3676     436    3676    2392    ?   18 17:52:14 /usr/sbin/sshd
> I    4060     604    4060    2512    0 1003 17:54:12 /usr/bin/ssh
>      1560    3676    1560    2812    ?   18 17:54:12 /usr/sbin/sshd
>
> That "I" on the client is significant, but as far as we've been
> discussing this is somewhat expected (but not desired :-( ).

It is bad, but it is as we suspected: the client is connected to something and
it is waiting for input. I think it is not connected to the sshd server but
something that passes the connection later to sshd which spawns the 2nd sshd
that should continue using another port... and that probably never happens so
the client is kept waiting.

[snip]
> It can't proceed: it stops after the message "strace: couldn't attach to
> pid 3844 for debugging".

3844? You mean 1560 or you are reporting about two different tests.

> Doing strace to the original sshd.exe (the non-spawned one) reveals that
> tons of things happen when I run "ssh localhost", but I can't interpret
> all that gibberish output.

Not gibberish, probably Windows function calls (OK, close to gibberish) but the
main server is not interesting, it just spawns the real server.

> After all, I'm really suspicious about that ZoneAlarm DLL. But I think I
> can only purge it if I uninstall the firewall. Oh my.

Mmmm, OK everyone in favor of "Nuke the firewall" raise their hands :-)

Just kidding! Do both of your computers have the same firewall?
-- 
René Berber
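
The comparison made in the message above (a listener that `netstat -an` shows on port 22 but that `netstat -anbv` does not attribute to sshd.exe) can be checked mechanically. The script below is an added example, not part of the original message: the function names are hypothetical and the sample text is constructed to mirror the listings quoted in the thread.

```sh
#!/bin/sh
# Added example: classify who owns a TCP listener, from saved netstat text.
# port_owner/diagnose are hypothetical names; the samples are constructed.

# Read `netstat -an`, `-anb` or `-anbv` text on stdin and print "PID EXE" for
# each TCP listener on port $1 ("-" / "unknown" when a column is not present).
port_owner() {
  awk -v port="$1" '
    function emit() { if (hit) print pid, (exe == "" ? "unknown" : exe); hit = 0; exe = "" }
    { sub(/\r$/, "") }                     # tolerate Windows CRLF line ends
    $1 == "TCP" || $1 == "UDP" {           # a new socket line closes the previous block
      emit()
      if ($1 == "TCP" && $4 == "LISTENING" && $2 ~ (":" port "$")) {
        hit = 1; pid = ($5 == "" ? "-" : $5)
      }
      next
    }
    # the first [name] line after the socket line names the owning executable
    hit && exe == "" && /^[ \t]*\[.*\][ \t]*$/ { exe = $0; gsub(/^[ \t]*\[|\][ \t]*$/, "", exe) }
    END { emit() }'
}

# diagnose PORT AN_TEXT ANB_TEXT -> sshd | other:<exe> | unattributed | not-listening
diagnose() {
  [ -n "$(printf '%s\n' "$2" | port_owner "$1")" ] || { echo not-listening; return; }
  owner=$(printf '%s\n' "$3" | port_owner "$1" | awk 'NR == 1 { print $2 }')
  case "$owner" in
    "")       echo unattributed ;;   # in -an but missing from -anb: the case in the thread
    sshd.exe) echo sshd ;;
    *)        echo "other:$owner" ;;
  esac
}

# Constructed samples modelled on the two listings in the thread.
AN_SAMPLE='  TCP    0.0.0.0:22             0.0.0.0:0              LISTENING'
ANB_GOOD='  TCP    0.0.0.0:22             0.0.0.0:0              LISTENING       2000
  [sshd.exe]
  UDP    127.0.0.1:1051         *:*                                    2000
  C:\WINDOWS\system32\ws2_32.dll
  [sshd.exe]'
ANB_BAD='  UDP    127.0.0.1:2186         *:*                                    2848
  C:\WINDOWS\system32\ZoneLabs\vetredir.dll
  C:\cygwin\bin\cygwin1.dll
  [sshd.exe]'

diagnose 22 "$AN_SAMPLE" "$ANB_BAD"
```

On a live system the two text arguments would come from saved `netstat -an` and `netstat -anb` output taken at the same moment.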