Date: Thu, 21 Jun 2007 10:46:56 -0300
From: gga
Subject: Re: ssh configuration
To: cygwin AT cygwin DOT com
Message-id: <467A8150.1050401@advancedsl.com.ar>
In-reply-to: <467A7116.2060402@cygwin.com>

Larry Hall (Cygwin) wrote:
>>
>> Here's the full info:
>>
>>> /usr/sbin/sshd.exe -d -d -d -D
>
> Running 'sshd.exe' as anyone other than SYSTEM (on WinXP and earlier O/S's)
> is not recommended. See the email archives for a recipe about how to get
> a SYSTEM-owned shell to run 'sshd.exe' from if you want to run it from a
> shell.

Well, this is mainly just a test to see the output of sshd. sshd will still
get started by a service (presumably running under root) using cygrunsrv.

>
> You certainly need to run ssh-user-config to log in through the 'sshd'
> server, so this is the correct thing to do.

Ok... so, I've done it. Here's the new log (with ugly errors), from ssh.

OpenSSH_4.6p1, OpenSSL 0.9.8e 23 Feb 2007
debug1: Reading configuration data /etc/ssh_config
debug1: Applying options for *
debug2: ssh_connect: needpriv 0
debug1: Connecting to localhost [127.0.0.1] port 22.
debug1: Connection established.
debug1: identity file /home/gga/.ssh/identity type 0
debug3: Not a RSA1 key file /home/gga/.ssh/id_rsa.
debug2: key_type_from_name: unknown key type '-----BEGIN'
debug3: key_read: missing keytype
debug2: key_type_from_name: unknown key type 'Proc-Type:'
debug3: key_read: missing keytype
debug2: key_type_from_name: unknown key type 'DEK-Info:'
debug3: key_read: missing keytype
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug2: key_type_from_name: unknown key type '-----END'
debug3: key_read: missing keytype
debug1: identity file /home/gga/.ssh/id_rsa type 1
debug3: Not a RSA1 key file /home/gga/.ssh/id_dsa.
debug2: key_type_from_name: unknown key type '-----BEGIN'
debug3: key_read: missing keytype
debug2: key_type_from_name: unknown key type 'Proc-Type:'
debug3: key_read: missing keytype
debug2: key_type_from_name: unknown key type 'DEK-Info:'
debug3: key_read: missing keytype
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug2: key_type_from_name: unknown key type '-----END'
debug3: key_read: missing keytype
debug1: identity file /home/gga/.ssh/id_dsa type 2
ssh_exchange_identification: read: Software caused connection abort

>>
>> More info:
>> - cygwin is installed on a FAT partition of a WinXP (SP1) box, with
>> latest patches.
>
> Ugh! You'll need to turn off 'StrictModes' in '/etc/sshd_config' for
> this to work. And that disables a large part of the security you get
> from OpenSSH. You should really consider switching to NTFS if you plan
> to use OpenSSH as any kind of security mechanism.
>

Interesting. Can you explain to me why the file system affects the security
of sshd? I'll admit I don't understand this. Why does ssh care about it?

>> - I have at least one user without a password. I've also gone and
>> modified the ssh configuration file to add in sshd_config:
>> PermitEmptyPasswords no
>
> Perhaps this answers the question about whether you're looking for
> security from OpenSSH. ;-)

Hopefully not. I really cannot ask the user to log in with a password (he is
too old a person) and I don't care too much about the security within the
LAN. However, I do care about the security exposed to the net, and I want to
make sure this account without a password does not compromise security.
Under linux, PermitEmptyPasswords should do that for ssh connections. I'm
hoping this is the same for cygwin.

>
> 'Off' for some firewalls is the same as 'On'. They can be buggy. Try
> opening port 22 (assuming you didn't change this) for OpenSSH or
> uninstalling the firewall as a test.
>

Port 22 is already open, but I'm testing without the firewall just in case,
too. I'm using Filseclab Free Firewall, btw.

--
Gonzalo Garramuño
ggarra AT advancedsl DOT com DOT ar
AMD4400 - ASUS48N-E GeForce7300GT
Kubuntu Edgy
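Why sshd cares about the file system, as an added illustration that is not part of this thread: a Python reimplementation of the ownership and permission check sshd performs when StrictModes is on (the logic of secure_filename() in auth.c, paraphrased), run over two constructed permission chains, one NTFS-like and one FAT-like. The paths, uid and modes are made up for the example.

```python
import stat
from pathlib import Path

# sshd's StrictModes check (the logic of secure_filename() in auth.c, paraphrased):
# authorized_keys, ~/.ssh and every directory from there up to and including
# $HOME must be owned by the user (or root) and must not be group- or
# world-writable.  Cygwin on a FAT volume cannot store real owner or permission
# bits, so every entry looks world-writable and the check fails for all of them.

def check_entry(path, owner_uid, mode, user_uid):
    """StrictModes complaints for one path; an empty list means it passes."""
    problems = []
    if owner_uid not in (user_uid, 0):
        problems.append(f"{path}: bad owner uid {owner_uid}")
    if mode & (stat.S_IWGRP | stat.S_IWOTH):
        problems.append(f"{path}: group or world writable (mode {oct(mode & 0o777)})")
    return problems


def strict_modes(entries, user_uid):
    """entries: (path, owner_uid, mode) tuples from the key file up to $HOME."""
    problems = []
    for path, owner_uid, mode in entries:
        problems.extend(check_entry(path, owner_uid, mode, user_uid))
    return problems


def strict_modes_fs(authorized_keys, home, user_uid):
    """Same check against the live filesystem: key file, then each parent up to home."""
    entries, p, home_p = [], Path(authorized_keys).resolve(), Path(home).resolve()
    while True:
        st = p.stat()
        entries.append((str(p), st.st_uid, st.st_mode))
        if p == home_p or p.parent == p:   # stop at $HOME (or at / as a safety net)
            break
        p = p.parent
    return strict_modes(entries, user_uid)


# Constructed sample chains (made-up uid, paths and modes, not real stat output).
NTFS_LIKE = [("/home/gga/.ssh/authorized_keys", 1000, 0o100600),
             ("/home/gga/.ssh", 1000, 0o40700),
             ("/home/gga", 1000, 0o40755)]
FAT_LIKE = [("/home/gga/.ssh/authorized_keys", 1000, 0o100777),
            ("/home/gga/.ssh", 1000, 0o40777),
            ("/home/gga", 1000, 0o40777)]

if __name__ == "__main__":
    print("NTFS-like:", strict_modes(NTFS_LIKE, 1000) or "OK")
    print("FAT-like:", *strict_modes(FAT_LIKE, 1000), sep="\n  ")
```

Turning StrictModes off makes sshd skip exactly this check, so a file another local account can write to (an authorized_keys it can append to, for instance) is then trusted without complaint.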