Date: Thu, 21 Jun 2007 10:59:50 -0300
From: gga <ggarra AT advancedsl DOT com DOT ar>
Subject: Re: ssh configuration
In-reply-to: <467A7116.2060402@cygwin.com>
To: cygwin AT cygwin DOT com
Message-id: <467A8456.6030402@advancedsl.com.ar>
MIME-version: 1.0
Content-type: text/plain; charset=UTF-8
Content-transfer-encoding: 8BIT
References: <467A518D DOT 5040400 AT advancedsl DOT com DOT ar> <467A7116 DOT 2060402 AT cygwin DOT com>
User-Agent: Thunderbird 1.5.0.12 (X11/20070604)
Mailing-List: contact cygwin-help AT cygwin DOT com; run by ezmlm
Precedence: bulk
Sender: cygwin-owner AT cygwin DOT com
Mail-Followup-To: cygwin AT cygwin DOT com

Larry Hall (Cygwin) wrote:
>>
>> Here's the full info:
>>
>>> /usr/sbin/sshd.exe -d -d -d -D
>
> Running 'sshd.exe' as anyone other than SYSTEM (on WinXP and earlier
O/S's)
> is not recommended.  See the email archives for a recipe about how to get
> a SYSTEM-owned shell to run 'sshd.exe' from if you want to run it from a
> shell.

Well, this is mainly just a test to see the output of sshd.  sshd will
still get started by a service (presumably running under root) using
cygrunsrv.

>
> You certainly need to ru ssh-user-config to log through the 'sshd'
> server, so this is the correct thing to do.

Ok... so, I've done it.  Here's the new log (with ugly errors), from ssh.


OpenSSH_4.6p1, OpenSSL 0.9.8e 23 Feb 2007
debug1: Reading configuration data /etc/ssh_config
debug1: Applying options for *
debug2: ssh_connect: needpriv 0
debug1: Connecting to localhost [127.0.0.1] port 22.
debug1: Connection established.
debug1: identity file /home/gga/.ssh/identity type 0
debug3: Not a RSA1 key file /home/gga/.ssh/id_rsa.
debug2: key_type_from_name: unknown key type '-----BEGIN'
debug3: key_read: missing keytype
debug2: key_type_from_name: unknown key type 'Proc-Type:'
debug3: key_read: missing keytype
debug2: key_type_from_name: unknown key type 'DEK-Info:'
debug3: key_read: missing keytype
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug2: key_type_from_name: unknown key type '-----END'
debug3: key_read: missing keytype
debug1: identity file /home/gga/.ssh/id_rsa type 1
debug3: Not a RSA1 key file /home/gga/.ssh/id_dsa.
debug2: key_type_from_name: unknown key type '-----BEGIN'
debug3: key_read: missing keytype
debug2: key_type_from_name: unknown key type 'Proc-Type:'
debug3: key_read: missing keytype
debug2: key_type_from_name: unknown key type 'DEK-Info:'
debug3: key_read: missing keytype
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug2: key_type_from_name: unknown key type '-----END'
debug3: key_read: missing keytype
debug1: identity file /home/gga/.ssh/id_dsa type 2
ssh_exchange_identification: read: Software caused connection abort

>>
>> More info:
>> - cygwin is installed on a FAT partition of a WinXP (SP1) box, with
>> latest patches.
> 
> Ugh!  You'll need to turn off 'StrictModes' in '/etc/sshd_config' for
> this to work.  And that disables a large part of the security you get
> from OpenSSH.  You should really consider switching to NTFS if you plan
> to use OpenSSH as any kind of security mechanism.
> 

It was already off in the log I sent.  Why does it affect security so
badly (other than of course allowing any intruder to change the .ssh
dotfiles for any account if he logs in)?
My idea is to have openssh working only within my lan with this box (ie.
ignore outside connections thanks to my firewall/hosts.deny file).


>> - I have at least one user without a password.  I've also gone and
>> modified the ssh configuration file to add in sshd_config:
>>      PermitEmptyPasswords no
> 
> Perhaps this answers the question about whether you're looking for
> security from OpenSSH. ;-)

Hopefully not.  I really cannot ask the user to login with a password
(he is too old a person) and I don't care too much about the security
within the LAN.
However, I do care about the security exposed to the net, and I want to
make sure this account without a password does not compromise security.
 Under linux, PermitEmptyPasswords should do that for ssh connections.
I'm hoping this is the same for cygwin.

> 
> 'Off' for some firewalls is the same as 'On'.  They can be buggy.  Try
> opening port 22 (assuming you didn't change this) for OpenSSH or
> uninstalling the firewall as a test.
> 

Port 22 is already open, but I'm testing without the firewall just in
case, too.  I'm using Filseclab Free Firewall, btw.


-- 
Gonzalo Garramuño
ggarra AT advancedsl DOT com DOT ar

AMD4400 - ASUS48N-E
GeForce7300GT
Kubuntu Edgy

--
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple
Problem reports:       http://cygwin.com/problems.html
Documentation:         http://cygwin.com/docs.html
FAQ:                   http://cygwin.com/faq/