Message-id: <4F2A1363.6020206@cygwin.com>
Date: Wed, 01 Feb 2012 23:38:59 -0500
From: "Larry Hall (Cygwin)"
Reply-to: cygwin AT cygwin DOT com
To: cygwin AT cygwin DOT com
Subject: Re: IBM ssh gateway
References: <201202011046 DOT 40681 DOT swampdog AT ntlworld DOT com>
 <201202011442 DOT 50193 DOT swampdog AT ntlworld DOT com>
 <4F297EA3 DOT 20008 AT cygwin DOT com>
 <201202012311 DOT 29012 DOT swampdog AT ntlworld DOT com>
In-reply-to: <201202012311.29012.swampdog@ntlworld.com>

On 2/1/2012 6:11 PM, Guy Harrison wrote:
> On Wednesday 01 February 2012 18:04:19 Larry Hall (Cygwin) wrote:
>> On 2/1/2012 9:42 AM, Guy Harrison wrote:
>>> Hi Ryan,
>>>
>>> On Wednesday 01 February 2012 13:43:32 Ryan Johnson wrote:
>>>> On 01/02/2012 5:46 AM, Guy Harrison wrote:
>>>>> Hi Folks,
>>>>>
>>>>> Can anyone help interpret this? I am fairly certain the problem lies
>>>>> with IBM but I am no crypto expert. Is (for instance) the server
>>>>> rejecting the connection because (say) it does not understand ECDSA?
>>>>> Unfortunately I do not have an older instance of cygwin ssh to try
>>>>> that theory out. The failure is recent. I upgraded my cygwin
>>>>> instances over xmas.
>>>>>
>>>>> My primary concern is that the latter (linux) connection (after ~~~)
>>>>> may fail after a future upgrade.
>>>>
>>>> I would definitely check with your local network security folks. When
>>>> I was last at IBM I had trouble connecting from a certain machine --
>>>> just that one -- and nobody could figure out why. Finally, it turned
>>>> out that I had a lot of locales installed and the long list of
>>>> supported languages announced by my ssh client triggered some firewall
>>>> rule.
>>>
>>> Unfortunately I forgot to mention the problem occurs both from my home
>>> network and via my work network (which I could easily have believed was
>>> at fault - they've messed with it a lot recently). The ~~~ linux box
>>> above connects via my home network but I have an aix box at work that
>>> also connects successfully whereas work cygwin (that's on XP) fails in
>>> the same fashion as my original post.
>>
>> So you're defining a successful connection as one where any key file is
>> ignored/invalidated and you're left to login with your password?
>
> Yes. Only password authentication is allowed on that IP address. Once
> connected, it is possible to connect to virtual machines we have set up via
> our company account. Ordinarily our usual scenario is to connect to the
> gateway with a username plus forward some local ports..
>
> $ ssh \
>   -L "$RHE55_SSH"":""$RHE55":22 \
>   -L "$RHE55_VNC"":""$RHE55":5900 \
>   -L "$RHE55_SQL"":""$RHE55":3306 \
>   \
>   "$SSH_USER"@"$SSH_GATE"
>
> ..which will facilitate subsequent key authentication via the local port..
>
> $ ssh -p $RHE55_SSH -YC \
>   -o UserKnownHostsFile=/dev/null \
>   -o StrictHostKeyChecking=no \
>   $SSH_USER@localhost "$@"
>
> ..unfortunately I can't post the value for SSH_USER but as previously posted
> SSH_GATE is "198.81.193.104". Is it possible for others to try..
> $ ssh -vv 198.81.193.104
> ..as that's enough to trigger the fault.

Indeed. I do see that even if I limit authentication methods to password.
And it does go through OK if I use a web client (serfish).

-- 
Larry

_____________________________________________________________________

A: Yes.
> Q: Are you sure?
>> A: Because it reverses the logical flow of conversation.
>>> Q: Why is top posting annoying in email?
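
Added example, not part of the original message or of anyone's posted setup: the two-hop command lines quoted in the thread, rebuilt so that the second hop keeps host-key checking on by giving the forwarded port a stable HostKeyAlias and its own known_hosts file, in place of UserKnownHostsFile=/dev/null with StrictHostKeyChecking=no. The alias, known_hosts path, host names and user are hypothetical, and StrictHostKeyChecking=accept-new assumes OpenSSH 7.6 or later.

```shell
#!/bin/sh
# Added example, not from the thread. Hypothetical names: the alias
# "rhe55-via-gate", the known_hosts path, and the constructed demo values.

# Succeeds only for a decimal TCP port in 1..65535.
valid_port() {
    case $1 in ''|*[!0-9]*|??????*) return 1 ;; esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# Print "-L 127.0.0.1:<local>:<target>:<remote>" for each local:remote pair.
# $1 = host behind the gateway; remaining args = local_port:remote_port.
# Binding to 127.0.0.1 keeps the forwards off other interfaces.
forward_args() {
    target=$1; shift
    out=
    for pair in "$@"; do
        case $pair in *:*) ;; *) return 1 ;; esac
        lport=${pair%%:*}; rport=${pair##*:}
        valid_port "$lport" && valid_port "$rport" || return 1
        out="$out -L 127.0.0.1:$lport:$target:$rport"
    done
    printf '%s\n' "${out# }"
}

# Options for the second hop to localhost:<forwarded port>.
# HostKeyAlias stores and checks the key under a stable name rather than
# "[localhost]:port", so several forwarded hosts do not collide in
# known_hosts and checking does not have to be switched off.
# accept-new (assumed: OpenSSH 7.6+) records the key on first contact and
# refuses a changed key later; use "yes" once the key has been pinned.
# $1 = alias, $2 = forwarded local port, $3 = dedicated known_hosts file.
second_hop_args() {
    valid_port "$2" || return 1
    printf '%s\n' "-p $2 -o HostKeyAlias=$1 -o UserKnownHostsFile=$3 -o StrictHostKeyChecking=accept-new"
}

# Demo with constructed values (the thread does not give the real ones).
RHE55=rhe55.example.internal
KH="$HOME/.ssh/known_hosts.gateway"
echo "ssh $(forward_args "$RHE55" 2222:22 5900:5900 3306:3306) user@gateway.example"
echo "ssh $(second_hop_args rhe55-via-gate 2222 "$KH") user@localhost"
```

The script only prints the two command lines; it never opens a connection.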