DMARC-Filter: OpenDMARC Filter v1.4.2 delorie.com 50HB2SQw625997
Authentication-Results: delorie.com; dmarc=pass (p=none dis=none) header.from=cygwin.com
Authentication-Results: delorie.com; spf=pass smtp.mailfrom=cygwin.com
DKIM-Filter: OpenDKIM Filter v2.11.0 delorie.com 50HB2SQw625997
Authentication-Results: delorie.com;
	dkim=pass (1024-bit key, unprotected) header.d=cygwin.com header.i=@cygwin.com header.a=rsa-sha256 header.s=default header.b=cGaHG+qj
X-Recipient: archive-cygwin AT delorie DOT com
DKIM-Filter: OpenDKIM Filter v2.11.0 sourceware.org DA76F384A423
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=cygwin.com;
	s=default; t=1737111746;
	bh=LUx4y53IAzaFBU1umE7Z6UBPlbfgwLyYFCRhpzHktjw=;
	h=Date:To:Cc:References:In-Reply-To:Subject:List-Id:
	 List-Unsubscribe:List-Archive:List-Post:List-Help:List-Subscribe:
	 From:Reply-To:From;
	b=cGaHG+qjbM5oOLfPFBTaI5rEJ7nW265IjJY2ORN8iqU4F1ZwU1qePFymrrvwWAEaY
	 F8KXLnuhvzGy9ZGD7uK8yfJNUuy9NJhZA0iSGmR2+bRVlsf1gUrfhuYoRnb7rwBcZ+
	 9mPHRZIcnNMATDR6bzMpY3BPtjYlz/Ofx01VEqoY=
X-Original-To: cygwin AT cygwin DOT com
Delivered-To: cygwin AT cygwin DOT com
DMARC-Filter: OpenDMARC Filter v1.4.2 sourceware.org 814F2384A46B
ARC-Filter: OpenARC Filter v1.0.0 sourceware.org 814F2384A46B
ARC-Seal: i=1; a=rsa-sha256; d=sourceware.org; s=key; t=1737111710; cv=none;
 b=pLxt9iKQS8bgKDYDMVmGstqPvsb2ybhelB+rGTui5oVOgMJlC/axZpLFvYjqKnd+IOVBxgkAgm5zJMuRonM/hSNEdy45gcmthUTibUgPXIWX1S2/04BJl7h/wnNqZ1Gh5j010M7zHsbb9cpdiwaZI/zkZfPonwE/fAHrPQ41Tfo=
ARC-Message-Signature: i=1; a=rsa-sha256; d=sourceware.org; s=key;
 t=1737111710; c=relaxed/simple;
 bh=tAkb8aGDchn+oabJm92R1GlzYQUES0gQBaZkoqTDVOc=;
 h=DKIM-Signature:Message-ID:Date:MIME-Version:To:From:Subject;
 b=VxTUXWLgE+0YDFbqT447S+Mih2rxuLIaWAwGWiiowHNwCba8P/tem3208jA2Z/wgJewPGfKDXeWLRaonzUHrk5DvEx81C6HhgYkUdyFYw78ewuWvfBauIcJmsBP3D+aAbO0h63ciS7++phEK32SHLZHRyzpua/BYZ0o3VeehTJ8=
ARC-Authentication-Results: i=1; server2.sourceware.org
DKIM-Filter: OpenDKIM Filter v2.11.0 sourceware.org 814F2384A46B
Message-ID: <6c39972b-43ef-4e32-a238-f2778f3cc4e5@emmenlauer.de>
Date: Fri, 17 Jan 2025 11:59:33 +0100
MIME-Version: 1.0
User-Agent: Mozilla Thunderbird
To: Andy Wood <andy DOT m DOT wood AT gmail DOT com>
Cc: "cygwin AT cygwin DOT com" <cygwin AT cygwin DOT com>
References: <LTQOVCXmc0omW9pKR5Kf2VV2rkqMLBgNy-HyfSog-h2-eEjbnJroxxEUCUTKQSQrMGXaZJ7FH2qocwS-hpfW3RveKOrq-HlRtJqh7NDg8w4=@proton.me>
 <CAL63K1XbYdKYGxacM-ifuakReCQefYB1K5MmWS2YuT2+La=RdQ AT mail DOT gmail DOT com>
Content-Language: en-US
In-Reply-To: <CAL63K1XbYdKYGxacM-ifuakReCQefYB1K5MmWS2YuT2+La=RdQ@mail.gmail.com>
X-SA-Exim-Connect-IP: 77.24.102.157
X-SA-Exim-Mail-From: mario AT emmenlauer DOT de
Subject: Re: sshd not working properly
X-SA-Exim-Version: 4.2.1 (built Tue, 16 Feb 2021 15:21:40 +0000)
X-SA-Exim-Scanned: Yes (on merope.marssoft.de)
X-BeenThere: cygwin AT cygwin DOT com
X-Mailman-Version: 2.1.30
Precedence: list
List-Id: General Cygwin discussions and problem reports <cygwin.cygwin.com>
List-Unsubscribe: <https://cygwin.com/mailman/options/cygwin>,
 <mailto:cygwin-request AT cygwin DOT com?subject=unsubscribe>
List-Archive: <https://cygwin.com/pipermail/cygwin/>
List-Post: <mailto:cygwin AT cygwin DOT com>
List-Help: <mailto:cygwin-request AT cygwin DOT com?subject=help>
List-Subscribe: <https://cygwin.com/mailman/listinfo/cygwin>,
 <mailto:cygwin-request AT cygwin DOT com?subject=subscribe>
From: Mario Emmenlauer via Cygwin <cygwin AT cygwin DOT com>
Reply-To: Mario Emmenlauer <mario AT emmenlauer DOT de>
Content-Type: text/plain; charset="utf-8"; Format="flowed"
Errors-To: cygwin-bounces~archive-cygwin=delorie DOT com AT cygwin DOT com
Sender: "Cygwin" <cygwin-bounces~archive-cygwin=delorie DOT com AT cygwin DOT com>
Content-Transfer-Encoding: 8bit
X-MIME-Autoconverted: from base64 to 8bit by delorie.com id 50HB2SQw625997


On 04.09.24 12:11, Andy Wood via Cygwin wrote:
> Running "passwd -R" for 'other_user', as suggested by the subject of
> the post, fixed the problems for me.
> 
> It looks like sshd isn't handling a login failure properly.
> 
> On Tue, Sep 3, 2024 at 7:57 PM Jim McNamara via Cygwin
> <cygwin AT cygwin DOT com> wrote:
>>
>>>> This looks like a bug. Can anyone help? Is there a work-around?
>>   Hi Andy,
>>
>> There was some chatter the last week or 2 on someone trying to get ssh to work. At the archive mailing list, you can read and see if that answers any of it.
>>
>> I thought the gist of it is that a cipher is being swapped out or something.
>>
>> Please read archives at the mailing list while you are waiting for a reply for the past week or 2 msgs.
>>
>> Also, the other person said they found out information in the release notes for cygwin that were kind of recent.


I am under the impression that there may be a misbehavior in more recent
Cygwin OpenSSH :-(

I observe the same problem as Andy Wood was having, and found another
very recent identical report at https://serverfault.com/q/1168457/473559.
Their cases, as well as mine, seem to share, that OpenSSH can no longer
correctly authenticate as a user without having the plain text password
stored in the registry.

In my case, this is exclusively limited to domain users. Local users
work correctly. I can see that at least one other report, the one at
Serverfault, is also for a domain user. Also, everything that is
reported at Serverfault applies basically identically to my case, i.e.
the connection being just dropped, and the only relevant message from
OpenSSH being "fatal: seteuid 4096: Function not implemented".


Here more details about my setup:
I'm using current latest Cygwin 3.5.5-1, with OpenSSH version 9.9p1-1.
OpenSSH is installed as the Windows service, setup was performed with
the Cygwin OpenSSH setup script, strict permissions are enabled. I did
check that the service is running as "Local System". I did not set a
plaintext password (due to security considerations), so I do not know
if this would help. However, I can say that local Windows user accounts
just work, was they always did.

I've tested this on three different machines, all with latest Windows
and all updates from today, and the same version of Cygwin and OpensSSH.
I've also tested this with at least two different domain users, albeit
from the same Windows domain.

I've read the README, and followed basically all the tutorials and
docs on the Cygwin website that I could find. Particularly, I understand
https://cygwin.com/cygwin-ug-net/ntsec.html#ntsec-nopasswd1 so that the
login should work even for domain users without plaintext password,
then OpenSSH is running under the SYSTEM account. This does not work
for me.

I also digged through the mail archive. The only relevant discussion,
with a possible relation to OpenSSH that I could find was the following:
https://cygwin.com/pipermail/cygwin/2024-February/255503.html But I
may read this wrong, so please forgive if this is not helping.

Any help would be greatly appreciated!

All the best,

     Mario Emmenlauer



-- 
Problem reports:      https://cygwin.com/problems.html
FAQ:                  https://cygwin.com/faq/
Documentation:        https://cygwin.com/docs.html
Unsubscribe info:     https://cygwin.com/ml/#unsubscribe-simple