This is the mail archive of the cygwin mailing list for the Cygwin project.



Re: ssh configuration


Larry Hall (Cygwin) wrote:
>>
>> Here's the full info:
>>
>>> /usr/sbin/sshd.exe -d -d -d -D
>
> Running 'sshd.exe' as anyone other than SYSTEM (on WinXP and earlier O/S's)
> is not recommended.  See the email archives for a recipe about how to get
> a SYSTEM-owned shell to run 'sshd.exe' from if you want to run it from a
> shell.

Well, this is mainly just a test to see the output of sshd.  sshd will
still get started by a service (presumably running under root) using
cygrunsrv.

>
> You certainly need to run ssh-user-config to log through the 'sshd'
> server, so this is the correct thing to do.

Ok... so, I've done it.  Here's the new log (with ugly errors), from ssh.


OpenSSH_4.6p1, OpenSSL 0.9.8e 23 Feb 2007
debug1: Reading configuration data /etc/ssh_config
debug1: Applying options for *
debug2: ssh_connect: needpriv 0
debug1: Connecting to localhost [127.0.0.1] port 22.
debug1: Connection established.
debug1: identity file /home/gga/.ssh/identity type 0
debug3: Not a RSA1 key file /home/gga/.ssh/id_rsa.
debug2: key_type_from_name: unknown key type '-----BEGIN'
debug3: key_read: missing keytype
debug2: key_type_from_name: unknown key type 'Proc-Type:'
debug3: key_read: missing keytype
debug2: key_type_from_name: unknown key type 'DEK-Info:'
debug3: key_read: missing keytype
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug2: key_type_from_name: unknown key type '-----END'
debug3: key_read: missing keytype
debug1: identity file /home/gga/.ssh/id_rsa type 1
debug3: Not a RSA1 key file /home/gga/.ssh/id_dsa.
debug2: key_type_from_name: unknown key type '-----BEGIN'
debug3: key_read: missing keytype
debug2: key_type_from_name: unknown key type 'Proc-Type:'
debug3: key_read: missing keytype
debug2: key_type_from_name: unknown key type 'DEK-Info:'
debug3: key_read: missing keytype
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug2: key_type_from_name: unknown key type '-----END'
debug3: key_read: missing keytype
debug1: identity file /home/gga/.ssh/id_dsa type 2
ssh_exchange_identification: read: Software caused connection abort

>>
>> More info:
>> - cygwin is installed on a FAT partition of a WinXP (SP1) box, with
>> latest patches.
> 
> Ugh!  You'll need to turn off 'StrictModes' in '/etc/sshd_config' for
> this to work.  And that disables a large part of the security you get
> from OpenSSH.  You should really consider switching to NTFS if you plan
> to use OpenSSH as any kind of security mechanism.
> 

Interesting.  Can you explain to me why the file system affects the
security of sshd?  I'll admit I don't understand this.  Why does ssh
care about it?

>> - I have at least one user without a password.  I've also gone and
>> modified the ssh configuration file to add in sshd_config:
>>      PermitEmptyPasswords no
> 
> Perhaps this answers the question about whether you're looking for
> security from OpenSSH. ;-)

Hopefully not.  I really cannot ask the user to login with a password
(he is too old a person) and I don't care too much about the security
within the LAN.
However, I do care about the security exposed to the net, and I want to
make sure this account without a password does not compromise security.
 Under linux, PermitEmptyPasswords should do that for ssh connections.
I'm hoping this is the same for cygwin.

> 
> 'Off' for some firewalls is the same as 'On'.  They can be buggy.  Try
> opening port 22 (assuming you didn't change this) for OpenSSH or
> uninstalling the firewall as a test.
> 

Port 22 is already open, but I'm testing without the firewall just in
case, too.  I'm using Filseclab Free Firewall, btw.


-- 
Gonzalo Garramuño
ggarra@advancedsl.com.ar

AMD4400 - ASUS48N-E
GeForce7300GT
Kubuntu Edgy
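
On the question of why the file system matters to sshd, the following added example (not part of the original message and not OpenSSH code) approximates the ownership and mode test that 'StrictModes yes' applies to a user's key files. A file system that stores no POSIX owner or permission bits, such as FAT, cannot record the tight modes this test looks for. The function name check_secure_path and the temporary directory layout are assumptions made for the demonstration.

```shell
#!/bin/sh
# Added example (not from the thread). Approximates the test sshd applies to
# a user's key files when "StrictModes yes" is set: each path from the file
# up to the home directory must be owned by the user or root (uid 0) and
# must not be writable by group or others.

# check_secure_path FILE HOME UID
# Prints the first offending path; returns 0 = ok, 1 = rejected, 2 = stat error.
check_secure_path() {
    cur=$1 home=$2 uid=$3
    while :; do
        owner=$(stat -c '%u' "$cur") || return 2
        mode=$(stat -c '%a' "$cur") || return 2
        if [ "$owner" != "$uid" ] && [ "$owner" != "0" ]; then
            echo "bad owner uid=$owner: $cur"
            return 1
        fi
        # Leading 0 makes the shell read the mode as octal; 022 = g+w | o+w.
        if [ $(( 0$mode & 022 )) -ne 0 ]; then
            echo "bad mode $mode: $cur"
            return 1
        fi
        if [ "$cur" = "$home" ] || [ "$cur" = "/" ]; then
            return 0
        fi
        cur=$(dirname "$cur")
    done
}

# Constructed demo: a throwaway "home" with an authorized_keys file.
demo_home=$(mktemp -d)
mkdir "$demo_home/.ssh"
: > "$demo_home/.ssh/authorized_keys"
chmod 755 "$demo_home"
chmod 700 "$demo_home/.ssh"
chmod 600 "$demo_home/.ssh/authorized_keys"
me=$(id -u)

check_secure_path "$demo_home/.ssh/authorized_keys" "$demo_home" "$me" \
    && echo "tight modes: accepted"

# Modes that cannot be tightened: the .ssh directory is writable by everyone.
chmod 777 "$demo_home/.ssh"
check_secure_path "$demo_home/.ssh/authorized_keys" "$demo_home" "$me" \
    || echo "loose modes: rejected"
rm -rf "$demo_home"
```

The script relies on GNU 'stat -c', which Cygwin's coreutils package provides.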
