This is the mail archive of the cygwin mailing list for the Cygwin project.



ssh pubkey auth problems on cygwin 1.5.25


I am trying to diagnose a pubkey authentication problem with cygwin
1.5.25 and openssh 5.1p1-10 on a specific machine.  I have
successfully set up and used this exact scenario on 21 other machines.
I am only having a problem with this one specific machine.

I have installed the latest openssh on the target machine.  I set up
sshd using the "ssh-host-config --yes" command.  Because I want access
to network resources, I then changed the account that sshd runs under
from the generated "sshd" user to the "sa-prx-sshdsrvr" domain user.
Again, I have successfully done this on 21 other machines.

I set the LogLevel to DEBUG in /etc/sshd_config and started sshd using
"net start sshd".

If I try to login from another machine (apricot) without pubkey
authentication, it works:
apricot:~$ ssh -o PubkeyAuthentication=no 10.3.212.67
tschutter@10.3.212.67's password: 
Last login: Thu Jan 29 17:58:12 2009 from 10.3.212.64

$ 

When I try to connect using pubkey authentication, it fails:
apricot:~$ ssh 10.3.212.67
Connection closed by 10.3.212.67
apricot:~$ 

While nothing is output to /var/log/sshd.log when it fails, we do see
these items in the Event Viewer:
sshd: PID 460: debug1: userauth-request for user tschutter service ssh-connection method publickey.
sshd: PID 460: debug1: attempt 1 failures 0.
sshd: PID 460: debug1: test whether pkalg/pkblob are acceptable.
sshd: PID 2960: debug1: temporarily_use_uid: 18718/10513 (e=18846/10513).
sshd: PID 2960: fatal: seteuid 18718: Permission denied.
sshd: PID 2960: debug1: do_cleanup.

We can see that account 18846 is the "sa-prx-sshdsrvr" domain user:
$ grep 18846 /etc/passwd
sa-prx-sshdsrvr:unused_by_nt/2000/xp:18846:10513:Service Account, Prx-SSHDSrvr,U-DATA\sa-prx-sshdsrvr,S-1-5-21-2555220796-769361577-1294736918-8846:/home/sa-prx-sshdsrvr:/bin/bash

And that account 18718 is me:
$ grep 18718 /etc/passwd
tschutter:unused_by_nt/2000/xp:18718:10513:Schutter, Thomas A.,U-DATA\tschutter,S-1-5-21-2555220796-769361577-1294736918-8718:/cygdrive/c/tschutter:/bin/bash

The "sa-prx-sshdsrvr" account that sshd runs under has the
necessary privileges:
$ editrights -l -u sa-prx-sshdsrvr
SeCreateTokenPrivilege
SeIncreaseQuotaPrivilege
SeAssignPrimaryTokenPrivilege
SeTcbPrivilege
SeServiceLogonRight

The various files used by sshd have the correct ownership:
$ ls -ld /etc/ssh* /var/empty /var/log/lastlog /var/log/sshd.log
-rwxr-x---  1 sa-prx-sshdsrvr Domain Users      1482 Jan 30 11:38 /etc/ssh_config
-rw-------  1 sa-prx-sshdsrvr Domain Users       668 Jan 30 11:38 /etc/ssh_host_dsa_key
-rw-r--r--  1 sa-prx-sshdsrvr Domain Users       615 Jan 30 11:38 /etc/ssh_host_dsa_key.pub
-rw-------  1 sa-prx-sshdsrvr Domain Users       988 Jan 30 11:38 /etc/ssh_host_key
-rw-r--r--  1 sa-prx-sshdsrvr Domain Users       652 Jan 30 11:38 /etc/ssh_host_key.pub
-rw-------  1 sa-prx-sshdsrvr Domain Users      1671 Jan 30 11:38 /etc/ssh_host_rsa_key
-rw-r--r--  1 sa-prx-sshdsrvr Domain Users       407 Jan 30 11:38 /etc/ssh_host_rsa_key.pub
-rw-r--r--  1 sa-prx-sshdsrvr Domain Users      3273 Jan 30 14:17 /etc/sshd_config
drwxr-xr-x+ 2 sa-prx-sshdsrvr Administrators       0 Jan 28 18:07 /var/empty
-rw-r--r--  1 sa-prx-sshdsrvr Administrators 5166444 Jan 29 17:58 /var/log/lastlog
-rw-r--r--  1 sa-prx-sshdsrvr Domain Users         0 Jan 30 14:17 /var/log/sshd.log

So where do I go from here?  What other steps can I take to diagnose
this problem?  I have tried reinstalling ssh and rerunning
ssh-host-config.

I realize that cygwin 1.7 would probably make this problem go away,
but I am not ready to make the leap yet.

Thanks,
-- 
Tom Schutter
First American - Proxix Solutions
303-440-7272 x6822
512-977-6822

Attachment: cygcheck.out
Description: Text document
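
Added example, not part of the original message: a Python helper that automates the correlation done by hand above, pairing each "fatal: seteuid" event with the temporarily_use_uid line from the same PID and resolving both uids to the login and SID stored in Cygwin's /etc/passwd. The function names are hypothetical; the sample lines are the ones quoted in the message.

```python
import re

# Constructed sample input: event-log and passwd lines quoted in the message.
EVENT_LOG = [
    "sshd: PID 460: debug1: test whether pkalg/pkblob are acceptable.",
    "sshd: PID 2960: debug1: temporarily_use_uid: 18718/10513 (e=18846/10513).",
    "sshd: PID 2960: fatal: seteuid 18718: Permission denied.",
]
PASSWD = [
    r"sa-prx-sshdsrvr:unused_by_nt/2000/xp:18846:10513:Service Account, Prx-SSHDSrvr,U-DATA\sa-prx-sshdsrvr,S-1-5-21-2555220796-769361577-1294736918-8846:/home/sa-prx-sshdsrvr:/bin/bash",
    r"tschutter:unused_by_nt/2000/xp:18718:10513:Schutter, Thomas A.,U-DATA\tschutter,S-1-5-21-2555220796-769361577-1294736918-8718:/cygdrive/c/tschutter:/bin/bash",
]

USE_UID = re.compile(r"PID (\d+): debug1: temporarily_use_uid: (\d+)/\d+ \(e=(\d+)/\d+\)")
FATAL = re.compile(r"PID (\d+): fatal: seteuid (\d+): (.+?)\.?$")

def load_passwd(lines):
    """Map uid -> (login, SID or None); the SID sits in the gecos field."""
    accounts = {}
    for line in lines:
        fields = line.strip().split(":")
        if len(fields) < 7:
            continue  # not a complete passwd entry
        sid = next((p for p in fields[4].split(",") if p.startswith("S-1-")), None)
        accounts[int(fields[2])] = (fields[0], sid)
    return accounts

def describe(uid, accounts):
    if uid is None:
        return "unknown (no temporarily_use_uid line for this PID)"
    login, sid = accounts.get(uid, ("<not in passwd>", None))
    return f"{login} (uid {uid}, SID {sid})"

def explain_seteuid_failures(log_lines, accounts):
    """Report, per failed seteuid, which account sshd ran as and which it targeted."""
    effective, findings = {}, []
    for line in log_lines:
        if m := USE_UID.search(line):
            effective[int(m.group(1))] = int(m.group(3))  # PID -> effective uid
        elif m := FATAL.search(line):
            pid, target = int(m.group(1)), int(m.group(2))
            findings.append({"pid": pid, "error": m.group(3),
                             "running_as": describe(effective.get(pid), accounts),
                             "switching_to": describe(target, accounts)})
    return findings

if __name__ == "__main__":
    for finding in explain_seteuid_failures(EVENT_LOG, load_passwd(PASSWD)):
        print(finding)
```

A uid that resolves to "<not in passwd>" means the /etc/passwd on that machine has no entry for the account named in the log.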
