Mailing-List: contact cygwin-help AT cygwin DOT com; run by ezmlm
Sender: cygwin-owner AT cygwin DOT com
Mail-Followup-To: cygwin AT cygwin DOT com
Delivered-To: mailing list cygwin AT cygwin DOT com
Message-Id: <5.1.1.5.2.20020705143246.00ad19e8@lindy.stanford.edu>
X-Sender: rwilper AT lindy DOT stanford DOT edu (Unverified)
Date: Fri, 05 Jul 2002 15:25:21 -0700
To: "cygwin AT cygwin DOT com"
From: Ross Wilper
Subject: OpenSSH problems: StrictModes and PublicKeyAuthentication
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"; format=flowed

I'm testing an upgrade to the latest versions and hope I've just got a
configuration problem...

Configuration: Cygwin 1.3.12-1 and OpenSSH 3.4p2
Freshly installed Windows 2000 Server + all the hotfix rot.
Default settings from ssh-host-config
Password Auth works, Pubkey Auth does not.

------------------------------

Problem 1: StrictModes on == Cannot log on.

If the ACLs on ~/.ssh/authorized_keys have SYSTEM:Read, then authentication
fails with improper ownership or mode. If the ACL on the file does not have
SYSTEM:READ, then authentication fails because the SSHD cannot open the file.

I look at the Application event log on the system and Cygwin does record that
the userid is switching to the user logging in before opening the
authorized_keys file, but the Security log shows failed file accesses by
SYSTEM when the call comes to open the file.

So, I turned off StrictModes, set SYSTEM to have perms on the file, and ran
into the second problem.

------------------------------------

Problem 2: Successful RSA authentication is ignored?
To make a long story short, after the thread running the PubKey PAM auths the
user, the next message is an auth failure.

Client:

debug3: preferred publickey,keyboard-interactive,password
debug3: authmethod_lookup publickey
debug3: remaining preferred: keyboard-interactive,password
debug3: authmethod_is_enabled publickey
debug1: next auth method to try is publickey
debug1: try privkey: /home/administrator/.ssh/identity
debug3: no such identity: /home/administrator/.ssh/identity
debug1: try privkey: /home/administrator/.ssh/id_rsa
debug1: read PEM private key done: type RSA
debug3: sign_and_send_pubkey
debug2: we sent a publickey packet, wait for reply

Server:

debug1: userauth-request for user administrator service ssh-connection method publickey.
debug1: attempt 1 failures 1.
debug2: input_userauth_request: try method publickey.
debug3: mm_key_allowed entering.
debug3: mm_request_send entering: type 20.
debug3: mm_key_allowed: waiting for MONITOR_ANS_KEYALLOWED.
debug3: mm_request_receive_expect entering: type 21.
debug3: mm_request_receive entering.
debug3: monitor_read: checking request 20.
debug3: mm_answer_keyallowed entering.
debug3: mm_answer_keyallowed: key_from_blob: 0x100b3a78.
debug1: temporarily_use_uid: 500/513 (e=18).
debug1: trying public key file /home/Administrator/.ssh/authorized_keys.
debug1: matching key found: file /home/Administrator/.ssh/authorized_keys, line 1.
Found matching RSA key: eb:36:79:4c:fa:63:b4:41:96:7d:07:7d:ff:d0:7b:2f.
debug1: restore_uid.
debug3: mm_answer_keyallowed: key 0x100b3a78 is allowed.
debug3: mm_request_send entering: type 21.
debug3: mm_request_receive entering.
debug3: mm_key_verify entering.
debug3: mm_request_send entering: type 22.
debug3: mm_key_verify: waiting for MONITOR_ANS_KEYVERIFY.
debug3: mm_request_receive_expect entering: type 23.
debug3: mm_request_receive entering.
debug3: monitor_read: checking request 22.
debug1: ssh_rsa_verify: signature correct.
debug3: mm_answer_keyverify: key 0x100b3a78 signature verified.
debug3: mm_request_send entering: type 23.
Accepted publickey for administrator from 171.64.x.x port 2373 ssh2.
debug1: monitor_child_preauth: administrator has been authenticated by privileged process.
debug3: mm_get_keystate: Waiting for new keys.
debug3: mm_request_receive_expect entering: type 24.
debug3: mm_request_receive entering.
debug2: userauth_pubkey: authenticated 1 pkalg ssh-rsa.
Failed publickey for administrator from 171.64.x.x port 2373 ssh2.

-Ross Wilper
Stanford University

--
Unsubscribe info: http://cygwin.com/ml/#unsubscribe-simple
Bug reporting: http://cygwin.com/bugs.html
Documentation: http://cygwin.com/docs.html
FAQ: http://cygwin.com/faq/
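Problem 1 above is the "bad ownership or modes" refusal that sshd issues under StrictModes before it will read authorized_keys: the file, and every directory from the file up to the user's home, must be owned by the user (or root) and must not be group- or world-writable. The following script is an added example, not code from the post, OpenSSH or Cygwin: it reproduces that check with plain POSIX ownership and mode bits so an administrator can see which path sshd would object to. It assumes GNU coreutils `stat -c` (Linux), and it checks the POSIX view only; on Cygwin the mode bits are derived from the Windows ACL, which is exactly the mapping the post is struggling with, so on that platform the result reflects what Cygwin presents, not the ACL itself.

```shell
#!/bin/sh
# Added example (not from the original post): approximate sshd's StrictModes
# check on ~/.ssh/authorized_keys using POSIX ownership and mode bits.
# Assumes GNU coreutils stat (-c '%u %a'); not the Cygwin ACL mapping.

# check_one PATH UID
# Accepts PATH when it is owned by UID or by root (uid 0) and is not
# group- or world-writable. Prints the reason and returns 1 otherwise.
check_one() {
    p=$1
    want_uid=$2
    info=$(stat -c '%u %a' "$p" 2>/dev/null) || { echo "cannot stat: $p"; return 1; }
    owner=${info%% *}
    mode=$(( 0${info#* } ))          # leading 0 makes the octal string a number
    if [ "$owner" != "$want_uid" ] && [ "$owner" != 0 ]; then
        echo "bad ownership: $p (uid $owner, expected $want_uid or 0)"
        return 1
    fi
    if [ $(( mode & 18 )) -ne 0 ]; then   # 18 decimal == 022 octal (g+w, o+w)
        echo "bad modes: $p (group or world writable)"
        return 1
    fi
    return 0
}

# check_strict_modes FILE UID HOME
# Walks from FILE up through its parent directories until HOME (or /) has
# been checked, the same path sshd inspects when StrictModes is on.
check_strict_modes() {
    file=$1
    uid=$2
    top=$3
    check_one "$file" "$uid" || return 1
    d=$(dirname "$file")
    while :; do
        check_one "$d" "$uid" || return 1
        [ "$d" = "$top" ] && break
        [ "$d" = "/" ] && break
        d=$(dirname "$d")
    done
    echo "ok: $file"
    return 0
}

# Constructed demonstration: a correctly locked-down layout, then the same
# layout with a group-writable ~/.ssh, which is what sshd refuses.
demo() {
    tmp=$(mktemp -d)
    h=$tmp/home
    mkdir -p "$h/.ssh"
    : > "$h/.ssh/authorized_keys"
    chmod 700 "$h" "$h/.ssh"
    chmod 600 "$h/.ssh/authorized_keys"
    check_strict_modes "$h/.ssh/authorized_keys" "$(id -u)" "$h"
    chmod g+w "$h/.ssh"
    check_strict_modes "$h/.ssh/authorized_keys" "$(id -u)" "$h" \
        || echo "(rejected, as sshd would with StrictModes yes)"
    rm -rf "$tmp"
}

demo
```

The walk stops at the home directory on purpose: sshd does not hold the user responsible for /home or / being owned by root, but it does refuse if any component between the home directory and the key file is writable by someone other than the owner, because that component could be used to swap the file out.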