RE: Cygwin sshd public key authentication failure

From: Greg Paik <gpaik(at)smithandhawken.com>
Date: Mon Jan 20 2003 - 18:20:22 EST

Hmm... just tried using the keys to try and ssh to itself and it didn't work. I then generated new keys using ssh-user-config, ran ssh-add, and it still didn't work.

Otherwise, I believe that sshd doesn't really care, and will use an authorized_keys2 file as well as just an authorized_keys file with both RSA and DSS keys. Currently there are both versions in the directory to cover all the bases.

I have also checked the file format using "od -c" and both auth files are in UNIX format with the single new-line entry at the end (i.e.- '\n').

Greg

-----Original Message-----

From: Ben Voigt [mailto:bvoigt@kas.com]
Sent: Monday, January 20, 2003 12:53 PM
To: ssh-l@erdelynet.com
Subject: RE: Cygwin sshd public key authentication failure

Do the keys work in loopback?

Make sure you generated the keys from cygwin, so that they are compatible with the cygwin sshd. Then put them into authorized_keys, as if they were for use with ssh version 1. cygwin sshd uses authorized_keys (with no 2), for keys for both ssh versions 1 and 2.

---

Ben Voigt
University of Pennsylvania
Electrical Engineering PhD Student

voigt@seas.upenn.edu <mailto:voigt@seas.upenn.edu> BVoigt@kas.com <mailto:BVoigt@kas.com>

Support a Constitutional Amendment to protect the Pledge of Allegiance and National Motto.
Click here for more information. <http://www.wepledge.com/>

---

-----Original Message-----

From: ssh-l-admin@erdelynet.com [mailto:ssh-l-admin@erdelynet.com]On Behalf Of Greg Paik
Sent: Monday, January 20, 2003 2:52 PM
To: 'ssh-l@erdelynet.com'
Cc: 'secureshell@securityfocus.com'
Subject: Cygwin sshd public key authentication failure

Wondering if anyone can help me with this problem. I am trying to setup Cygwin DLL 1.3.18-1 release and OpenSSH 3.5p1 on a system running Windows NT4 SP4 to accept public key authentication from a Redhat 7.1 box using OpenSSH 3.4p1. I am able to setup the auth from the NT box to the Redhat system just fine, but keep failing the other way.

I have tried both RSA and DSA key authentication with no success. I have checked and double checked the permissions on the .ssh directory and the authorized_keys file below (Note - I have replaced the account name with "noname"), as well as tried them with 755 and 644 permissions:

drwx------+   2 noname    SYSTEM         4096 Jan 15 11:35 .ssh

-rw-------    1 noname    SYSTEM         1451 Jan 15 11:39 authorized_keys2

Below you will find the debugging output from the attempted key exchange:

RSA Key Debug Output

---

debug1: userauth-request for user noname service ssh-connection method publickey

debug1: attempt 1 failures 1
debug2: input_userauth_request: try method publickey
debug3: mm_key_allowed entering
debug3: mm_request_send entering: type 20
debug3: mm_key_allowed: waiting for MONITOR_ANS_KEYALLOWED
debug3: mm_request_receive_expect entering: type 21
debug3: mm_request_receive entering
debug3: monitor_read: checking request 20
debug3: mm_answer_keyallowed entering
debug3: mm_answer_keyallowed: key_from_blob: 0x100f8700
debug1: temporarily_use_uid: 2217/544 (e=18/544)
debug1: trying public key file /home/noname/.ssh/authorized_keys
debug1: restore_uid: (unprivileged)
debug1: temporarily_use_uid: 2217/544 (e=18/544)
debug1: trying public key file /home/noname/.ssh/authorized_keys2
debug1: restore_uid: (unprivileged)
debug3: mm_answer_keyallowed: key 0x100f8700 is disallowed
debug3: mm_request_send entering: type 21
debug3: mm_request_receive entering
debug2: userauth_pubkey: authenticated 0 pkalg ssh-rsa

Failed publickey for noname from 10.0.666.20 port 39342 ssh2

DSA Key Debug Output

---

debug1: userauth-request for user noname service ssh-connection method publickey

debug1: attempt 2 failures 2
debug2: input_userauth_request: try method publickey
debug1: test whether pkalg/pkblob are acceptable
debug3: mm_key_allowed entering
debug3: mm_request_send entering: type 20
debug3: mm_key_allowed: waiting for MONITOR_ANS_KEYALLOWED
debug3: mm_request_receive_expect entering: type 21
debug3: mm_request_receive entering
debug3: monitor_read: checking request 20
debug3: mm_answer_keyallowed entering
debug3: mm_answer_keyallowed: key_from_blob: 0x100f8550
debug1: temporarily_use_uid: 2217/544 (e=18/544)
debug1: trying public key file /home/noname/.ssh/authorized_keys
debug1: restore_uid: (unprivileged)
debug1: temporarily_use_uid: 2217/544 (e=18/544)
debug1: trying public key file /home/noname/.ssh/authorized_keys2
debug1: restore_uid: (unprivileged)
Can we help you?
In addition to our free technical library, Pantek provides professional IT services to companies who utilize Open Source software:
Learn more about Pantek's Technical Support offerings
Place an order for 24/7/365 Technical Support here
Learn more about Pantek, who we are, and what we do
Chat with a Live Operator
Related securityfocus.com Links
bugtraq
certification
focus-bsd
focus-ids
focus-ih
focus-linux
focus-ms
focus-sun
focus-unix-other
focus-virus
forensics
incidents
libnet
linux-secnews
ms-secnews
pen-test
secpapers
secprog
sectools
secureshell
security-basics
securityjobs
sf-news
vuln-dev
webappsec
Request more information about Pantek
debug3: mm_answer_keyallowed: key 0x100f8550 is disallowed
debug3: mm_request_send entering: type 21
debug3: mm_request_receive entering
debug2: userauth_pubkey: authenticated 0 pkalg ssh-dss

Failed publickey for noname from 10.0.666.20 port 39342 ssh2

I have looked through every possible link on the net and the newsgroups but find no answer to my problem. I did find a reference on a webpage that stated there was some issue with using public key authentication from a RedHat box to an NT box, but no answer as to why or how to solve it.

Thanks in advance,

Greg

--

List Information: http://tech.erdelynet.com/mailman/listinfo/ssh-l/ List Archives: http://archive.erdelynet.com/ssh-l/ To Unsubscribe: Go to http://tech.erdelynet.com/mailman/listinfo/ssh-l/ and enter your email address at the bottom to "Edit Options". If you don't know your password, have it emailed to you. Then unsubscribe.
---

{AVG => Incoming mail is certified Virus Free.} Checked by AVG anti-virus system (http://www.grisoft.com). Version: 6.0.443 / Virus Database: 248 - Release Date: 1/10/2003

--

List Information: http://tech.erdelynet.com/mailman/listinfo/ssh-l/ List Archives: http://archive.erdelynet.com/ssh-l/ To Unsubscribe: Go to http://tech.erdelynet.com/mailman/listinfo/ssh-l/ and enter your email address at the bottom to "Edit Options". If you don't know your password, have it emailed to you. Then unsubscribe. Received on Thu Jan 23 12:10:16 2003