sshd refuses ssh connections

Marc Jourdeuil marcj@sympatico.ca
Wed Oct 19 23:30:00 GMT 2005


ok, start over...

stop the sshd
cygrunsrv  --stop  sshd

Delete /etc/ssh*

p4-3000:marcj:{/etc}322 % ssh-host-config
Generating /etc/ssh_host_key
Generating /etc/ssh_host_rsa_key
Generating /etc/ssh_host_dsa_key
Generating /etc/ssh_config file
Privilege separation is set to yes by default since OpenSSH 3.3.
However, this requires a non-privileged account called 'sshd'.
For more info on privilege separation read
/usr/share/doc/openssh/README.privsep.

Should privilege separation be used? (yes/no) yes
Generating /etc/sshd_config file

Host configuration finished. Have fun!

-rwxr-xr-x   1 marcj          None    1159 Oct 19 18:52 ssh_config
-rw-------   1 marcj          None     672 Oct 19 18:52 ssh_host_dsa_key
-rw-r--r--   1 marcj          None     603 Oct 19 18:52 ssh_host_dsa_key.pub
-rw-------   1 marcj          None     528 Oct 19 18:52 ssh_host_key
-rw-r--r--   1 marcj          None     332 Oct 19 18:52 ssh_host_key.pub
-rw-------   1 marcj          None     887 Oct 19 18:52 ssh_host_rsa_key
-rw-r--r--   1 marcj          None     223 Oct 19 18:52 ssh_host_rsa_key.pub
-rw-r--r--   1 marcj          None    2807 Oct 19 18:52 sshd_config

cygrunsrv  --start  sshd

cygrunsrv: Error starting a service: QueryServiceStatus:  Win32 error 1062:
The service has not been started.

from /var/log/sshd.log:
Could not load host key: /etc/ssh_host_key
Could not load host key: /etc/ssh_host_rsa_key
Could not load host key: /etc/ssh_host_dsa_key
Disabling protocol version 1. Could not load host key
Disabling protocol version 2. Could not load host key
sshd: no hostkeys available -- exiting.

chown SYSTEM ssh*
-rwxr-xr-x   1 SYSTEM         None    1159 Oct 19 18:52 ssh_config
-rw-------   1 SYSTEM         None     672 Oct 19 18:52 ssh_host_dsa_key
-rw-r--r--   1 SYSTEM         None     603 Oct 19 18:52 ssh_host_dsa_key.pub
-rw-------   1 SYSTEM         None     528 Oct 19 18:52 ssh_host_key
-rw-r--r--   1 SYSTEM         None     332 Oct 19 18:52 ssh_host_key.pub
-rw-------   1 SYSTEM         None     887 Oct 19 18:52 ssh_host_rsa_key
-rw-r--r--   1 SYSTEM         None     223 Oct 19 18:52 ssh_host_rsa_key.pub
-rw-r--r--   1 SYSTEM         None    2807 Oct 19 18:52 sshd_config

Now able to start sshd

ps -ef
  SYSTEM     904       1   ?  19:00:05 /usr/bin/cygrunsrv
  SYSTEM    2544     904   ?  19:00:05 /usr/sbin/sshd

netstat -an | grep 22
  TCP    0.0.0.0:22             0.0.0.0:0              LISTENING

I still have keys in /home/marcj/.ssh
p4-3000:marcj:{/home/marcj/.ssh}192 % ls -l
-rw-r--r--  1 marcj None   29 Oct 19 16:55 _config
-rw-------+ 1 marcj None 1158 Oct 19 18:15 authorized_keys
-rwxr--r--  1 marcj None  603 Oct 19 16:36 authorized_keys2
-rw-------  1 marcj None  668 Oct 19 18:15 id_dsa
-rw-r--r--  1 marcj None  603 Oct 19 18:15 id_dsa.pub
-rw-------  1 marcj None  883 Oct 19 18:14 id_rsa
-rw-r--r--  1 marcj None  223 Oct 19 18:14 id_rsa.pub
-rw-------  1 marcj None  528 Oct 19 18:14 identity
-rw-r--r--  1 marcj None  332 Oct 19 18:14 identity.pub
-rw-r--r--  1 marcj None  232 Oct 19 19:02 known_hosts


ssh -v marcj@p4-3000
OpenSSH_3.9p1, OpenSSL 0.9.7e 25 Oct 2004
debug1: Reading configuration data /etc/ssh_config
debug1: Connecting to p4-3000 [192.168.1.204] port 22.
debug1: Connection established.
debug1: identity file /home/marcj/.ssh/identity type 0
debug1: identity file /home/marcj/.ssh/id_rsa type 1
debug1: identity file /home/marcj/.ssh/id_dsa type 2
debug1: Remote protocol version 1.99, remote software version OpenSSH_3.9p1
debug1: match: OpenSSH_3.9p1 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_3.9p1
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes128-cbc hmac-md5 none
debug1: kex: client->server aes128-cbc hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug1: Host 'p4-3000' is known and matches the RSA host key.
debug1: Found key in /home/marcj/.ssh/known_hosts:1
debug1: ssh_rsa_verify: signature correct
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue:
publickey,password,keyboard-interactive
debug1: Next authentication method: publickey
debug1: Offering public key: /home/marcj/.ssh/id_rsa
debug1: Server accepts key: pkalg ssh-rsa blen 149
debug1: read PEM private key done: type RSA
debug1: Authentication succeeded (publickey).
debug1: channel 0: new [client-session]
debug1: Entering interactive session.
Last login: Wed Oct 19 19:02:01 2005 from p4-3000

seems to be working now!


p4-3000:marcj:{/}325 % ssh marcj@p4-3000
Last login: Wed Oct 19 19:05:19 2005 from p4-3000
p4-3000:marcj:{/home/marcj}193 %

---------------------------------------------------------------------------
Also, I can get in from my laptop at the command line and using winSCP:

p4m-2000:marcj:{/etc}211 % ssh marcj@p4-3000
marcj@p4-3000's password:
Warning: No xauth data; using fake authentication data for X11 forwarding.
Last login: Wed Oct 19 19:19:16 2005 from p4-3000
---------------------------------------------------------------------------
restart zonealarm, see if still works
p4-3000:marcj:{/var/log}329 % ssh marcj@p4-3000
Last login: Wed Oct 19 19:08:36 2005 from p4m-2000
p4-3000:marcj:{/home/marcj}193 %

WinSCP still works from laptop!

Marc

----- Original Message ----- 
From: "Brian Dessent" <brian@dessent.net>
To: <cygwin@cygwin.com>
Sent: Wednesday, October 19, 2005 6:15 PM
Subject: Re: sshd refuses ssh connections


> Chris Taylor wrote:
>
> > >>>i followed all instructions from:
> > >>>http://pigtail.net/LRP/printsrv/cygwin-sshd.html
>
> You should ask the administrator of pigtail.net for help then.  We don't
> support other sites here.
>
> > >>>The process is running:
> > >>>p4-3000:marcj:{/home/marcj}160 % ps -ef
> > >>>...
> > >>>  SYSTEM     480     728   ?  00:48:33 /usr/sbin/sshd
> > >>>
> > >>>
> > >>>and the port 22 is listening:
> > >>>p4-3000:marcj:{/etc}183 % netstat -an
> > >>>
> > >>>Active Connections
> > >>>
> > >>>  Proto  Local Address          Foreign Address        State
> > >>>  TCP    0.0.0.0:22             0.0.0.0:0              LISTENING
>
> It looks like a firewall problem then.
>
> > >>Could you stop the service, as described on the page you mention, and
> > >>then start it manually by doing the following:
> > >>
> > >>sshd -D -dd
>
> This is bad advice.  Don't try running sshd from a non-SYSTEM account
> unless you know what you're doing.
>
> >  > Disabling protocol version 1. Could not load host key
> >  > Disabling protocol version 2. Could not load host key
> >  > sshd: no hostkeys available -- exiting.
> >
> > Well, this is definitely why it's not working.
>
> No, it's a red herring.  The host keys should be readable only by the
> process that runs sshd.  This must be SYSTEM in order for impersonation
> to work.  Thus they should be readable only by SYSTEM, and that is how
> ssh-host-config sets things up, correctly.  So if you try to run sshd as
> your normal user account, it will not work.  That's why it's a bad idea
> to mess around with running sshd from a regular prompt, because you will
> run into all kinds of permissions/ownership issues unless you know
> precisely what you're doing.
>
> To the original poster:
>
> Start over.  Forget anything you read on pigtail.net.  Delete all traces
> of whatever you've tried to do so far.  Now run ssh-host-config and let
> it do everything.  Start the service.  Do not even think about trying to
> run sshd directly from a prompt.  If the service is running, and the
> process is listening on the port, and you still get "Connection refused"
> then it's a firewall or winsock issue.  Look at the event log and
> /var/log/sshd.log for any messages.
>
> Brian
>
> --
> Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple
> Problem reports:       http://cygwin.com/problems.html
> Documentation:         http://cygwin.com/docs.html
> FAQ:                   http://cygwin.com/faq/
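
The ownership point made in the thread above (sshd.log reports "Could not load host key" until the keys belong to the account the service runs as) can be checked before starting the service. This is an added example, not part of the original messages or of Cygwin's scripts; the function name `audit_host_keys` is hypothetical, it assumes GNU `stat`, and it uses the key file names that ssh-host-config generated in the post.

```shell
#!/bin/sh
# Added example: audit the sshd private host keys for the owner and mode
# the service account needs. Assumes GNU stat (-c %U / %a).

# audit_host_keys DIR OWNER
#   DIR   directory holding the host keys (/etc in the thread)
#   OWNER account the sshd service runs as (SYSTEM in the thread)
# Prints one line per finding; exit status is the number of problems.
# The body runs in a subshell so its variables stay local.
audit_host_keys() (
    dir=$1
    want_owner=$2
    problems=0
    for name in ssh_host_key ssh_host_rsa_key ssh_host_dsa_key; do
        key=$dir/$name
        if [ ! -f "$key" ]; then
            echo "MISSING $key"
            problems=$((problems + 1))
            continue
        fi
        owner=$(stat -c %U "$key")
        mode=$(stat -c %a "$key")
        # A key owned by another account is unreadable to the service
        # once its mode is 600, which is what sshd.log showed.
        if [ "$owner" != "$want_owner" ]; then
            echo "OWNER   $key: owned by $owner, service runs as $want_owner"
            problems=$((problems + 1))
        fi
        # Private keys must carry no group/other permission bits.
        case $mode in
            *00) ;;
            *)  echo "MODE    $key: mode $mode, expected 600"
                problems=$((problems + 1)) ;;
        esac
    done
    exit "$problems"
)

# Run directly as: sh audit.sh /etc SYSTEM
if [ "$#" -eq 2 ]; then
    audit_host_keys "$1" "$2"
fi
```
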

