This is the mail archive of the
cygwin
mailing list for the Cygwin project.
Re: SSH Key Authentication is not working
- From: "Larry Hall (Cygwin)" <reply-to-list-only-lh at cygwin dot com>
- To: cygwin at cygwin dot com
- Date: Tue, 15 Oct 2013 16:15:07 -0400
- Subject: Re: SSH Key Authentication is not working
- Authentication-results: sourceware.org; auth=none
- References: <CALHkaY86UwRho0880z4-as_ca3w0rB1_d_ZhHTFKxfkDxpfANg at mail dot gmail dot com> <CALHkaY99CETJOMiRGO5Gs1-TJDtT0vX+FCA5=GBS3n_Ur1OG9A at mail dot gmail dot com> <CALHkaY-zcMO19=jUrVSQ6hd1CzH3eot8JccRPPziTFYj3zEhmg at mail dot gmail dot com>
- Reply-to: cygwin at cygwin dot com
On 10/15/2013 12:29 AM, Tadej Animalix wrote:
Thanks for quick reply. Any idea why I didn't receive email about this reply?
Typical etiquette for this list is to correspond through the list, though
some may make an extra effort to explicitly include your email address if
you request it. That courtesy may break down over the course of the thread
though, which is at least part of the reason for the preference to do
everything through the list.
First I would need to tell you think "sshd.log" may not be from the
same session, so please ignore it.
Since you didn't include it, I think that's easy to do. ;-)
After installation of CYGWIN with OpenSSH I added path of bin
directory to global variables and I ran these commands:
chmod +r /etc/passwd
chmod u+w /etc/passwd
chmod +r /etc/group
chmod u+w /etc/group
chmod 755 /var
touch /var/log/sshd.log
chmod 664 /var/log/sshd.log
None of this should be required but probably isn't causing a problem.
The only difference I saw between what you have above and what I have
is /var/log/sshd.log is 644.
Then I started "ssh-host-config" and entered:
"ntsec tty" for saemon
Both of these are deprecated. See:
<http://cygwin.com/cygwin-ug-net/using-cygwinenv.html#cygwinenv-removed-options>
answered all with yes
and I changed name to "sshd" and entered a password.
This sounds like a problem to me. The 'sshd' user is already created
automatically if you ask for "privilege separation", which you did by
answering "yes" to all questions. Please re-run 'ssh-host-config' and
allow it to use the default 'cyg-server' user name for the service. If
you absolutely must change it to something else, do not use 'sshd' or
any other existing name.
After that I ran "cyglsa-config" and answered Yes and rebooted computer.
While this is certainly a valid way to run sshd, I'm curious why you
went this route? Assuming the above advice isn't helpful, try without
cyglsa.
Then in cmd I ran "ash" and re-based all with "/usr/bin/rebaseall".
Then I opened CYGWIN terminal and executed lines bellow:
chown system /etc/ssh*
chown system /var/empty
Why are you doing this? 'ssh-host-config' takes care of setting the
permissions and ownership as required. What you've done above is
wrong. The owner of these files should be the user that is running
the 'sshd' service (i.e. 'cyg-server' by default).
mkgroup -l > ..\etc\group
mkpasswd -l > ..\etc\passwd
The above also should not be necessary and, depending on where you
invoked it from, may not have had any affect at all.
After that I was able to start "CYGWIN sshd" as service and I was able
to connect with user-pwd authentication, but key login doesn't work at
this point.
I've also tried to CHMOD ".ssh" folder and "authorized_keys" but that
didn't help.
Right. Again, 'ssh-user-config' script sets these permissions properly.
Just remove '.ssh' and re-run 'ssh-user-config'.
Am I missing something?
Given all the changes you've made, I get the feeling that you've missed
the '/usr/share/doc/Cygwin/openssh.README' file which, toward the end of
the file, has very explicit and simple directions for configuring your
OpenSSH installation. It is possible with all the "external" advice
you've found and tried, you may find it easier to just wipe your install
and start over. If you do so, I recommend that rely only on the config
scripts provided to configure your system. If you choose to try to
undo what you've done, the scripts can be a good guide to what needs
altering. Any future correspondence with the list on this issue should
be accompanied by the output of 'cygcheck -svr'. Please *attach* (rather
than append) this output.
--
Larry
_____________________________________________________________________
A: Yes.
> Q: Are you sure?
>> A: Because it reverses the logical flow of conversation.
>>> Q: Why is top posting annoying in email?
--
Problem reports: http://cygwin.com/problems.html
FAQ: http://cygwin.com/faq/
Documentation: http://cygwin.com/docs.html
Unsubscribe info: http://cygwin.com/ml/#unsubscribe-simple