


Subject: Re: OpenSSH for Windows and key authentication - msg#00015

List: network.ssh.windows


I finally got public key authentication to work using SSHWindows.  See my notes below:

(These notes use SSHWindows as an example but the same concept should apply to other Cygwin-based SSH builds.  File names/paths used below should be changed accordingly.)

After installing SSHWindows, changes are required to enable public key authentication.  The following steps must be completed:

* Change ownership of OpenSSH folder/subfolders to Administrators using Windows Explorer.
* Grant Administrators full control of the OpenSSH folder.  From a command prompt, type:

      cacls "c:\program files\openssh" /t /e /c /g Administrators:F

* Edit sshd_config file and set StrictModes to "no".
* Under the user's profile, grant Administrators (and only Administrators) full control of the .ssh folder and files.  If this folder does not exist, it can be created by establishing an SSH connection to another box.
* On clients only, copy the private RSA key to the local .ssh folder and name it "id_rsa".  Copy the client's public RSA key to the desired server(s) by adding it to an "authorized_keys" text file located under the server's .ssh folder.
* To use publickey authentication, use the SSH command line switch "-o PreferredAuthentications=publickey".  Alternately, you can modify the ssh_config file to make this the default.

Important note for Windows 2003 Server users (from Cygwin documentation):
---------------------------------------------
2003 Server has a funny new feature.  When starting services under SYSTEM account, these services have nearly all user rights which SYSTEM holds... except for the "Create a token object" right, which is needed to allow public key authentication :-(

There's no way around this, except for creating a substitute account which has the appropriate privileges. Basically, this account should be member of the Administrators group, plus it should have the following user rights (some of these should already be assigned to Administrators):

 Create a token object
 Logon as a service
 Replace a process level token
 Adjust memory quotas for a process

The ssh-host-config script asks you, if it should create such an account, called "sshd_server".  If you say "no" here, you're on your own.  Please follow the instruction in ssh-host-config exactly if possible.  Note that ssh-user-config sets the permissions on 2003 Server machines dependent of whether a sshd_server account exists or not.


Mike <diskcrasher@xxxxxxxxx> wrote:

PS: I'm also seeing this permissions denied error in the event log on the server each time I try to connect using SSH:

Event Type: Error
Event Source: sshd
Event Category: None
Event ID: 0
Date:  10/6/2005
Time:  7:58:33 AM
User:  NT AUTHORITY\SYSTEM
Computer: comp1
Description:
The description for Event ID ( 0 ) in Source ( sshd ) cannot be found. The local computer may not have the necessary registry information or message DLL files to display messages from a remote computer. You may be able to use the /AUXSOURCE= flag to retrieve this description; see Help and Support for details. The following information is part of the event: sshd : PID 1444 : fatal: setreuid 500: Permission denied.


Mike <diskcrasher@xxxxxxxxx> wrote:

I'm using SSHWindows and am stuck using that for the moment since switching would involve considerable work (politics.)

As for whether to use authorized_keys vs. authorized_keys2, the SSHWindows documentation states the following:

"If you generated dsa or rsa keys and the server is running a version of OpenSSH older than 3.4, you will need to use authorized_keys2. If you are not sure of the version, you can still use authorized_keys2. If you generated rsa1 keys, use authorized_keys."

I've changed the permissions on the folder/files and authentication appears to be working now (thanks.)  However, if I try to log into one of my servers using "ssh user@server" it logs on (debug shows authentication succeeded) and then immediately says the connection has been closed.  I was expecting to get a remote shell prompt like I did with password authentication.  Shouldn't that be the case?

Robert Jacobson <2wj93d702@xxxxxxxxxxxxxx> wrote:
On Oct 5, 2005, at 3:25 PM, Mike diskcrasher-at-yahoo.com |
ssh_erdelynet| wrote:

> I've been running SSH on my Windows servers using
> password authentication and things have worked great.
> Now I want to switch to key authentication and am
> having trouble getting it to work.
>
> Per instructions, I copied the contents of my client
> keys (id_dsa.pub & id_rsa.pub) from the .ssh folder
> into a file named authorized_keys on my server located
> under c:\documents and settings\administrator\.ssh
> (since I'm logging on as the administrator with SSH.)
> When I try to connect from my client I get a
> permissions denied error. Obviously the keys aren't
> working.
>
> Can someone give me an idea to what's wrong? Do I
> need to modify my ssh_config or sshd_config files?

First, what distribution of SSH for windows are you using? There are
a few... are you using the one from sshwindows.sourceforge.net?

No, you do not need to modify the config files. Two possibilities:

1) I think the file is "authorized_keys2" (you're missing the "2" at
the end)

2) The permissions on the .ssh directory must be correct -- only
Administrator and SYSTEM should be able to read them

That said -- if you're using sshwindows -- I recommended you
uninstall it, and use copSSH. It is much easier to set up, IMO, and
the key authentication actually *works* (I always had to do something
manually with permissions when using sshwindows.)

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Robert Jacobson Robert.Jacobson@xxxxxxxxxxxxx
BS, Aeronautical Engineering Univ. of Md., College Park
Flight Ops. Team - SOlar Heliospheric Observatory (SOHO)
(301) 286-1591



--
List Archives: http://archive.erdelynet.com/ssh-l/
To Unsubscribe: Mail mailto:ssh+unsubscribe@xxxxxxxxxxxxx
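
A check for the authorized_keys step in the notes at the top of this message, as an added example that is not part of the original thread: it flags lines that are not one intact protocol 2 public key (a key wrapped or truncated by an editor, a type label that does not match the blob, pasted private key material). The sample blob is constructed and is not a real key; the function and variable names are illustrative, and lines whose options contain spaces are not handled.

```python
import base64

# Protocol 2 key types only; rsa1 lines use a different format and are not handled.
KEY_TYPES = {"ssh-rsa", "ssh-dss", "ssh-ed25519", "ecdsa-sha2-nistp256"}

def _fields(blob):
    """Split a key blob into its length-prefixed fields; None if it ends early."""
    out, pos = [], 0
    while pos < len(blob):
        n = int.from_bytes(blob[pos:pos + 4], "big")
        if len(blob) - pos < 4 + n:
            return None
        out.append(blob[pos + 4:pos + 4 + n])
        pos += 4 + n
    return out

def _problem(line):
    """Return a description of what is wrong with one key line, or None."""
    if "PRIVATE KEY" in line:
        return "private key material; only the .pub line belongs here"
    words = line.split()
    idx = next((i for i, w in enumerate(words) if w in KEY_TYPES), None)
    if idx is None or idx + 1 >= len(words):
        return "no key type followed by a blob; key may be wrapped"
    try:
        parts = _fields(base64.b64decode(words[idx + 1], validate=True))
    except ValueError:
        parts = None
    if not parts:
        return "blob is not complete key data; truncated paste?"
    if parts[0] != words[idx].encode():
        return "blob holds %r but the line says %s" % (parts[0], words[idx])
    return None

def check_authorized_keys(text):
    """Return [(line_number, problem)] for the body of an authorized_keys file."""
    lines = [(n, l.strip()) for n, l in enumerate(text.splitlines(), 1)]
    return [(n, _problem(l)) for n, l in lines
            if l and not l.startswith("#") and _problem(l)]

# Constructed sample: a well-formed but meaningless ssh-rsa blob, not a real key.
BLOB = base64.b64encode(b"".join(len(f).to_bytes(4, "big") + f for f in
                        (b"ssh-rsa", b"\x01\x00\x01", b"\x00" + b"\xc3" * 32))).decode()
SAMPLE = "\r\n".join([
    "ssh-rsa " + BLOB + " mike@client",   # line 1: intact, CRLF line endings
    "ssh-rsa " + BLOB[:40],               # line 2: key wrapped by an editor, first part
    BLOB[40:] + " mike@client",           # line 3: remainder of the wrapped key
    "ssh-dss " + BLOB + " mike@client",   # line 4: type label does not match the blob
    "-----BEGIN RSA PRIVATE KEY-----",    # line 5: private key pasted by mistake
])
```

Calling check_authorized_keys(SAMPLE) reports lines 2 through 5; an empty result means every key line parsed as one complete public key.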



Thread at a glance:

Previous Message by Date:

Re: copSSH HPN performance tests

Okay, I'm going to have to run some tests and see what I find out. I ran a series of tests (200 iterations each) transferring a 100MB file between two linux hosts on a 1Gb by .08ms RTT path. The hosts were linux 2.4.29 and Linux 2.6.14. We used SSH-HPN ver 4.1p1. I didn't actually see any problems in this setup.

Now, a couple of things to keep in mind. By removing the internal SSH bottleneck we put SSH back in the realm of being guided by TCP congestion control. There are certain cases where TCP congestion control will not deliver the best performance. Most notable of these cases is clustered losses when SACK is not enabled. So, if you could tell me if SACK is enabled that would be great.

HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
SackOpts="1"

If it's not enabled try enabling it on both ends and seeing if that clears the problem up. Another test would be to use the '-w' option to manually set the receive buffer size. This is a client side option only. If you set it to 65356 and the performance stabilizes then it's probably a TCP congestion window issue.

Tevfik Karagülle wrote:

Hi,

I can also confirm that test results from a simple scp test were much lower than expected. See http://www.itefix.no/phpws/index.php?module=phpwsbb&PHPWSBB_MAN_OP=view&PHPWS_MAN_ITEMS[]=152 for more information.

Rgrds Tev

-----Original Message-----
From: ssh@xxxxxxxxxxxxx [mailto:ssh@xxxxxxxxxxxxx] On Behalf Of Chris Rapier
Sent: 11. oktober 2005 16:39
To: F. Telbisz
Cc: ssh@xxxxxxxxxxxxx
Subject: Re: copSSH version 1.3.5 is released !

I should have mentioned that here as well - yes the 4.2 patch is now available from http://www.psc.edu/networking/projects/hpn-ssh. I'll also mention that some aspects of the patch are making it into the OpenSSH tree (slowly, so very slowly).... I hope by version 4.4 the patch will be integrated in full.

In the meantime, if anyone is using my patch could do me a small favor I would appreciate it. One of the OpenSSH developers is reporting a performance decrease on transfers within the local area network. If anyone is in a position to run some comparison tests I'd love it if you could get me the results from some test transfers. Thanks so much!

F. Telbisz wrote:

Hello Chris,

Have you finished the 4.2p1 patch and is it available for others, too? I am using 4.1p1 patch on several XP/SP1 without any problems, but I should prefer to change to patch 4.2p1 if possible.

Regards
Ferenc

On Wed, 7 Sep 2005, Chris Rapier wrote:

| It's my patch so I can answer any question you might happen to have
| on it. I already applied it to one Cygwin based ssh install (based
| on the SSHWindows package) so I know it installs cleanly up to 4.1p1.
| I'm in the process of updating the patch for 4.2.p1 I should have it
| up by the end of the week.

==================================================================
Ferenc Telbisz
KFKI RMKI Computer Networking Center
Postal address: H-1525 Budapest 114. P.O.Box 49
Phone: +36-(1)-392-2554, +36-(1)-481-7646, Fax: +36-(1)-392-2503
E-mail: telbisz@xxxxxxxxxxxxxxx or telbisz@xxxxxxxxxxxxxx

Next Message by Date:

Re: copSSH HPN performance tests

On 10/11/05, Chris Rapier <rapier@xxxxxxx> wrote:

> If it's not enabled try enabling it on both ends and seeing if that
> clears the problem up. Another test would be to use the '-w' option to
> manually set the receive buffer size. This is a client side option only.
> If you set it to 65356 and the performance stabilizes then it's
> probably a TCP congestion window issue.

65356?  Did you mean to type 65536?


Next Message by Thread:

RE: OpenSSH for Windows and key authentication

Mike,

This page may or may not be of some help to you. This is how I did private/public keys for OpenSSH for Windows on an XP Pro box acting as the server and using PuTTY as the client (also on an XP Pro box)...

http://theillustratednetwork.mvps.org/RemoteDesktop/SSH-RDP-VNC/OpenSSH/Private-publicKey.html

Al