
ssh keys not working after server crash




Attached are the instructions I used about a year ago to install and it’s been working fine until about 3 weeks ago. The server crashed (due to MS patches I believe) and when it came up the system didn’t look right. I installed syslog-ng to see if it would help me get some logging.

Prior to the crash, users were restricted to their home directories. Now I see dev in the folder list even though it was hidden before and fstab was not changed.
According to the instructions I used to install, /home was to be owned by cyg_server, but it shows as owned by Administrator now. I suspect a permission problem I am having with ssh keys not working.

2017-10-11 19:30:04, 00001: Session(0AC80001): SENT : USERAUTH_REQUEST [none]
2017-10-11 19:30:04, 00001: Session(0AC80001): RECV : USERAUTH_FAILURE, continuations [publickey,password,keyboard-interactive]
2017-10-11 19:30:05, 00001: Session(0AC80001): SENT : USERAUTH_REQUEST [publickey (ssh-rsa) - unsigned,fingerprint (SHA-2 hash): 57:ed:24:74:ce:88:71:a8:15:ae:72:8a:dd:42:be:b6:76:8c:f2:65:f8:1b:41:29:92:95:63:1d:24:b4:d5:85]
2017-10-11 19:30:05, 00001: Session(0AC80001): SENT : USERAUTH_REQUEST [publickey (ssh-rsa) - unsigned,fingerprint (SHA-1 hash): 33:f2:36:9c:2f:45:7e:87:74:fb:d5:6e:ca:44:e6:99:03:53:80:c6]
2017-10-11 19:30:05, 00001: Session(0AC80001): SENT : USERAUTH_REQUEST [publickey (ssh-rsa) - unsigned,fingerprint (MD5 hash): ba:b7:6c:0b:88:87:74:c6:a0:eb:e5:bd:06:bb:53:10]
2017-10-11 19:30:05, 00001: Session(0AC80001): RECV : USERAUTH_FAILURE, continuations [publickey,password,keyboard-interactive]
2017-10-11 19:30:05, 00001: Session(0AC80001): SEND: Disconnect packet: The user canceled authentication.

Cygcheck attached.



-----Original Message-----
From: Marco Atzeri [mailto:marco.atzeri@xxxxxxxxx] 
Sent: Tuesday, October 17, 2017 11:33 AM
To: mailto:cygwin@xxxxxxxxxx; mailto:bmike.adkins@xxxxxxxxx
Subject: Re: Cygwin Help needed

On 17/10/2017 17:21, Mike Adkins wrote:
> It will not let me chown cyg_server /home

you should not do it.

> 
> From: Mike Adkins
> Sent: Tuesday, October 17, 2017 11:18 AM
> To: cygwin cygwin.com
> Subject: RE: Cygwin Help needed
> 
>   
> 
> Any help?

There was already an answer
https://cygwin.com/ml/cygwin/2017-10/msg00145.html

asking for more details mentioning the guidelines for reporting problems at https://cygwin.com/problems.html.
In particular, please attach output of
cygcheck -svr.

If you are not subscribed to the mail list I assume you have not received that reply.

Regards
MArco

Attachment: cygcheck.out
Description: Binary data

##########################################################################
####  STEP #0 = Install Cygwin and OpenSSH Files
##########################################################################
1) Download cygwin  & install / extract files 
2) Note always run all terminals as Administrator when doing the 
   instructions below


##########################################################################
####  STEP #1 = Create Windows Users, Groups and User Directories
##########################################################################
1) For Example, create windows users sftpuser01, sftpuser02, sftpuser03
2) For Example, create windows group sftp_group
3) Place users in the sftp_group
4) Under windows create the Folder C:\SFTP_ROOT
5) Create a folder for each user, in my case it's
   a) C:\SFTP_ROOT\sftpuser01
   b) C:\SFTP_ROOT\sftpuser02
   c) C:\SFTP_ROOT\sftpuser03



##########################################################################
####  STEP #2 = Open Cygwin Terminal Shell install SSH
##########################################################################
1) In the Cygwin Terminal Shell type
   export CYGWIN='ntsec tty'
   chmod 0755 /var
   ssh-host-config

Answers to the questions when prompted by ssh-host-config
===================================================================
a) should strictmodes be used?  no
b) Should privilege separation be used? yes
c) New local account 'sshd'?  yes
d) do you want to install sshd as a service? yes
e) Enter the value of CYGWIN daemon?  sshd
f) do you want to use a different name? no
g) Create a new privileged user account 'cyg_server'?  yes



##########################################################################
####  STEP #3 = Create password and Group file
##########################################################################
1) Create the Password File and Group File, in the Cygwin Terminal type
   mkgroup > /etc/group 
   #for local users 
   mkpasswd -cl > /etc/passwd 
   #for domain users
   #mkpasswd -d > /etc/passwd 
   chmod +rw /etc/group
   chmod +rw /etc/passwd


##########################################################################
####  STEP #4 = Edit the FSTAB File system table
##########################################################################
1) Some FSTAB Entries for Your Reference
   http://cygwin.com/cygwin-ug-net/using.html#mount-table

2) Use these entries 
C:/cygwin64 / ntfs override,binary,noacl 0 0
C:/SFTP_ROOT /home ntfs override,binary,noacl 0 0
C:/cygwin64/bin /usr/bin ntfs override,binary,noacl 0 0
C:/cygwin64/lib /usr/lib ntfs override,binary,noacl 0 0
C:/cygwin64/etc/terminfo /usr/share/terminfo ntfs override,binary,noacl 0 0


##########################################################################
####  STEP #5 = Change the nsswitch.conf file
##########################################################################
1) This allows only users in the passwd file to login, otherwise if you
   specify "db" it allows users in the Active Directory to log in also

If you want User Login Access to be solely Controlled by PASSWD file not Active Directory
edit the /etc/nsswitch.conf
===========================================================================================
# /etc/nsswitch.conf
#
#    This file is read once by the first process in a Cygwin process tree.
#    To pick up changes, restart all Cygwin processes.  For a description
#    see https://cygwin.com/cygwin-ug-net/ntsec.html#ntsec-mapping-nsswitch
#
# Defaults:
# passwd:   files db
# group:    files db
# db_enum:  cache builtin
# db_home:  /home/%U
# db_shell: /bin/bash
# db_gecos: <empty>

passwd:   files
group:    files


##########################################################################
####  STEP #6 = Now Start the Service
##########################################################################
1) Start the Service
net stop sshd
net start sshd
netstat -a

2) Make sure to change the Firewall to allow for port 22



##########################################################################
####  STEP #7 = Restrict users to home dir
##########################################################################
0) Allow edit to sshd_config in cygwin terminal
chmod 777 /etc/sshd_config

1) Restrict users to home directory, edit the /etc/sshd_config add the lines below
   a) comment out
#Subsystem	sftp	/usr/sbin/sftp-server

   b) paste below the subsystem and match group
Subsystem sftp internal-sftp

Match group sftp_group
    ChrootDirectory /home/%u
    X11Forwarding no
    AllowTcpForwarding no
    ForceCommand internal-sftp

2) Edit the /etc/passwd file for the user "cyg_server" give it the root id of 0
   this is necessary for restricting the user to their own home directory
   cyg_server:*:0

3) Append these to /etc/fstab file, this will hide the /cygdrive and /dev folder 
   after you have restricted the user to the /home directory
/dev /null none bind
none / cygdrive user 0 0

4) Go into Cygwin Terminal assign cyg_server /home this is required
   for the restricting of the user to the home directory
chown cyg_server /home
chmod 0755 /home

5) Start the Service
net stop sshd
net start sshd




##########################################################################
####  OTHER Commands
##########################################################################
In the DOS Command Shell
============================
net stop sshd
net start sshd
netstat -a

Commands to remove the service in Cygwin
Run as Admin
==========================================
cygrunsrv -R sshd 

Commands to remove the service in DOS
Run as Admin
==========================================
SC delete sshd




--
Problem reports:       http://cygwin.com/problems.html
FAQ:                   http://cygwin.com/faq/
Documentation:         http://cygwin.com/docs.html
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple
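
Added example, not part of the original message or its attachment: sshd only accepts a `ChrootDirectory` whose every path component is a directory owned by uid 0 and not writable by group or others, which is why STEP #7 maps cyg_server to uid 0 and chowns /home to it. This script walks a chroot path (for instance /home/sftpuser01 from the attachment) and reports each component that breaks that rule; the script name `check_chroot.sh` and the function names are made up for this example, and GNU `stat` is assumed.

```sh
#!/bin/sh
# Added example, not from the original post. sshd refuses a ChrootDirectory
# unless every component of its path is a directory owned by uid 0 and not
# writable by group or others. Assumes GNU stat (coreutils).

# check_component DIR [OWNER_UID]: test one directory against the rule.
check_component() {
    cc_dir=$1
    cc_want=${2:-0}
    if [ ! -d "$cc_dir" ]; then
        echo "FAIL $cc_dir: not a directory"
        return 1
    fi
    cc_uid=$(stat -L -c '%u' "$cc_dir")
    cc_mode=$(stat -L -c '%a' "$cc_dir")
    cc_rc=0
    if [ "$cc_uid" != "$cc_want" ]; then
        echo "FAIL $cc_dir: owner uid $cc_uid, expected $cc_want"
        cc_rc=1
    fi
    # 022 masks the group-write and other-write bits of the octal mode.
    if [ $(( 0$cc_mode & 022 )) -ne 0 ]; then
        echo "FAIL $cc_dir: mode $cc_mode is group/other writable"
        cc_rc=1
    fi
    [ "$cc_rc" -eq 0 ] && echo "ok   $cc_dir (uid $cc_uid, mode $cc_mode)"
    return "$cc_rc"
}

# check_chroot_path DIR [OWNER_UID]: apply the rule to DIR and every parent.
check_chroot_path() {
    cp_dir=$1
    cp_rc=0
    case $cp_dir in
        /*) ;;
        *) echo "FAIL $cp_dir: absolute path required"; return 2 ;;
    esac
    while :; do
        check_component "$cp_dir" "${2:-0}" || cp_rc=1
        [ "$cp_dir" = "/" ] && break
        cp_dir=$(dirname "$cp_dir")
    done
    return "$cp_rc"
}

# Example: sh check_chroot.sh /home/sftpuser01
if [ "$#" -gt 0 ]; then
    check_chroot_path "$@"
fi
```

The optional second argument overrides the expected owner uid, for setups where the privileged sshd account is not mapped to 0.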