This is the mail archive of the cygwin mailing list for the Cygwin project.
Re: ssh configuration
Larry Hall (Cygwin) wrote:
>>
>> Here's the full info:
>>
>>> /usr/sbin/sshd.exe -d -d -d -D
>
> Running 'sshd.exe' as anyone other than SYSTEM (on WinXP and earlier O/S's)
> is not recommended. See the email archives for a recipe about how to get
> a SYSTEM-owned shell to run 'sshd.exe' from if you want to run it from a
> shell.
Well, this is mainly just a test to see the output of sshd. sshd will
still get started by a service (presumably running under root) using
cygrunsrv.
>
> You certainly need to run ssh-user-config to log through the 'sshd'
> server, so this is the correct thing to do.
Ok... so, I've done it. Here's the new log (with ugly errors), from ssh.
OpenSSH_4.6p1, OpenSSL 0.9.8e 23 Feb 2007
debug1: Reading configuration data /etc/ssh_config
debug1: Applying options for *
debug2: ssh_connect: needpriv 0
debug1: Connecting to localhost [127.0.0.1] port 22.
debug1: Connection established.
debug1: identity file /home/gga/.ssh/identity type 0
debug3: Not a RSA1 key file /home/gga/.ssh/id_rsa.
debug2: key_type_from_name: unknown key type '-----BEGIN'
debug3: key_read: missing keytype
debug2: key_type_from_name: unknown key type 'Proc-Type:'
debug3: key_read: missing keytype
debug2: key_type_from_name: unknown key type 'DEK-Info:'
debug3: key_read: missing keytype
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug2: key_type_from_name: unknown key type '-----END'
debug3: key_read: missing keytype
debug1: identity file /home/gga/.ssh/id_rsa type 1
debug3: Not a RSA1 key file /home/gga/.ssh/id_dsa.
debug2: key_type_from_name: unknown key type '-----BEGIN'
debug3: key_read: missing keytype
debug2: key_type_from_name: unknown key type 'Proc-Type:'
debug3: key_read: missing keytype
debug2: key_type_from_name: unknown key type 'DEK-Info:'
debug3: key_read: missing keytype
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug2: key_type_from_name: unknown key type '-----END'
debug3: key_read: missing keytype
debug1: identity file /home/gga/.ssh/id_dsa type 2
ssh_exchange_identification: read: Software caused connection abort
>>
>> More info:
>> - cygwin is installed on a FAT partition of a WinXP (SP1) box, with
>> latest patches.
>
> Ugh! You'll need to turn off 'StrictModes' in '/etc/sshd_config' for
> this to work. And that disables a large part of the security you get
> from OpenSSH. You should really consider switching to NTFS if you plan
> to use OpenSSH as any kind of security mechanism.
>
Interesting. Can you explain to me why the file system affects the
security of sshd? I'll admit I don't understand this. Why does ssh
care about it?
>> - I have at least one user without a password. I've also gone and
>> modified the ssh configuration file to add in sshd_config:
>> PermitEmptyPasswords no
>
> Perhaps this answers the question about whether you're looking for
> security from OpenSSH. ;-)
Hopefully not. I really cannot ask the user to login with a password
(he is too old a person) and I don't care too much about the security
within the LAN.
However, I do care about the security exposed to the net, and I want to
make sure this account without a password does not compromise security.
Under Linux, PermitEmptyPasswords should do that for ssh connections.
I'm hoping this is the same for cygwin.
>
> 'Off' for some firewalls is the same as 'On'. They can be buggy. Try
> opening port 22 (assuming you didn't change this) for OpenSSH or
> uninstalling the firewall as a test.
>
Port 22 is already open, but I'm testing without the firewall just in
case, too. I'm using Filseclab Free Firewall, btw.
--
Gonzalo Garramuño
ggarra@advancedsl.com.ar
AMD4400 - ASUS48N-E
GeForce7300GT
Kubuntu Edgy
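
StrictModes, discussed in the message above, makes sshd check the modes and ownership of the user's files and home directory before accepting a login. The following is an added example, not part of the original message or of the Cygwin/OpenSSH packages: a small audit that reports the effective StrictModes and PermitEmptyPasswords values and flags group/world-writable paths. The function names, the sample config and the use of GNU `stat` are assumptions.

```shell
#!/bin/bash
# Added example, not from the thread. Assumes GNU stat (Cygwin coreutils).

# Effective value of KEYWORD in the global part of an sshd_config file.
# sshd keeps the first value it reads; keywords are case-insensitive.
# Assumes "Keyword value" lines; stops at the first Match block.
sshd_effective() {  # usage: sshd_effective FILE KEYWORD DEFAULT
    awk -v want="$2" -v def="$3" '
        BEGIN { want = tolower(want) }
        /^[ \t]*#/ || /^[ \t]*$/ { next }   # comments and blank lines
        { kw = tolower($1) }
        kw == "match" { exit }
        kw == want { print tolower($2); found = 1; exit }
        END { if (!found) print def }
    ' "$1"
}

# Succeeds if PATH is not writable by group or others (mode & 022 == 0),
# the mode half of the StrictModes check; ownership is not checked here.
path_is_strict() {
    local mode
    mode=$(stat -c '%a' "$1") || return 2
    [ $(( 0$mode & 022 )) -eq 0 ]
}

# Prints one WARN line per finding; exit status is the number of findings.
audit_sshd() {  # usage: audit_sshd CONFIG HOME_DIR
    local cfg=$1 home=$2 n=0 p
    if [ "$(sshd_effective "$cfg" StrictModes yes)" != yes ]; then
        echo "WARN: StrictModes is off, file modes and ownership go unchecked"; n=$((n + 1))
    fi
    if [ "$(sshd_effective "$cfg" PermitEmptyPasswords no)" != no ]; then
        echo "WARN: PermitEmptyPasswords is on"; n=$((n + 1))
    fi
    for p in "$home" "$home/.ssh" "$home/.ssh/authorized_keys"; do
        [ -e "$p" ] || continue
        path_is_strict "$p" || { echo "WARN: $p is group/world writable"; n=$((n + 1)); }
    done
    return "$n"
}

# Constructed sample: the change the reply suggests for a FAT install.
demo=$(mktemp -d)
printf '%s\n' 'StrictModes no' 'PermitEmptyPasswords no' > "$demo/sshd_config"
audit_sshd "$demo/sshd_config" "$demo" || echo "findings: $?"
rm -rf "$demo"
```
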