We have installed Cygwin on a Windows Server 2008 Standard server and it working pretty well. Unfortunately we still have a big problem. We want to connect using a public key through SSH which doesn't work. It always falls back to using password login.
We have appended our public key to ~/.ssh/authorized_keys
on the server and we have our private and public key in ~/.ssh/id_dsa
respective ~/.ssh/id_dsa.pub
on the client.
When debugging the SSH login session we see that the key is offered by the server apparently rejects it by some unknown reason.
The SSH output when connecting from an Ubuntu 9.10 desktop with debug information enabled:
$ ssh -v 192.168.10.11
OpenSSH_5.1p1 Debian-6ubuntu2, OpenSSL 0.9.8g 19 Oct 2007
debug1: Reading configuration data /home/myuseraccount/.ssh/config
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Applying options for
debug1: Connecting to 192.168.10.11 [192.168.10.11] port 22.
debug1: Connection established.
debug1: identity file /home/myuseraccount/.ssh/identity type -1
debug1: identity file /home/myuseraccount/.ssh/id_rsa type -1
debug1: identity file /home/myuseraccount/.ssh/id_dsa type 2
debug1: Checking blacklist file /usr/share/ssh/blacklist.DSA-1024
debug1: Checking blacklist file /etc/ssh/blacklist.DSA-1024
debug1: Remote protocol version 2.0, remote software version OpenSSH_5.3
debug1: match: OpenSSH_5.3 pat OpenSSH
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_5.1p1 Debian-6ubuntu2
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes128-cbc hmac-md5 none
debug1: kex: client->server aes128-cbc hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug1: Host '192.168.10.11' is known and matches the RSA host key.
debug1: Found key in /home/myuseraccount/.ssh/known_hosts:12
debug1: ssh_rsa_verify: signature correct
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey,password,keyboard-interactive
debug1: Next authentication method: publickey
debug1: Offering public key: /home/myuseraccount/.ssh/id_dsa
debug1: Authentications that can continue: publickey,password,keyboard-interactive
debug1: Trying private key: /home/myuseraccount/.ssh/identity
debug1: Trying private key: /home/myuseraccount/.ssh/id_rsa
debug1: Next authentication method: keyboard-interactive
debug1: Authentications that can continue: publickey,password,keyboard-interactive
debug1: Next authentication method: password
[email protected]'s password:
The version of Cygwin:
$ uname -a
CYGWIN_NT-6.0 servername 1.7.1(0.218/5/3) 2009-12-07 11:48 i686 Cygwin
The installed packages:
$ cygcheck -c
Cygwin Package Information
Package Version Status
_update-info-dir 00871-1 OK
alternatives 1.3.30c-10 OK
arj 3.10.22-1 OK
aspell 0.60.5-1 OK
aspell-en 6.0.0-1 OK
aspell-sv 0.50.2-2 OK
autossh 1.4b-1 OK
base-cygwin 2.1-1 OK
base-files 3.9-3 OK
base-passwd 3.1-1 OK
bash 3.2.49-23 OK
bash-completion 1.1-2 OK
bc 1.06-2 OK
bzip2 1.0.5-10 OK
cabextract 1.1-1 OK
compface 1.5.2-1 OK
coreutils 7.0-2 OK
cron 4.1-59 OK
crypt 1.1-1 OK
csih 0.9.1-1 OK
curl 7.19.6-1 OK
cvs 1.12.13-10 OK
cvsutils 0.2.5-1 OK
cygrunsrv 1.34-1 OK
cygutils 1.4.2-1 OK
cygwin 1.7.1-1 OK
cygwin-doc 1.5-1 OK
cygwin-x-doc 1.1.0-1 OK
dash 0.5.5.1-2 OK
diffutils 2.8.7-2 OK
doxygen 1.6.1-2 OK
e2fsprogs 1.35-3 OK
editrights 1.01-2 OK
emacs 23.1-10 OK
emacs-X11 23.1-10 OK
file 5.04-1 OK
findutils 4.5.5-1 OK
flip 1.19-1 OK
font-adobe-dpi75 1.0.1-1 OK
font-alias 1.0.2-1 OK
font-encodings 1.0.3-1 OK
font-misc-misc 1.1.0-1 OK
fontconfig 2.8.0-1 OK
gamin 0.1.10-10 OK
gawk 3.1.7-1 OK
gettext 0.17-11 OK
gnome-icon-theme 2.28.0-1 OK
grep 2.5.4-2 OK
groff 1.19.2-2 OK
gvim 7.2.264-1 OK
gzip 1.3.12-2 OK
hicolor-icon-theme 0.11-1 OK
inetutils 1.5-6 OK
ipc-utils 1.0-1 OK
keychain 2.6.8-1 OK
less 429-1 OK
libaspell15 0.60.5-1 OK
libatk1.0_0 1.28.0-1 OK
libaudio2 1.9.2-1 OK
libbz2_1 1.0.5-10 OK
libcairo2 1.8.8-1 OK
libcurl4 7.19.6-1 OK
libdb4.2 4.2.52.5-2 OK
libdb4.5 4.5.20.2-2 OK
libexpat1 2.0.1-1 OK
libfam0 0.1.10-10 OK
libfontconfig1 2.8.0-1 OK
libfontenc1 1.0.5-1 OK
libfreetype6 2.3.12-1 OK
libgcc1 4.3.4-3 OK
libgdbm4 1.8.3-20 OK
libgdk_pixbuf2.0_0 2.18.6-1 OK
libgif4 4.1.6-10 OK
libGL1 7.6.1-1 OK
libglib2.0_0 2.22.4-2 OK
libglitz1 0.5.6-10 OK
libgmp3 4.3.1-3 OK
libgtk2.0_0 2.18.6-1 OK
libICE6 1.0.6-1 OK
libiconv2 1.13.1-1 OK
libidn11 1.16-1 OK
libintl3 0.14.5-1 OK
libintl8 0.17-11 OK
libjasper1 1.900.1-1 OK
libjbig2 2.0-11 OK
libjpeg62 6b-21 OK
libjpeg7 7-10 OK
liblzma1 4.999.9beta-10 OK
libncurses10 5.7-18 OK
libncurses8 5.5-10 OK
libncurses9 5.7-16 OK
libopenldap2_3_0 2.3.43-1 OK
libpango1.0_0 1.26.2-1 OK
libpcre0 8.00-1 OK
libpixman1_0 0.16.6-1 OK
libpng12 1.2.35-10 OK
libpopt0 1.6.4-4 OK
libpq5 8.2.11-1 OK
libreadline6 5.2.14-12 OK
libreadline7 6.0.3-2 OK
libsasl2 2.1.19-3 OK
libSM6 1.1.1-1 OK
libssh2_1 1.2.2-1 OK
libssp0 4.3.4-3 OK
libstdc++6 4.3.4-3 OK
libtiff5 3.9.2-1 OK
libwrap0 7.6-20 OK
libX11_6 1.3.3-1 OK
libXau6 1.0.5-1 OK
libXaw3d7 1.5D-8 OK
libXaw7 1.0.7-1 OK
libxcb-render-util0 0.3.6-1 OK
libxcb-render0 1.5-1 OK
libxcb1 1.5-1 OK
libXcomposite1 0.4.1-1 OK
libXcursor1 1.1.10-1 OK
libXdamage1 1.1.2-1 OK
libXdmcp6 1.0.3-1 OK
libXext6 1.1.1-1 OK
libXfixes3 4.0.4-1 OK
libXft2 2.1.14-1 OK
libXi6 1.3-1 OK
libXinerama1 1.1-1 OK
libxkbfile1 1.0.6-1 OK
libxml2 2.7.6-1 OK
libXmu6 1.0.5-1 OK
libXmuu1 1.0.5-1 OK
libXpm4 3.5.8-1 OK
libXrandr2 1.3.0-10 OK
libXrender1 0.9.5-1 OK
libXt6 1.0.7-1 OK
links 1.00pre20-1 OK
login 1.10-10 OK
luit 1.0.5-1 OK
lynx 2.8.5-4 OK
man 1.6e-1 OK
minires 1.02-1 OK
mkfontdir 1.0.5-1 OK
mkfontscale 1.0.7-1 OK
openssh 5.4p1-1 OK
openssl 0.9.8m-1 OK
patch 2.5.8-9 OK
patchutils 0.3.1-1 OK
perl 5.10.1-3 OK
rebase 3.0.1-1 OK
run 1.1.12-11 OK
screen 4.0.3-5 OK
sed 4.1.5-2 OK
shared-mime-info 0.70-1 OK
tar 1.22.90-1 OK
terminfo 5.7_20091114-13 OK
terminfo0 5.5_20061104-11 OK
texinfo 4.13-3 OK
tidy 041206-1 OK
time 1.7-2 OK
tzcode 2009k-1 OK
unzip 6.0-10 OK
util-linux 2.14.1-1 OK
vim 7.2.264-2 OK
wget 1.11.4-4 OK
which 2.20-2 OK
wput 0.6.1-2 OK
xauth 1.0.4-1 OK
xclipboard 1.1.0-1 OK
xcursor-themes 1.0.2-1 OK
xemacs 21.4.22-1 OK
xemacs-emacs-common 21.4.22-1 OK
xemacs-sumo 2007-04-27-1 OK
xemacs-tags 21.4.22-1 OK
xeyes 1.1.0-1 OK
xinit 1.2.1-1 OK
xinput 1.5.0-1 OK
xkbcomp 1.1.1-1 OK
xkeyboard-config 1.8-1 OK
xkill 1.0.2-1 OK
xmodmap 1.0.4-1 OK
xorg-docs 1.5-1 OK
xorg-server 1.7.6-2 OK
xrdb 1.0.6-1 OK
xset 1.1.0-1 OK
xterm 255-1 OK
xz 4.999.9beta-10 OK
zip 3.0-11 OK
zlib 1.2.3-10 OK
zlib-devel 1.2.3-10 OK
zlib0 1.2.3-10 OK
The ssh deamon configuration file:
$ cat /etc/sshd_config
# $OpenBSD: sshd_config,v 1.80 2008/07/02 02:24:18 djm Exp $
# This is the sshd server system-wide configuration file. See
# sshd_config(5) for more information.
# This sshd was compiled with PATH=/bin:/usr/sbin:/sbin:/usr/bin
# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented. Uncommented options change a
# default value.
Port 22
#AddressFamily any
#ListenAddress 0.0.0.0
#ListenAddress ::
# Disable legacy (protocol version 1) support in the server for new
# installations. In future the default will change to require explicit
# activation of protocol 1
Protocol 2
# HostKey for protocol version 1
#HostKey /etc/ssh_host_key
# HostKeys for protocol version 2
#HostKey /etc/ssh_host_rsa_key
#HostKey /etc/ssh_host_dsa_key
# Lifetime and size of ephemeral version 1 server key
#KeyRegenerationInterval 1h
#ServerKeyBits 1024
# Logging
# obsoletes QuietMode and FascistLogging
#SyslogFacility AUTH
#LogLevel INFO
# Authentication:
#LoginGraceTime 2m
#PermitRootLogin yes
StrictModes no
#MaxAuthTries 6
#MaxSessions 10
RSAAuthentication yes
PubkeyAuthentication yes
AuthorizedKeysFile .ssh/authorized_keys
# For this to work you will also need host keys in /etc/ssh_known_hosts
#RhostsRSAAuthentication no
# similar for protocol version 2
#HostbasedAuthentication no
# Change to yes if you don't trust ~/.ssh/known_hosts for
# RhostsRSAAuthentication and HostbasedAuthentication
#IgnoreUserKnownHosts no
# Don't read the user's ~/.rhosts and ~/.shosts files
#IgnoreRhosts yes
# To disable tunneled clear text passwords, change to no here!
#PasswordAuthentication yes
#PermitEmptyPasswords no
# Change to no to disable s/key passwords
#ChallengeResponseAuthentication yes
# Kerberos options
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
#KerberosGetAFSToken no
# GSSAPI options
#GSSAPIAuthentication no
#GSSAPICleanupCredentials yes
# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the ChallengeResponseAuthentication and
# PasswordAuthentication. Depending on your PAM configuration,
# PAM authentication via ChallengeResponseAuthentication may bypass
# the setting of "PermitRootLogin without-password".
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'.
#UsePAM no
AllowAgentForwarding yes
AllowTcpForwarding yes
GatewayPorts yes
X11Forwarding yes
X11DisplayOffset 10
X11UseLocalhost no
#PrintMotd yes
#PrintLastLog yes
TCPKeepAlive yes
#UseLogin no
UsePrivilegeSeparation yes
#PermitUserEnvironment no
#Compression delayed
#ClientAliveInterval 0
#ClientAliveCountMax 3
#UseDNS yes
#PidFile /var/run/sshd.pid
#MaxStartups 10
#PermitTunnel no
#ChrootDirectory none
# no default banner path
#Banner none
# override default of no subsystems
Subsystem sftp /usr/sbin/sftp-server
# Example of overriding settings on a per-user basis
#Match User anoncvs
#X11Forwarding yes
#AllowTcpForwarding yes
#ForceCommand cvs server
I hope this information is enough to solve the problem. In case any more is needed please comment and I'll add it. Thank you for reading!
A colleague encountered that issue last week and he eventually tracked it down to the primary group in /etc/passwd needing to be local admin.
Make sure that the access rights for your
~/.ssh/
and underlying files is 700 or less. Otherwise ssh will ignore your authorized keys.I have three accounts on one machine (Mac OSX) and I setup all of their .ssh/authorized_keys files to contain the id_rsa.pub of the other two. But I could not "ssh" into one of these accounts from either of the other two, yet they could "ssh" to each other.
The answer came from a blog entitled
Debugging SSH public key authentication problems
. My "bad" account had group and public "write" permissions on its home directory. All I had to do waswhere yourname is the bad account, and you are logged into that account, or using "sudo" (root) privileges. Check it out. It worked for me.
Good luck getting an account you log into via Cygwin and sshkey to do any sort of privileged task. I had a problem with this a while ago:
http://www.cygwin.com/ml/cygwin/2007-06/msg00252.html
I ended up implementing a VPN instead, so you can use native Windows tools.
For search purpose: For me it only works, when the private key is named id_rsa. In your verbose message u see, that this is the pattern he looks per default.
otherwise you have to name it "ssh -i .ssh/keyname user@server"