
Windows Cygwin OpenSSH

Status
Not open for further replies.

melfineo

IS-IT--Management
Feb 19, 2008
Hi all, I am just enjoying my first experience with UNIX type stuff but I am completely stumped with syntax etc. I have installed OpenSSH on my Windows machine, which is working nicely, and I can gain access using PuTTY. I am however trying to set up public key authentication and turn off passwords but am not having much luck. I have managed to turn password authentication off in the sshd_config file and key auth is enabled for rsa and dsa. I kind of need a step by step guide. At the moment I am just being told key refused.

I have tried creating some keys with the keygen util within Cygwin, which get created in my home\.ssh folder, and converting the private key into PuTTY format using puttygen and using that in PuTTY. I am not sure about an authorized_keys file, how to create it and where it should go; I think this may be where I am going wrong. I have also tried generating both keys with puttygen but get the same message.

Another thing I would like to know how to do is to be able to look at the log which shows logon attempts but I have no idea how to do this?

Any help would be greatly appreciated!
 
Hi thedaver

Apologies, I thought that with Cygwin being a Linux-like environment for Windows and that OpenSSH runs on it this would be the most likely forum to post my question in. Will it be okay for me to post this in Windows forums as well or can it be moved?

 
There should be a hidden .ssh directory under your home directory in Cygwin. You should create your keys in there using OpenSSH ssh-keygen, and then you can simply copy or rename the id_xyz.pub file to authorized_keys. Import the private key (id_xyz) into PuTTY using puttygen, specify it in the Connection / SSH / Auth section in the PuTTY config for your connection, and that should do the trick.

Annihilannic.
 
I keep getting a key refused message for some reason.

I have tried as you suggested as well as the instructions here:
Password authentication is working okay but I want to turn it off.

This is the etc/sshd_config file:

# $OpenBSD: sshd_config,v 1.77 2008/02/08 23:24:07 djm Exp $

# This is the sshd server system-wide configuration file. See
# sshd_config(5) for more information.

# This sshd was compiled with PATH=/bin:/usr/sbin:/sbin:/usr/bin

# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented. Uncommented options change a
# default value.

Port 40101
#AddressFamily any
#ListenAddress 0.0.0.0
#ListenAddress ::

# Disable legacy (protocol version 1) support in the server for new
# installations. In future the default will change to require explicit
# activation of protocol 1
Protocol 2

# HostKey for protocol version 1
#HostKey /etc/ssh_host_key
# HostKeys for protocol version 2
HostKey /etc/ssh_host_rsa_key
HostKey /etc/ssh_host_dsa_key

# Lifetime and size of ephemeral version 1 server key
#KeyRegenerationInterval 1h
#ServerKeyBits 768

# Logging
# obsoletes QuietMode and FascistLogging
#SyslogFacility AUTH
#LogLevel INFO

# Authentication:

#LoginGraceTime 2m
PermitRootLogin no
StrictModes yes
MaxAuthTries 3

RSAAuthentication yes
PubkeyAuthentication yes
AuthorizedKeysFile .ssh/authorized_keys

# For this to work you will also need host keys in /etc/ssh_known_hosts
RhostsRSAAuthentication no
# similar for protocol version 2
HostbasedAuthentication no
# Change to yes if you don't trust ~/.ssh/known_hosts for
# RhostsRSAAuthentication and HostbasedAuthentication
IgnoreUserKnownHosts yes
# Don't read the user's ~/.rhosts and ~/.shosts files
#IgnoreRhosts yes

# To disable tunneled clear text passwords, change to no here!
PasswordAuthentication yes
PermitEmptyPasswords no

# Change to no to disable s/key passwords
ChallengeResponseAuthentication no

# Kerberos options
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
#KerberosGetAFSToken no

# GSSAPI options
#GSSAPIAuthentication no
#GSSAPICleanupCredentials yes

# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the ChallengeResponseAuthentication and
# PasswordAuthentication. Depending on your PAM configuration,
# PAM authentication via ChallengeResponseAuthentication may bypass
# the setting of "PermitRootLogin without-password".
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'.
#UsePAM no

#AllowTcpForwarding yes
#GatewayPorts no
X11Forwarding yes
X11DisplayOffset 10
#X11UseLocalhost yes
#PrintMotd yes
#PrintLastLog yes
#TCPKeepAlive yes
#UseLogin no
UsePrivilegeSeparation yes
#PermitUserEnvironment no
#Compression delayed
#ClientAliveInterval 0
#ClientAliveCountMax 3
#UseDNS yes
#PidFile /var/run/sshd.pid
#MaxStartups 10
#PermitTunnel no
#ChrootDirectory none

# no default banner path
Banner /etc/banner.txt

# override default of no subsystems
Subsystem sftp /usr/sbin/sftp-server

# Example of overriding settings on a per-user basis
#Match User anoncvs
# X11Forwarding no
# AllowTcpForwarding no
# ForceCommand cvs server
 
If you want to turn off pass. auth. then change:

PasswordAuthentication yes

to no, and restart ssh daemon.

If your key gets refused, it could be that you have not set restrictive ownership on the .ssh directory, but you should also bear in mind that putty key generator and ssh are not the same. What I usually do is to convert putty's key with puttygen, as I recall it's -i or -e option, to import key and you make an output to auth. keys file.
If you don't find what I'm talking about in man pages of ssh-keygen, I'll try to make a key like that (haven't made a key recently).
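A check for the change described in the post above, as an added example that is not part of the thread: it reports the global authentication settings sshd would take from a config file, where the first uncommented value of a keyword wins and a commented line has no effect. The function names are made up for this example, unset keywords are assumed to default to `yes`, and `Match` blocks are not evaluated.

```shell
#!/bin/sh
# Added example: report the authentication settings sshd would read from a config file.
# sshd keeps the first value it reads for each keyword; commented lines do nothing.

# effective_value FILE KEYWORD -> first uncommented global value, lower-cased (empty if unset)
effective_value() {
    awk -v want="$2" '
        /^[ \t]*#/ || /^[ \t]*$/ { next }       # skip comments and blank lines
        tolower($1) == "match"   { exit }       # global section ends at the first Match
        tolower($1) == tolower(want) { print tolower($2); exit }
    ' "$1"
}

# audit_auth FILE -> 0 when only public-key login is enabled globally, 1 otherwise
audit_auth() {
    cfg=$1
    rc=0
    for kw in PasswordAuthentication ChallengeResponseAuthentication; do
        v=$(effective_value "$cfg" "$kw")
        # Assumption: an unset keyword falls back to "yes"
        if [ "${v:-yes}" != "no" ]; then
            echo "FAIL $kw = ${v:-yes (default)}"
            rc=1
        fi
    done
    v=$(effective_value "$cfg" PubkeyAuthentication)
    if [ "${v:-yes}" != "yes" ]; then
        echo "FAIL PubkeyAuthentication = $v"
        rc=1
    fi
    [ "$rc" -eq 0 ] && echo "OK   password logins disabled, public-key login enabled"
    return $rc
}

# demo: constructed config where a commented "no" precedes the active "yes"
demo() {
    f=$(mktemp)
    printf '%s\n' '#PasswordAuthentication no' 'PasswordAuthentication yes' \
        'ChallengeResponseAuthentication no' 'PubkeyAuthentication yes' > "$f"
    audit_auth "$f"; r=$?
    rm -f "$f"
    return $r
}

# Usage: sh audit.sh /etc/sshd_config
if [ "$#" -gt 0 ]; then audit_auth "$1"; fi
```
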
 
Try running the sshd in debugging mode (the -d option), that will give you the reason why it's refusing the key authentication.

Annihilannic.
 
Thanks for the advice, I have finally got it working!

I created the keys with putty and imported the public key to ssh as suggested.

$ ssh-keygen -i -f id_rsa >> .ssh/authorized_keys

I then ran

$ chmod 755 ~
$ chmod 755 ~/.ssh
$ chmod 644 ~/.ssh/authorized_keys

And Bob's your uncle.
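With `StrictModes yes`, as in the sshd_config posted earlier in the thread, sshd will not use authorized_keys if the file, `~/.ssh` or the home directory is writable by group or others, or is owned by someone other than the user (or root). The script below is an added example, not part of the thread, that applies the same test to the three paths; `check_path` and `check_strictmodes` are names made up here.

```shell
#!/bin/sh
# Added example: emulate the permission test sshd applies when StrictModes is "yes".

# check_path PATH -> prints a finding and returns 1 if PATH would fail the test
check_path() {
    p=$1
    [ -e "$p" ] || { echo "MISSING   $p"; return 1; }
    mode=$(ls -ld "$p" | cut -c1-10)          # e.g. drwxr-xr-x
    gw=$(printf '%s' "$mode" | cut -c6)       # group write bit
    ow=$(printf '%s' "$mode" | cut -c9)       # other write bit
    rc=0
    if [ "$gw" = "w" ] || [ "$ow" = "w" ]; then
        echo "WRITABLE  $p ($mode): group/other write bit set"
        rc=1
    fi
    # -O is true when the path is owned by the user running this script
    if [ ! -O "$p" ]; then
        echo "OWNER     $p is not owned by the current user"
        rc=1
    fi
    return $rc
}

# check_strictmodes HOME_DIR -> 0 if all three paths pass, 1 otherwise
check_strictmodes() {
    home=$1
    failed=0
    for p in "$home" "$home/.ssh" "$home/.ssh/authorized_keys"; do
        check_path "$p" || failed=1
    done
    [ "$failed" -eq 0 ] && echo "OK        $home passes the StrictModes checks"
    return $failed
}

# Usage: sh strictmodes.sh "$HOME"   (run as the account that logs in)
if [ "$#" -gt 0 ]; then check_strictmodes "$1"; fi
```
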
 