Upgraded to copssh 3.0 authentication fails now

noons
Joined: 09.10.2009

I upgraded to copssh 3.0 and authentication fails now. I get an error stating that the user is unable to log in due to too many failed attempts. It does this as soon as I enter the user name. I am using a 4096 RSA key generated with puttygen and have disabled password authentication. I even tried recreating the user key and settings. Nothing seems to work. Is anyone else seeing this same error? As soon as I downgraded to the previous version I was able to authenticate again with no issues.

Northern Jeff
Joined: 06.10.2009

We are having the same problem. We cannot get key authentication to work in version 3.0.0 and we are sure all keys are in the correct locations, are correctly placed, and that permissions are all correct. Key authentication worked in the previous version for us (using the same keys in the same locations on the same machine) but not in this one. We have tried re-creating the authorized_keys files but to no avail. Should this work in version 3.0.0 and has anybody got it to? We get an identical response from different client software (server refused key) whether the PubkeyAuthentication value in the sshd_config file is set to yes or no. 

tk
Joined: 01.05.2008

copSSH version 3.0.1 is now released and should solve the problem.

GMcDonnell
Joined: 01.11.2009

I had an earlier version installed (2.something), it was working fine. I then installed 3.0.1 and am now having the same problem.

I am running on Server 2008 64 bit and have reproduced the problem on Server 2008 R2 64 bit. I have not tried it on Server 2003.

Is this a rights issue or a bug or ?? I really need to get this working quickly.

gpeiffer
Joined: 02.11.2009

I updated my server CopSSH v.1.4.5 to v3.0.1 and am having the same issue reported by others where  Public Key Authentication is failing when sftping to the server.  Password Auth works fine.

If I add the user to the admin group of the server I can login with public key auth.  However, I really don't want this as a permanent solution.  Anyone know how to solve this?

My server is running Windows Server 2003.

One thing to note.  If I setup my account as /bin/bash I can connect using pubkey auth as an SSH session but still can't with an SFTP session.  Don't know why ssh works but sftp doesn't.  Has anyone seen this behavior before?

gpeiffer
Joined: 02.11.2009

After searching around the internet I found that if I edit the sshd_config file and change the line listing the sftp subsystem (should appear near the bottom of the file) from:

Subsystem sftp /bin/sftp-server

to:

Subsystem sftp internal-sftp

then I can SFTP using publickey authentication for a non-administrator user. I don't know if this will solve everyone's problem but it did solve mine. If anyone knows why the one would work when the other doesn't I'd love to know.

PeterBoard (not verified)

I am also having this same issue. However not on all the servers we manage. Some authenticate fine with keys, others don't. We are using the same key pair for a common account across these servers.

I tried the subsystem sftp internal-sftp, but that didn't change anything for me. Both shell and sftp sessions don't work on these boxes. Password authentication does work however.

Debug output of SSHD on a box where it's not working. Hope this might help someone work out what's not happening.

c:\progra~1\openssh\bin\sshd -d -d -d

debug2: load_server_config: filename /etc/sshd_config
debug2: load_server_config: done config len = 210
debug2: parse_server_config: config /etc/sshd_config len 210
debug3: /etc/sshd_config:11 setting Port 22
debug3: /etc/sshd_config:12 setting Protocol 2
debug3: /etc/sshd_config:13 setting ListenAddress 0.0.0.0
debug3: /etc/sshd_config:38 setting StrictModes yes
debug3: /etc/sshd_config:72 setting UsePrivilegeSeparation yes
debug3: /etc/sshd_config:85 setting Subsystem sftp    /bin/sftp-server
debug1: sshd version OpenSSH_5.3p1
debug3: Not a RSA1 key file /etc/ssh_host_rsa_key.
debug1: read PEM private key done: type RSA
debug1: private host key: #0 type 1 RSA
debug3: Not a RSA1 key file /etc/ssh_host_dsa_key.
debug1: read PEM private key done: type DSA
debug1: private host key: #1 type 2 DSA
debug1: rexec_argv[0]='/cygdrive/c/progra~1/openssh/bin/sshd'
debug1: rexec_argv[1]='-d'
debug1: rexec_argv[2]='-d'
debug1: rexec_argv[3]='-d'
debug2: fd 3 setting O_NONBLOCK
debug1: Bind to port 22 on 0.0.0.0.
Server listening on 0.0.0.0 port 22.
debug1: fd 4 clearing O_NONBLOCK
debug1: Server will not fork when running in debugging mode.
debug3: send_rexec_state: entering fd = 7 config len 210
debug3: ssh_msg_send: type 0
debug3: send_rexec_state: done
debug1: rexec start in 4 out 4 newsock 4 pipe -1 sock 7
debug1: inetd sockets after dupping: 3, 3
Connection from <ip removed> port 3728
debug1: Client protocol version 2.0; client software version PuTTY-Release-0.53b

debug1: no match: PuTTY-Release-0.53b
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_5.3
debug2: fd 3 setting O_NONBLOCK
debug2: Network child is on pid 5808
debug3: preauth child monitor started
debug3: mm_request_receive entering
debug1: list_hostkey_types: ssh-rsa,ssh-dss
debug1: SSH2_MSG_KEXINIT sent
debug3: Wrote 784 bytes for a total of 805
debug1: SSH2_MSG_KEXINIT received
debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: none,zlib@openssh.com
debug2: kex_parse_kexinit: none,zlib@openssh.com
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
debug2: kex_parse_kexinit: aes256-cbc,rijndael256-cbc,rijndael-cbc@lysator.liu.se,aes192-cbc,rijndael192-cbc,aes128-cbc,rijndael128-cbc,blowfish-cbc,3des-cbc
debug2: kex_parse_kexinit: aes256-cbc,rijndael256-cbc,rijndael-cbc@lysator.liu.se,aes192-cbc,rijndael192-cbc,aes128-cbc,rijndael128-cbc,blowfish-cbc,3des-cbc
debug2: kex_parse_kexinit: hmac-sha1,hmac-md5,none
debug2: kex_parse_kexinit: hmac-sha1,hmac-md5,none
debug2: kex_parse_kexinit: none,zlib,none
debug2: kex_parse_kexinit: none,zlib,none
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug2: mac_setup: found hmac-sha1
debug1: kex: client->server aes256-cbc hmac-sha1 none
debug2: mac_setup: found hmac-sha1
debug1: kex: server->client aes256-cbc hmac-sha1 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST_OLD received
debug3: mm_request_send entering: type 0
debug3: mm_choose_dh: waiting for MONITOR_ANS_MODULI

debug3: monitor_read: checking request 0

debug3: mm_request_receive_expect entering: type 1

debug3: mm_answer_moduli: got parameters: 1024 2048 8192

debug3: mm_request_receive entering
debug3: mm_request_send entering: type 1
debug2: monitor_read: 0 used once, disabling now

debug3: mm_choose_dh: remaining 0

debug3: mm_request_receive enteringdebug1: SSH2_MSG_KEX_DH_GEX_GROUP sent

debug3: Wrote 280 bytes for a total of 1085
debug2: dh_gen_key: priv key bits set: 246/512
debug2: bits set: 1017/2048
debug1: expecting SSH2_MSG_KEX_DH_GEX_INIT
debug2: bits set: 1051/2048
debug3: mm_key_sign entering
debug3: mm_request_send entering: type 4
debug3: mm_key_sign: waiting for MONITOR_ANS_SIGN

debug3: monitor_read: checking request 4

debug3: mm_request_receive_expect entering: type 5debug3: mm_answer_sign

debug3: mm_request_receive entering
debug3: mm_answer_sign: signature 0x10453380(271)
debug3: mm_request_send entering: type 5
debug2: monitor_read: 4 used once, disabling now

debug1: SSH2_MSG_KEX_DH_GEX_REPLY sent

debug2: kex_derive_keysive entering

debug2: set_newkeys: mode 1
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug3: Wrote 848 bytes for a total of 1933
debug2: set_newkeys: mode 0
debug1: SSH2_MSG_NEWKEYS received
debug1: KEX done
debug3: Wrote 52 bytes for a total of 1985
debug1: userauth-request for user <username removed> service ssh-connection method none

debug1: attempt 0 failures 0
debug3: mm_getpwnamallow entering
debug3: mm_request_send entering: type 6
debug3: mm_getpwnamallow: waiting for MONITOR_ANS_PWNAM

debug3: monitor_read: checking request 6

debug3: mm_request_receive_expect entering: type 7

debug3: mm_answer_pwnamallow

debug3: mm_request_receive entering
debug3: Trying to reverse map address <ip removed>.
debug2: parse_server_config: config reprocess config len 210
debug3: mm_answer_pwnamallow: sending MONITOR_ANS_PWNAM: 1
debug3: mm_request_send entering: type 7
debug2: input_userauth_request: setting up authctxt for <username removed>

debug3: mm_inform_authserv entering

debug3: mm_request_send entering: type 3
debug2: input_userauth_request: try method none

debug3: monitor_read: checking request 3

debug3: mm_auth_password entering

debug3: mm_answer_authserv: service=ssh-connection, style=

debug3: mm_request_send entering: type 10

debug2: monitor_read: 3 used once, disabling now

debug3: mm_request_receive entering

debug3: mm_auth_password: waiting for MONITOR_ANS_AUTHPASSWORD

debug3: mm_request_receive_expect entering: type 11

debug3: monitor_read: checking request 10

debug3: mm_request_receive entering

debug3: mm_answer_authpassword: sending result 0

debug3: mm_request_send entering: type 11
Failed none for <username removed> from <ip removed> port 3728 ssh2

debug3: mm_auth_password: user not authenticated

debug3: mm_request_receive entering
debug3: Wrote 84 bytes for a total of 2069
debug1: userauth-request for user <username removed> service ssh-connection method publickey
debug1: attempt 1 failures 0
debug2: input_userauth_request: try method publickey
debug1: test whether pkalg/pkblob are acceptable
debug3: mm_key_allowed entering
debug3: mm_request_send entering: type 20
debug3: mm_key_allowed: waiting for MONITOR_ANS_KEYALLOWED

debug3: monitor_read: checking request 20

debug3: mm_request_receive_expect entering: type 21

debug3: mm_answer_keyallowed entering

debug3: mm_request_receive entering

debug3: mm_answer_keyallowed: key_from_blob: 0x10454de0

debug1: temporarily_use_uid: 1007/545 (e=400/401)
seteuid 1007: Permission denied
debug1: do_cleanup
debug1: do_cleanup
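
The debug output above ends at a temporarily_use_uid line followed by a seteuid failure, with no further authentication messages after it. As an added example that is not part of the original post, this Python script extracts that failure point from an sshd debug log; the sample log is constructed (user alice and address 192.0.2.10 are placeholders) and the function names are hypothetical.

```python
import re

# Constructed sample: the tail of an `sshd -d -d -d` run shaped like the one
# posted above, including a fused line where two processes wrote at once.
SAMPLE = """\
debug1: userauth-request for user alice service ssh-connection method none
Failed none for alice from 192.0.2.10 port 3728 ssh2
debug3: mm_request_receive enteringdebug1: userauth-request for user alice service ssh-connection method publickey
debug1: test whether pkalg/pkblob are acceptable
debug3: mm_answer_keyallowed: key_from_blob:
0x10454de0
debug1: temporarily_use_uid: 1007/545 (e=400/401)
seteuid 1007: Permission denied
debug1: do_cleanup
"""

AUTH = re.compile(r"userauth-request for user (\S+) service \S+ method (\S+)")
FAILED = re.compile(r"Failed (\S+) for (\S+) from")
USE_UID = re.compile(r"temporarily_use_uid: (\d+)/(\d+) \(e=(\d+)/(\d+)\)")
SETEUID = re.compile(r"seteuid (\d+): (.+)")

def diagnose(log_text):
    """Return a dict describing where authentication stopped."""
    state = {"user": None, "method": None, "failed_methods": [],
             "target_uid": None, "daemon_euid": None, "fatal": None}
    for line in log_text.splitlines():
        # search(), not match(): interleaved output can fuse two messages.
        if m := AUTH.search(line):
            state["user"], state["method"] = m.group(1), m.group(2)
        if m := FAILED.search(line):
            state["failed_methods"].append(m.group(1))
        if m := USE_UID.search(line):
            # uid/gid of the account, then the daemon's effective uid/gid
            state["target_uid"] = int(m.group(1))
            state["daemon_euid"] = int(m.group(3))
        if m := SETEUID.search(line):
            # the daemon could not take on the account's identity
            state["fatal"] = f"seteuid({m.group(1)}) refused: {m.group(2).strip()}"
    return state

def summary(state):
    if state["fatal"] and state["target_uid"] is not None:
        return (f"{state['method']} auth for {state['user']} aborted: daemon euid "
                f"{state['daemon_euid']} could not switch to uid "
                f"{state['target_uid']} ({state['fatal']})")
    return "no privilege-switch failure found"

if __name__ == "__main__":
    print(summary(diagnose(SAMPLE)))
```

A result naming a seteuid refusal points at the rights of the account the sshd service runs under, not at the key files or the authorized_keys contents.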

PeterBoard (not verified)

I will try to backtrack through versions to find one that works.

gpeiffer
Joined: 02.11.2009

Did you restart the Openssh SSHD service after you made the change?

PeterBoard (not verified)

I uninstalled CopSSH 3.0.1 first, so the service was shut down. I then reinstalled 2.1.1.

Of the boxes that I have deployed 3.0.1 to, 16 so far have been ok, 2 have had this problem.

PeterBoard (not verified)

I have another two more with this problem, but 8 more that are ok. Trying to figure out what's common between them.

I use the switch shell to provide a windows command prompt, it spawns an sh.exe process. On a few of these boxes that are not working I get the following message when I log in:

spawn_guts: CreateWindowStation failed, Win32 error 5

Any idea what this means?