I've setup Cygwin and want to ssh with domain user account on windows server 2012 R2. It works fine if I start the sshd service with "Local system account" but if I start the service with a cygserver local account or domain\cygserver then the service starts fine but when I try to ssh I see the message sshd: PID 1944: fatal: seteuid 1801: No such device or address.
ssh in verbose mode on the client shows the following:
debug1: Authentication succeeded (publickey).
Connection to 10.10.10.10 closed by remote host.
Connection to 10.10.10.10 closed.
debug1: Exit status -1
Some articles like https://blog.peterwurst.com/2016/09/15/ssh-server-on-windows-with-cygwin/ suggest to enable the following GPO with cygserver account in it. I tried them still the same error.
Act as part of the operating system
Create a token object
Log on as a service
Replace a process level token
I've verified .ssh and authorized_keys permission and the user home directory exists and also passwd file has the /bin/bash shell for the user.
Any suggestion on how to resolve this issue?
I had this issue, and the solution was to start the CYGWIN ntsec servicem, before starting the CYGWIN OpenSSH service.
Verify the subject user and SSHD account are not locked / disabled.
Confirm that password login works. PKI and password login take different paths to create a process token.
I also had this issue in the log
seteuid XXXXXXXX: No such device or address
and this made the trick
passwd -R
Related
I'm trying to SSH into AKS windows node using this reference which created debugging Linux node, and ssh into the windows node from the debugging node. Once I enter the Linux node and try to SSH into the windows node, it asks me to type in azureuser password like below:
azureuser#10.240.0.128's password:
Permission denied, please try again.
What is azureuser#(windows node internal IP address)'s password? Is it my azure service password or is it a WindowsProfileAdminUserPassword that I pass in when I create an AKS cluster using New-AzAksCluster cmdlet? Or is it my ssh keypair password? If I do not know what it is, is there a way I can reset it? Or is there a way I can create a Windows node free from credentials? Any help is appreciated. Thanks ahead!
It looks like you're trying to login with your password, not your ssh key. Look for the explanation between those methods. These are two different authentication methods. If you want to ssh to your node, you need to chose ssh with key authentication. You can do this by running the command:
ssh -i <id_rsa> azureuser#<your.ip.adress>
But before this, you need to create key pair. It is well done described in this section. Then you can create the SSH connection to a Linux node. You have everything described in detail, step by step, in the documentation you provide.
When you configure everything correctly, you will be able to log into the node using the ssh key pair. You won't need a password. When you execute the command
ssh -i <id_rsa> azureuser#<your.ip.adress>
you should see an output like this:
The authenticity of host '10.240.0.67 (10.240.0.67)' can't be established.
ECDSA key fingerprint is SHA256:1234567890abcdefghijklmnopqrstuvwxyzABCDEFG.
Are you sure you want to continue connecting (yes/no)? yes
[...]
Microsoft Windows [Version 10.0.17763.1935]
(c) 2018 Microsoft Corporation. All rights reserved.
When you see Are you sure you want to continue connecting (yes/no)? you need to write yes and confirm using Enter.
I successfully added remote (private) GitLab account under Windows 10 in GitAhead but under a Linux openSUSE Leap 15 I got "Connection failed: SSL handshake failed".
Note that I can clone, pull, fetch, commit, push in repositories from repositories in the GitLab I want to add, I also tried to reset SSH handshake with:
$ ssh-keygen -R gitlab.mydomain.net
# Host gitlab.mydomain.net found: line 31
/home/user/.ssh/known_hosts updated.
Original contents retained as /home/user/.ssh/known_hosts.old
$ ssh git#gitlab.mydomain.net
The authenticity of host 'gitlab.mydomain.net (<IP>)' can't be established.
ECDSA key fingerprint is SHA256:**************.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'gitlab.mydomain.net,<IP>' (ECDSA) to the list of known hosts.
Welcome to GitLab, #UserName!
Connection to gitlab.mydomain.net closed.
But it still does not work, anyone knows if there is something to configure to allow it under Linux ?
Thanks
For a starter, check the rights on directories on the server-side. The home-dir as well as the .ssh-dir should be treated with chmod 700. The same is true for the key files.
You should aim for a passwordless login on your server. As soon as this works, GitAhead should be fine. If you have a Git-Shell in your server-side /etc/passwd, replace it by /bin/sh for the sake of sending your pubkey: On the client, enter ssh-copy-id -i yourprivatekeyfile somerandomgituser#ipofyourgitserver. After that, if successful, you can reset the /etc/passwd line back to the Git-Shell.
First i will explain my architecture briefly
Openldap Server: Ubuntu 14.04 machine with openldap installed. I followed this article
https://www.digitalocean.com/community/tutorials/how-to-install-and-configure-a-basic-ldap-server-on-an-ubuntu-12-04-vps
I have added schema for sshpublickey for every posix account
OpenLDAP client: Ubuntu 14.04 with libpam-ldap nscd installed. Again i followed digital ocean link.
https://www.digitalocean.com/community/tutorials/how-to-authenticate-client-computers-using-ldap-on-an-ubuntu-12-04-vps
I changed sshd_config file on OpenLDAP client machine and provided AuthorizedKeysCommand /my/script which queries ldap server and gets sshkey and then i have a key based ssh authentication.
This is working fine so far. Also i have a ubuntu user which is a local user and is not managed by LDAP.
Now when i stop the slapd daemon on Openldap Server machine then
my active ssh session as ubuntu user on client machine hangs(not able to restart any service or run basic commands like ls or cat). Even when i try to login into client machine as ubuntu user which is not managed by LDAP, it fails(it succeeds the authentication but fails to get enviornment variable and open an interactive session )
Excerpt from ssh -v ubuntu#IP
debug1: Authentication succeeded (publickey).
Authenticated to 54.200.221.217 ([54.200.221.217]:22).
debug1: channel 0: new [client-session]
debug1: Requesting no-more-sessions#openssh.com
debug1: Entering interactive session.
It stucks there and then timedout.
What is the reason behind this? Also is there any flaw with my architecture. I don't want password based ssh as it is prone to hacking.
The reason is that you stopped slapd, of course, and the cure is not to do it. It should be running at all times.
I am running a Debian 7 Wheezy server and are having problems with connecting to other servers over SSH. This problem only occurs while running SSH through crontab, and not otherwise (logged in as the same user of course).
While running a ssh command as this user through crontab, I get the following problem:
Host key verification failed.
I have removed the ~/.ssh/known_hosts file and manually connected to the server in order for the host key to be correct.
When running SSH with the -v flag, I get the following:
debug1: read_passphrase: can't open /dev/tty: No such device or address
Host key verification failed.
If i list /dev/tty it has 666 permissions:
crw-rw-rw- 1 root root 5, 0 Jun 21 15:49 /dev/tty
I have also manually set the permissions to 666 after I listed /dev/tty in order to be entirely sure.
Why does SSH say it can't read /dev/tty? I've been exploring this for weeks and havn't found an answer. Does anyone have a clue?
I am trying to connect to a new user account I created via SSH with the command
useradd -s /bin/false -d /home/username james
I added/edited the password via SSH with the command
passwd james
When trying to connect to my server using this user and pass via FileZilla I get the following error messages.
Response: 331 User James OK. Password required
Command: PASS *****
Response: 530 Login authentication failed
Error: Critical error
Error: Could not connect to server
When I try to login with this user/pass through SFTP I get the following error messages
Status: Connected to domain.com
Error: Connection closed by server with exitcode 1
Error: Could not connect to server
Either way it seems it doesn't allow me to use this newuser anywhere.
My server details
Linux 2.6.18-308.11.1.el5 GNU/Linux
(Red Hat 4.1.2-52)
Centos
Regarding FTP, the FTP server commonly used on Linux systems requires users to have a shell that's listed in the file /etc/shells. For example, this online ftpd man page says that, among other things, "The user must have a standard shell returned by getusershell(3).". The page for getusershell() shows that it reads shells from /etc/shells.
You could probably make FTP work adding /bin/false to /etc/shells. Your Linux system might have a more suitable shell available, like /usr/sbin/nologin.
Regarding SFTP, the ssh server normally provides SFTP service by by invoking a program called sftp-server. If you examine the server's sshd_config file, you'll probably find a line like this:
Subsystem sftp /usr/lib/openssh/sftp-server
sshd runs the subsystem program as a shell command, using the user's shell. If you set the user's shell to /bin/false, then sshd ends up running the command:
/bin/false -c /usr/lib/openssh/sftp-server
/bin/false ignores its command-line arguments and exits with code 1, so the SFTP client's session drops immediately after it starts.
sshd has an internal SFTP server component that can be used instead of the external program. The usual way of limiting SSH access to SFTP for some users is to set up a Match group within sshd_config, forcing the internal-sftp command for certain classes of users. Here are a couple examples of that:
http://en.wikibooks.org/wiki/OpenSSH/Cookbook/SFTP#SFTP-only_Accounts
https://serverfault.com/questions/354615/allow-sftp-but-disallow-ssh
Dont use "-s /bin/false". Use "-s /sbin/nologin" instead and it should be fine.
Make sure your account password hasn't expired. Mine did, and Filezilla exited with error code 1.
After logging onto the server and updating the account password (prompted immediately after connecting), I am now able to connect with SFTP & Filezilla.
Probably is a password related issue, check account
chage -l <user>
account must not be expired.
FTP doesn't allow /usr/sbin/nologin user
Response: 220 Welcome to the Scent Library's File Service.
Command: USER ftpuser
Response: 331 Please specify the password.
Command: PASS ******
Response: 530 Login incorrect.
filezilla 530 error - but password is correct
vsftpd: 530 Login incorrect
530 Login or password incorrect!
How can I connect via FTP using FileZilla? I get a 530 error.
Response: 220 Welcome to Test FTP service.
Command: USER ftpuser
Response: 331 Please specify the password.
Command: PASS ******
Response: 530 Login incorrect.
Error: Critical error
Error: Could not connect to server
Change user's shell
usermod -s /usr/sbin/nologin username
Then edit "/etc/shells" file and add this line
/usr/sbin/nologin
In order to connect to the server using ftp, you also need to run a ftp server / service or daemon.
An example of such ftp server is "vsftpd"
After installing it, you will also need to configure it and allow anonymous ftp access or ftp access to existing users
You will find the configuration file in the path "/etc/vsftpd/vsftpd.conf"
The below link might be useful for you --
https://www.digitalocean.com/community/tutorials/how-to-set-up-vsftpd-on-centos-6--2