LinuxQuestions.org
Old 07-31-2010, 04:46 AM   #1
timmywo
Member
 
Registered: Nov 2003
Location: London UK
Distribution: CentOS 5
Posts: 68

Rep: Reputation: 15
SSH to work without a password between CentOS & Cygwin


CentOS 5.4
Cygwin CYGWIN_NT-6.0-WOW64 1.7.5(0.225/5/3)

Hi,

I'm trying to set up password-less login from my CentOS server to Win 2008 Server via ssh.

I have followed the fab walk-through here and many others.

When I try to connect I get this msg after a few seconds delay...
Code:
Connection closed by 10.8.0.6
When run with ssh -vv...
Code:
[smegadmin@s ~]$ ssh -vv 10.8.0.6
OpenSSH_4.3p2, OpenSSL 0.9.8e-fips-rhel5 01 Jul 2008
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Applying options for *
debug2: ssh_connect: needpriv 0
debug1: Connecting to 10.8.0.6 [10.8.0.6] port 22.
debug1: Connection established.
debug1: identity file /home/smegadmin/.ssh/identity type -1
debug1: identity file /home/smegadmin/.ssh/id_rsa type -1
debug2: key_type_from_name: unknown key type '-----BEGIN'
debug2: key_type_from_name: unknown key type '-----END'
debug1: identity file /home/smegadmin/.ssh/id_dsa type 2
debug1: loaded 3 keys
debug1: Remote protocol version 2.0, remote software version OpenSSH_5.5
debug1: match: OpenSSH_5.5 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_4.3
debug2: fd 3 setting O_NONBLOCK
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour128,arcfour256,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se,aes128-ctr,aes192-ctr,aes256-ctr
debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour128,arcfour256,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se,aes128-ctr,aes192-ctr,aes256-ctr
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: none,zlib@openssh.com,zlib
debug2: kex_parse_kexinit: none,zlib@openssh.com,zlib
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: none,zlib@openssh.com
debug2: kex_parse_kexinit: none,zlib@openssh.com
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug2: mac_init: found hmac-md5
debug1: kex: server->client aes128-cbc hmac-md5 none
debug2: mac_init: found hmac-md5
debug1: kex: client->server aes128-cbc hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug2: dh_gen_key: priv key bits set: 117/256
debug2: bits set: 457/1024
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug1: Host '10.8.0.6' is known and matches the RSA host key.
debug1: Found key in /home/smegadmin/.ssh/known_hosts:1
debug2: bits set: 531/1024
debug1: ssh_rsa_verify: signature correct
debug2: kex_derive_keys
debug2: set_newkeys: mode 1
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug2: set_newkeys: mode 0
debug1: SSH2_MSG_NEWKEYS received
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug2: service_accept: ssh-userauth
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug2: key: /home/smegadmin/.ssh/identity ((nil))
debug2: key: /home/smegadmin/.ssh/id_rsa ((nil))
debug2: key: /home/smegadmin/.ssh/id_dsa (0x2ab0cde63310)
debug1: Authentications that can continue: publickey,password,keyboard-interactive
debug1: Next authentication method: publickey
debug1: Trying private key: /home/smegadmin/.ssh/identity
debug1: Trying private key: /home/smegadmin/.ssh/id_rsa
debug1: Offering public key: /home/smegadmin/.ssh/id_dsa
debug2: we sent a publickey packet, wait for reply
Connection closed by 10.8.0.6
[smegadmin@s ~]$
I'm a little lost at what to try next, in the end I plan to run rsync over this.

Can anyone give any suggestions from the output above?

thanks in advance!
tim
 
Old 07-31-2010, 06:30 AM   #2
tronayne
Senior Member
 
Registered: Oct 2003
Location: Northeastern Michigan, where Carhartt is a Designer Label
Distribution: Slackware 32- & 64-bit Stable
Posts: 3,541

Rep: Reputation: 1065
When you generated the keys (with ssh-keygen) did you hit the return for the pass phrase?

Did you copy the "doy-pub" file to the other machine and save it in authorized_keys in the ~/.ssh directory?

Do you have a ~/.ssh/conf file containing, roughly, this
Code:
Host hostname-of-the-other-machine
Compression yes
Protocol 2,1
User user-name-on-the-other-machine

Host *
ForwardX11 no
The conf file is not necessary, but it makes life a little easier; it's local to this user, not system-wide.

Can you simply
Code:
ssh hostname
and get a connection (in both directions)?

Do you have the host names in /etc/hosts (it looks like you're using fixed-IP)? The form is
Code:
address     host.domain host
Trick: when you generate the keys, copy the dot-pub file to a file named host (where "host" is the name of this machine); that way, you won't accidentally overwrite the dot-pub on the other one.

Hope this helps some.

Last edited by tronayne; 07-31-2010 at 06:31 AM.
 
Old 07-31-2010, 08:15 AM   #3
timmywo
Member
 
Registered: Nov 2003
Location: London UK
Distribution: CentOS 5
Posts: 68

Original Poster
Rep: Reputation: 15
Hi tronayne,

return for the pass phrase? - yep!

"doy-pub" file - my public key was not called that but I have copied the text from it into the ~/.ssh/authorized_keys file on the client connecting to

Do you have a ~/.ssh/conf file - nope, but I do now. I have done this only on the client connecting to and used IP not host name

Can you simply ssh hostname - yep fine for both ways once I get rid of the keys

Do you have the host names in /etc/hosts - I'm using IPs only, so don't think this matters?


with the new conf file on the client still the same result

if you have any more suggestions please let me know
 
Old 08-07-2010, 02:19 AM   #4
timmywo
Member
 
Registered: Nov 2003
Location: London UK
Distribution: CentOS 5
Posts: 68

Original Poster
Rep: Reputation: 15
hey, if anyone had any suggestions - still stuck on this
 
Old 08-07-2010, 07:44 AM   #5
toothandnail
Member
 
Registered: Apr 2007
Location: Oxfordshire, UK
Distribution: Arch, Sparky, Salix64
Posts: 119

Rep: Reputation: 25
Looking at your debug output, you haven't specified the user name. I would normally expect to use 'ssh <someusername>@<someserver or IP>'. I suspect ssh would be very confused without a user name specified for the server

I would also look at how you copied the public key to the server - I had one user who cut 'n pasted the key, which will cause problems every time. Other than that, it should certainly work. I use keys to log into a number of remote systems, never had a problem with it....

Paul.
 
Old 08-07-2010, 07:57 AM   #6
timmywo
Member
 
Registered: Nov 2003
Location: London UK
Distribution: CentOS 5
Posts: 68

Original Poster
Rep: Reputation: 15
hi,

the user name is the same on both boxes. I tried with adding the username but same result

I copied the key via WinSCP and ran "$ cat /id_dsa.pub >> ~/.ssh/authorized_keys" on the win server via ssh

I guess that's ok?
 
Old 08-08-2010, 01:07 AM   #7
toothandnail
Member
 
Registered: Apr 2007
Location: Oxfordshire, UK
Distribution: Arch, Sparky, Salix64
Posts: 119

Rep: Reputation: 25
Quote:
Originally Posted by timomer
hi,

the user name is the same on both boxes. I tried with adding the username but same result
Looking at the man page, I see there is some allowance to store identity information, so maybe that is why you don't need to specify user name. I'll have to check that some more - I didn't know it existed...

Quote:
I copied the key via WinSCP and ran "$ cat /id_dsa.pub >> ~/.ssh/authorized_keys" on the win server via ssh

I guess that's ok?
I would have thought so. I do wonder a bit though - looking at your debug output, there are these two lines:

Code:
debug2: key_type_from_name: unknown key type '-----BEGIN'
debug2: key_type_from_name: unknown key type '-----END'
which makes me think the key is not being properly recognized. If you check the ~/.ssh/authorized_keys, what does the file look like? It should be a single line, no wrapping, and none of the ones I've looked at have '----BEGIN' in them. Usually a single line of characters followed by an '== <username>@<machine>'.

On a couple of machines, I had to produce two authorized_keys files, one named 'authorized_key' and the other 'authorized_keys2'. That may be specific to some version of OpenSSH though, don't know.

I've just commissioned a new server in my home network. I'll try setting up keys for it and see how it goes. The only other difference I can see is that all my keys have been generated under Linux, not Windows, though I have used Putty to convert some keys for use when I have to be in Windows.

Paul.
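
The format check described in post #7 (one unwrapped line per key, no '-----BEGIN' lines), written out as an added example that is not part of the thread. It assumes only the two key types from the debug log (ssh-rsa, ssh-dss); the function names and the sample key are constructed for illustration.

```python
import base64
import struct

KNOWN_TYPES = {"ssh-rsa", "ssh-dss"}  # host key types seen in the thread's debug log

def pack_blob(*fields):
    """Build an SSH wire-format blob: each field is a 4-byte length plus its bytes."""
    return b"".join(struct.pack(">I", len(f)) + f for f in fields)

def blob_fields(blob):
    """Split a blob into its length-prefixed fields; raise if it is cut short."""
    fields, off = [], 0
    while off < len(blob):
        (n,) = struct.unpack(">I", blob[off:off + 4])  # struct.error if < 4 bytes left
        off += 4
        if off + n > len(blob):
            raise ValueError("field runs past end of blob")
        fields.append(blob[off:off + n])
        off += n
    return fields

def check_authorized_keys(text):
    """Return [(line_number, problem)] for the body of an authorized_keys file."""
    problems = []
    for no, line in enumerate(text.splitlines(), 1):
        words = line.split()
        if not words or words[0].startswith("#"):
            continue
        if words[0].startswith("-----"):
            problems.append((no, "PEM header: private-key format, not a public key line"))
            continue
        # Options may come first, so look for the key type anywhere on the line.
        idx = next((i for i, w in enumerate(words) if w in KNOWN_TYPES), None)
        if idx is None or idx + 1 >= len(words):
            problems.append((no, "no key type followed by key data (wrapped line?)"))
            continue
        try:
            fields = blob_fields(base64.b64decode(words[idx + 1], validate=True))
            inner = fields[0].decode("ascii")
        except (ValueError, IndexError, struct.error):
            problems.append((no, "key data truncated or not base64"))
            continue
        if inner != words[idx]:
            problems.append((no, "declared %s but blob holds %s" % (words[idx], inner)))
    return problems

# Constructed sample: a fake ssh-dss blob (type, p, q, g, y), not a real key.
SAMPLE_BLOB = pack_blob(b"ssh-dss", b"\x01" * 20, b"\x02" * 20, b"\x03" * 20, b"\x04" * 20)
SAMPLE = "ssh-dss " + base64.b64encode(SAMPLE_BLOB).decode() + " user@host"
```

Run it on the server side with `check_authorized_keys(open(path).read())`; an empty list means every key line is a complete, single-line public key of a known type.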
 
Old 08-08-2010, 02:07 AM   #8
timmywo
Member
 
Registered: Nov 2003
Location: London UK
Distribution: CentOS 5
Posts: 68

Original Poster
Rep: Reputation: 15
Hey Paul - many thanks for your reply!

username - sure, as I have tried with and without I guess that's not the cause of this issue

Output from
Code:
cat .ssh/id_dsa.pub
- on the linux box connecting from
Code:
cat .ssh/authorized_keys
- on the Win box connecting to
Is the same on both servers

The
Quote:
debug2: key_type_from_name: unknown key type '-----BEGIN'
debug2: key_type_from_name: unknown key type '-----END'
Is from the private key on the Linux server, for example it starts with...
Code:
[smegadmin@s ~]$ cat .ssh/id_dsa
-----BEGIN DSA PRIVATE KEY-----
MIIBugIBAAKBgQDgk8hOGSMrb3Xh9...
Is this the same for you?

Have created a 'authroized_keys2' but results are the same

The keys have been generated on my Linux server and copied to the Win server that's using Cygwin - is this the same setup you have? - I'm starting to believe that maybe Cygwin is the problem?
 
Old 08-08-2010, 03:06 AM   #9
toothandnail
Member
 
Registered: Apr 2007
Location: Oxfordshire, UK
Distribution: Arch, Sparky, Salix64
Posts: 119

Rep: Reputation: 25
Quote:
Originally Posted by timomer
Hey Paul - many thanks for your reply!
No problem. It's interesting - I use something similar every day, but almost always Linux - Linux....

Quote:
Username - sure, as I have tried with and without I guess that's not the cause of this issue
Fair enough. I've never seen SSH used without a username, but my situation is different - I'm usually logging into a remote server as root.

Quote:
Output from
Code:
cat .ssh/id_dsa.pub
- on the linux box connecting from
Code:
cat .ssh/authorized_keys
- on the Win box connecting to
Is the same on both servers
Oh well, there goes that theory.

Quote:
The

Is from the private key on the Linux server, for example it starts with...
Code:
[smegadmin@s ~]$ cat .ssh/id_dsa
-----BEGIN DSA PRIVATE KEY-----
MIIBugIBAAKBgQDgk8hOGSMrb3Xh9...
Is this the same for you?
Yes, though I don't use DSA keys (all RSA here). I've not looked at the private key for a long time, so had forgotten the format. I'm still puzzled as to the error generated by the --BEGIN and --END lines, since I assume that error is having to come from SSH running under CentOS. From what you say, CentOS generated the key pair, so I don't understand why it should have difficulty with it. Given that the error comes from the private key, I would be inclined to rule Cygwin out as being the cause of the problem - it should know nothing about the private key.

Quote:
Have created a 'authroized_keys2' but results are the same

The keys have been generated on my Linux server and copied to the Win server that's using Cygwin - is this the same setup you have? - I'm starting to believe that maybe Cygwin is the problem?
My situation is a bit different. I maintain a number of SME servers for local small businesses. SME is based on CentOS 4.xx, so it's a bit out of date. I have things set up so that I can SSH into the servers from remote to do normal admin. Since the logins are over the internet, my public/private key pair are protected by a passphrase and I have the SSH daemon listening on a non-standard port. However, in a couple of instances, I log into a gateway server and need to get to an internal server. For those instances, I've set up pretty much exactly what you're trying to do - I've copied the public key from the gateway server to ~/.ssh/authorized_keys on the internal server (in these instances, there is no passphrase) and can then SSH from the gateway server to the internal server. The only difference there is that these are all Linux boxen - no Windows involved.

I've not played with Cygwin for a long time (don't run Windows much), but I'll see if I can set it up to use SSH in my local network - I do have an XP box (customer repair) which I can install it on and try it out. Be a few hours - I'm on shift for another 10 hours yet.

Paul.
 
Old 08-08-2010, 03:26 AM   #10
timmywo
Member
 
Registered: Nov 2003
Location: London UK
Distribution: CentOS 5
Posts: 68

Original Poster
Rep: Reputation: 15
Hey Paul, thank you! If there is any extra info I can give please let me know.

fyi - the reason for this is that I have a web server and an OpenVPN connection from it to my home Windows Server. I'm not worried about using a passphrase as the connection's only allowed over the VPN.

hmm - OpenVPN, maybe should have said this at the start. But all works fine over that connection including SSH without keys
 