Problem using a public key when connecting to an SSH server running on Cygwin

6

We installed Cygwin on a Windows Server 2008 machine and it works very well. Unfortunately, we still have one big problem. We want to connect using a public key over SSH, which does not work. It always falls back to password login.

We added our public key to ~/.ssh/authorized_keys on the server, and we have our private and public keys in ~/.ssh/id_dsa and ~/.ssh/id_dsa.pub respectively on the client.

When debugging the SSH login session, we see that the key is offered, but the server apparently rejects it for some unknown reason.

The SSH output when connecting from an Ubuntu 9.10 desktop with debug information enabled:

$ ssh -v 192.168.10.11

OpenSSH_5.1p1 Debian-6ubuntu2, OpenSSL 0.9.8g 19 Oct 2007
debug1: Reading configuration data /home/myuseraccount/.ssh/config
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Applying options for 
debug1: Connecting to 192.168.10.11 [192.168.10.11] port 22.
debug1: Connection established.
debug1: identity file /home/myuseraccount/.ssh/identity type -1
debug1: identity file /home/myuseraccount/.ssh/id_rsa type -1
debug1: identity file /home/myuseraccount/.ssh/id_dsa type 2
debug1: Checking blacklist file /usr/share/ssh/blacklist.DSA-1024
debug1: Checking blacklist file /etc/ssh/blacklist.DSA-1024
debug1: Remote protocol version 2.0, remote software version OpenSSH_5.3
debug1: match: OpenSSH_5.3 pat OpenSSH
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_5.1p1 Debian-6ubuntu2
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes128-cbc hmac-md5 none
debug1: kex: client->server aes128-cbc hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug1: Host '192.168.10.11' is known and matches the RSA host key.
debug1: Found key in /home/myuseraccount/.ssh/known_hosts:12
debug1: ssh_rsa_verify: signature correct
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey,password,keyboard-interactive
debug1: Next authentication method: publickey
debug1: Offering public key: /home/myuseraccount/.ssh/id_dsa
debug1: Authentications that can continue: publickey,password,keyboard-interactive
debug1: Trying private key: /home/myuseraccount/.ssh/identity
debug1: Trying private key: /home/myuseraccount/.ssh/id_rsa
debug1: Next authentication method: keyboard-interactive
debug1: Authentications that can continue: publickey,password,keyboard-interactive
debug1: Next authentication method: password
[email protected]'s password: 

The Cygwin version:

$ uname -a
CYGWIN_NT-6.0 servername 1.7.1(0.218/5/3) 2009-12-07 11:48 i686 Cygwin

The installed packages:

$ cygcheck -c
Cygwin Package Information
Package              Version             Status
_update-info-dir     00871-1             OK
alternatives         1.3.30c-10          OK
arj                  3.10.22-1           OK
aspell               0.60.5-1            OK
aspell-en            6.0.0-1             OK
aspell-sv            0.50.2-2            OK
autossh              1.4b-1              OK
base-cygwin          2.1-1               OK
base-files           3.9-3               OK
base-passwd          3.1-1               OK
bash                 3.2.49-23           OK
bash-completion      1.1-2               OK
bc                   1.06-2              OK
bzip2                1.0.5-10            OK
cabextract           1.1-1               OK
compface             1.5.2-1             OK
coreutils            7.0-2               OK
cron                 4.1-59              OK
crypt                1.1-1               OK
csih                 0.9.1-1             OK
curl                 7.19.6-1            OK
cvs                  1.12.13-10          OK
cvsutils             0.2.5-1             OK
cygrunsrv            1.34-1              OK
cygutils             1.4.2-1             OK
cygwin               1.7.1-1             OK
cygwin-doc           1.5-1               OK
cygwin-x-doc         1.1.0-1             OK
dash                 0.5.5.1-2           OK
diffutils            2.8.7-2             OK
doxygen              1.6.1-2             OK
e2fsprogs            1.35-3              OK
editrights           1.01-2              OK
emacs                23.1-10             OK
emacs-X11            23.1-10             OK
file                 5.04-1              OK
findutils            4.5.5-1             OK
flip                 1.19-1              OK
font-adobe-dpi75     1.0.1-1             OK
font-alias           1.0.2-1             OK
font-encodings       1.0.3-1             OK
font-misc-misc       1.1.0-1             OK
fontconfig           2.8.0-1             OK
gamin                0.1.10-10           OK
gawk                 3.1.7-1             OK
gettext              0.17-11             OK
gnome-icon-theme     2.28.0-1            OK
grep                 2.5.4-2             OK
groff                1.19.2-2            OK
gvim                 7.2.264-1           OK
gzip                 1.3.12-2            OK
hicolor-icon-theme   0.11-1              OK
inetutils            1.5-6               OK
ipc-utils            1.0-1               OK
keychain             2.6.8-1             OK
less                 429-1               OK
libaspell15          0.60.5-1            OK
libatk1.0_0          1.28.0-1            OK
libaudio2            1.9.2-1             OK
libbz2_1             1.0.5-10            OK
libcairo2            1.8.8-1             OK
libcurl4             7.19.6-1            OK
libdb4.2             4.2.52.5-2          OK
libdb4.5             4.5.20.2-2          OK
libexpat1            2.0.1-1             OK
libfam0              0.1.10-10           OK
libfontconfig1       2.8.0-1             OK
libfontenc1          1.0.5-1             OK
libfreetype6         2.3.12-1            OK
libgcc1              4.3.4-3             OK
libgdbm4             1.8.3-20            OK
libgdk_pixbuf2.0_0   2.18.6-1            OK
libgif4              4.1.6-10            OK
libGL1               7.6.1-1             OK
libglib2.0_0         2.22.4-2            OK
libglitz1            0.5.6-10            OK
libgmp3              4.3.1-3             OK
libgtk2.0_0          2.18.6-1            OK
libICE6              1.0.6-1             OK
libiconv2            1.13.1-1            OK
libidn11             1.16-1              OK
libintl3             0.14.5-1            OK
libintl8             0.17-11             OK
libjasper1           1.900.1-1           OK
libjbig2             2.0-11              OK
libjpeg62            6b-21               OK
libjpeg7             7-10                OK
liblzma1             4.999.9beta-10      OK
libncurses10         5.7-18              OK
libncurses8          5.5-10              OK
libncurses9          5.7-16              OK
libopenldap2_3_0     2.3.43-1            OK
libpango1.0_0        1.26.2-1            OK
libpcre0             8.00-1              OK
libpixman1_0         0.16.6-1            OK
libpng12             1.2.35-10           OK
libpopt0             1.6.4-4             OK
libpq5               8.2.11-1            OK
libreadline6         5.2.14-12           OK
libreadline7         6.0.3-2             OK
libsasl2             2.1.19-3            OK
libSM6               1.1.1-1             OK
libssh2_1            1.2.2-1             OK
libssp0              4.3.4-3             OK
libstdc++6           4.3.4-3             OK
libtiff5             3.9.2-1             OK
libwrap0             7.6-20              OK
libX11_6             1.3.3-1             OK
libXau6              1.0.5-1             OK
libXaw3d7            1.5D-8              OK
libXaw7              1.0.7-1             OK
libxcb-render-util0  0.3.6-1             OK
libxcb-render0       1.5-1               OK
libxcb1              1.5-1               OK
libXcomposite1       0.4.1-1             OK
libXcursor1          1.1.10-1            OK
libXdamage1          1.1.2-1             OK
libXdmcp6            1.0.3-1             OK
libXext6             1.1.1-1             OK
libXfixes3           4.0.4-1             OK
libXft2              2.1.14-1            OK
libXi6               1.3-1               OK
libXinerama1         1.1-1               OK
libxkbfile1          1.0.6-1             OK
libxml2              2.7.6-1             OK
libXmu6              1.0.5-1             OK
libXmuu1             1.0.5-1             OK
libXpm4              3.5.8-1             OK
libXrandr2           1.3.0-10            OK
libXrender1          0.9.5-1             OK
libXt6               1.0.7-1             OK
links                1.00pre20-1         OK
login                1.10-10             OK
luit                 1.0.5-1             OK
lynx                 2.8.5-4             OK
man                  1.6e-1              OK
minires              1.02-1              OK
mkfontdir            1.0.5-1             OK
mkfontscale          1.0.7-1             OK
openssh              5.4p1-1             OK
openssl              0.9.8m-1            OK
patch                2.5.8-9             OK
patchutils           0.3.1-1             OK
perl                 5.10.1-3            OK
rebase               3.0.1-1             OK
run                  1.1.12-11           OK
screen               4.0.3-5             OK
sed                  4.1.5-2             OK
shared-mime-info     0.70-1              OK
tar                  1.22.90-1           OK
terminfo             5.7_20091114-13     OK
terminfo0            5.5_20061104-11     OK
texinfo              4.13-3              OK
tidy                 041206-1            OK
time                 1.7-2               OK
tzcode               2009k-1             OK
unzip                6.0-10              OK
util-linux           2.14.1-1            OK
vim                  7.2.264-2           OK
wget                 1.11.4-4            OK
which                2.20-2              OK
wput                 0.6.1-2             OK
xauth                1.0.4-1             OK
xclipboard           1.1.0-1             OK
xcursor-themes       1.0.2-1             OK
xemacs               21.4.22-1           OK
xemacs-emacs-common  21.4.22-1           OK
xemacs-sumo          2007-04-27-1        OK
xemacs-tags          21.4.22-1           OK
xeyes                1.1.0-1             OK
xinit                1.2.1-1             OK
xinput               1.5.0-1             OK
xkbcomp              1.1.1-1             OK
xkeyboard-config     1.8-1               OK
xkill                1.0.2-1             OK
xmodmap              1.0.4-1             OK
xorg-docs            1.5-1               OK
xorg-server          1.7.6-2             OK
xrdb                 1.0.6-1             OK
xset                 1.1.0-1             OK
xterm                255-1               OK
xz                   4.999.9beta-10      OK
zip                  3.0-11              OK
zlib                 1.2.3-10            OK
zlib-devel           1.2.3-10            OK
zlib0                1.2.3-10            OK

The ssh daemon configuration file:

$ cat /etc/sshd_config 

# $OpenBSD: sshd_config,v 1.80 2008/07/02 02:24:18 djm Exp $

# This is the sshd server system-wide configuration file.  See
# sshd_config(5) for more information.

# This sshd was compiled with PATH=/bin:/usr/sbin:/sbin:/usr/bin

# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented.  Uncommented options change a
# default value.

Port 22
#AddressFamily any
#ListenAddress 0.0.0.0
#ListenAddress ::

# Disable legacy (protocol version 1) support in the server for new
# installations. In future the default will change to require explicit
# activation of protocol 1
Protocol 2

# HostKey for protocol version 1
#HostKey /etc/ssh_host_key
# HostKeys for protocol version 2
#HostKey /etc/ssh_host_rsa_key
#HostKey /etc/ssh_host_dsa_key

# Lifetime and size of ephemeral version 1 server key
#KeyRegenerationInterval 1h
#ServerKeyBits 1024

# Logging
# obsoletes QuietMode and FascistLogging
#SyslogFacility AUTH
#LogLevel INFO

# Authentication:

#LoginGraceTime 2m
#PermitRootLogin yes
StrictModes no
#MaxAuthTries 6
#MaxSessions 10

RSAAuthentication yes
PubkeyAuthentication yes
AuthorizedKeysFile .ssh/authorized_keys

# For this to work you will also need host keys in /etc/ssh_known_hosts
#RhostsRSAAuthentication no
# similar for protocol version 2
#HostbasedAuthentication no
# Change to yes if you don't trust ~/.ssh/known_hosts for
# RhostsRSAAuthentication and HostbasedAuthentication
#IgnoreUserKnownHosts no
# Don't read the user's ~/.rhosts and ~/.shosts files
#IgnoreRhosts yes

# To disable tunneled clear text passwords, change to no here!
#PasswordAuthentication yes
#PermitEmptyPasswords no

# Change to no to disable s/key passwords
#ChallengeResponseAuthentication yes

# Kerberos options
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
#KerberosGetAFSToken no

# GSSAPI options
#GSSAPIAuthentication no
#GSSAPICleanupCredentials yes

# Set this to 'yes' to enable PAM authentication, account processing, 
# and session processing. If this is enabled, PAM authentication will 
# be allowed through the ChallengeResponseAuthentication and
# PasswordAuthentication.  Depending on your PAM configuration,
# PAM authentication via ChallengeResponseAuthentication may bypass
# the setting of "PermitRootLogin without-password".
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'.
#UsePAM no

AllowAgentForwarding yes
AllowTcpForwarding yes
GatewayPorts yes
X11Forwarding yes
X11DisplayOffset 10
X11UseLocalhost no
#PrintMotd yes
#PrintLastLog yes
TCPKeepAlive yes
#UseLogin no
UsePrivilegeSeparation yes
#PermitUserEnvironment no
#Compression delayed
#ClientAliveInterval 0
#ClientAliveCountMax 3
#UseDNS yes
#PidFile /var/run/sshd.pid
#MaxStartups 10
#PermitTunnel no
#ChrootDirectory none

# no default banner path
#Banner none

# override default of no subsystems
Subsystem sftp /usr/sbin/sftp-server

# Example of overriding settings on a per-user basis
#Match User anoncvs
#X11Forwarding yes
#AllowTcpForwarding yes
#ForceCommand cvs server

I hope this information is enough to solve the problem. If anything more is needed, please comment and I will add it. Thanks for reading!

    
by Deleted 24.03.2010 / 16:45

4 answers

3

A colleague ran into this problem last week and he eventually traced it to the primary group in /etc/passwd needing to be local administrator.

    
by 24.03.2010 / 16:52
2

Check that the access rights of ~/.ssh/ and the files beneath it are 700 or less. Otherwise, ssh will ignore your authorized keys.

    
by 14.04.2010 / 20:40
1

I have three accounts on one machine (Mac OS X) and set up all of their .ssh/authorized_keys files to contain the id_rsa.pub of the other two. But I could not "ssh" into one of these accounts from either of the other two, although they could "ssh" into each other.

The answer came from a blog post called Debugging SSH public key authentication problems. My "bad" account had group and world "write" permissions on its home directory. All I had to do was

chmod 755 /Users/yourname

where yourname is the bad account and you are either logged in to that account or using "sudo" (root) privileges. Check it out. It worked for me.

    
by 24.09.2012 / 02:56
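
The permission checks described in the two answers above (the mode of ~/.ssh and its files, and group/world write on the home directory) can be run in one pass. This is an added example, not part of any answer and not OpenSSH's own code: the function name check_ssh_path and its arguments are hypothetical, and it approximates the StrictModes walk from the key file up to the home directory without resolving symlinked parent directories.

```sh
#!/bin/sh
# Added example (hypothetical helper, not OpenSSH code).
# Usage: check_ssh_path USER HOME_DIR [KEYFILE]
# Prints each offending path; returns 0 if clean, 1 if a StrictModes-style
# check would be expected to reject the key file.
check_ssh_path() {
    csp_user=$1
    csp_home=$2
    csp_path=${3:-$csp_home/.ssh/authorized_keys}
    csp_bad=0

    [ -e "$csp_path" ] || { echo "missing: $csp_path"; return 1; }

    while :; do
        # Group- or world-writable: another account could swap the keys.
        if [ -n "$(find -L "$csp_path" -prune \
                \( -perm -020 -o -perm -002 \) -print)" ]; then
            echo "group/world-writable: $csp_path"
            csp_bad=1
        fi
        # Owner must be the account itself or root (uid 0).
        if [ -z "$(find -L "$csp_path" -prune \
                \( -user "$csp_user" -o -user 0 \) -print)" ]; then
            echo "wrong owner: $csp_path"
            csp_bad=1
        fi
        # Stop after the home directory (or the top of the path) is checked.
        case $csp_path in
            "$csp_home"|/|.) break ;;
        esac
        csp_path=$(dirname "$csp_path")
    done
    return "$csp_bad"
}

# Run directly: sh check.sh USER HOME_DIR [KEYFILE]
if [ "$#" -ge 2 ]; then
    check_ssh_path "$@"
fi
```

With `StrictModes no`, as in the sshd_config posted in the question, sshd skips this check, so a clean result there points to a different cause.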
0

Good luck getting an account that you log in to via Cygwin and an SSH key to do any kind of privileged task. I had a problem with this a while ago:

link

I ended up implementing a VPN, so that you can use native Windows tools.

    
by 15.04.2010 / 13:48