Solved

Openssh

Posted on 2011-03-11
Last Modified: 2012-05-11
I recently installed openssh on a windows 2003 ENT box with the help of EE. I created the Public/Private key pair. I am using Cyberduck to test and I keep getting a login failure. When I check the event logs I see a lot of sshd events from external IPs attempting to connect. Are hackers trying to connect? How do they even know this box is available? The box is sitting in a DMZ.
Question by:InSearchOf
21 Comments
 
LVL 5

Expert Comment

by:tiago_aviz
ID: 35108050
That's the wonder of the Internet :) Better check your firewall to see if only the necessary ports are available for the Internet to see on the Windows 2003 box.

The general advice is to only open ports for those who need to access them. Otherwise, keep everything inaccessible to the outside.

They are not hackers, most likely a robot that tries dumb users/passwords all the time until they crack in. Then, these IPs and passwords are sent over to someone who could use your server for just about anything.
 
LVL 33

Expert Comment

by:Dave Howe
ID: 35108160
Ok, first, as long as you are running your ssh server on port 22, you will see 20-30 brute force attempts per hour - they scan networks looking for open ssh ports, and are sufficiently dumb that they keep trying.

Either lock down the port to just the IPs of your clients, or move to a different port (such as 22222 or something) so the bulk of the stupids will not see your server and move along.

Second, key-based auth is significantly more secure than password-protected auth (and if password auth is disabled, again, almost all the stupids will move on and bother someone else).

In order for keypair-based auth to work, you must import the private key into the client and the public key into a special subdir of the user's home dir (this location is configurable in the sshd conf file, but defaults to home dir/.ssh/ and the file is called authorized_keys).

For testing, I would suggest using PuTTY ( http://www.chiark.greenend.org.uk/~sgtatham/putty/download.html ) - not only is it much easier, but it comes with a key generator for key-based auth (puttygen).
 

Author Comment

by:InSearchOf
ID: 35109494
Thanks for the helpful info guys. Since this will be used by some external users I cannot disable external access, and it would probably be a little difficult to know what IPs to allow unless they have static IPs. Moving to a different port sounds like a better bet. I assume this is done on the firewall?

As far as access goes I did import the private key to my workstation and the public key to the authorized_keys file. When I looked into the authorized_keys file it was empty so I copied and pasted the key into the file. I created a passphrase to go along with the key file. Apparently when the passphrase fails the client then prompts for a password.
 
LVL 33

Expert Comment

by:Dave Howe
ID: 35110622
For changing the port - no, you do that in the sshd_config (although you can do that on the firewall too - it's a case of setting the static NAT on the firewall to map one port to another. It's easier to just change the port in sshd_config though - look for a line near the top reading "Port 22")

Similarly, to disable password auth, find a line "#PasswordAuthentication yes" in the config, remove the # from the start, and change "yes" to "no"

This will allow *only* key based auth, with no password auth supported.
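The two sshd_config edits Dave Howe describes (Port and PasswordAuthentication), plus the authorized_keys location from his earlier comment, can be checked mechanically. The script below is an added example, not code from this thread or from OpenSSH. It assumes the config is available as text (the sample embedded in it is constructed) and applies sshd's own parsing rules: keywords are case-insensitive, the first occurrence of a keyword wins, and directives under a Match block are conditional. The first-occurrence rule is the practical trap: uncommenting "#PasswordAuthentication yes" and changing it to "no" does nothing if an active "PasswordAuthentication yes" already sits higher in the file.

```python
"""Audit an OpenSSH sshd_config for the settings recommended above.

Added example, not code from the thread or from OpenSSH. It assumes the
config is available as text (a constructed sample is embedded below) and
applies sshd's own parsing rules: keywords are case-insensitive, a line whose
first non-blank character is '#' is a comment, and the FIRST occurrence of a
keyword wins, so an active 'PasswordAuthentication yes' above a later 'no'
silently keeps password logins on. Directives inside a 'Match' block only
apply conditionally and are ignored here.
"""
import re

# Constructed sample: a 'PasswordAuthentication no' was added, but an
# earlier, still-active 'yes' line was overlooked.
SAMPLE_CONFIG = """\
# sshd_config (constructed example)
Port 22
Protocol 2
PasswordAuthentication yes
#PubkeyAuthentication yes
#AuthorizedKeysFile .ssh/authorized_keys
PasswordAuthentication no
StrictModes yes
Match User backup
    PasswordAuthentication yes
"""

# Values sshd uses when the keyword is absent (from sshd_config(5)).
DEFAULTS = {
    "port": "22",
    "passwordauthentication": "yes",
    "pubkeyauthentication": "yes",
    "authorizedkeysfile": ".ssh/authorized_keys",
    "strictmodes": "yes",
}


def parse_sshd_config(text):
    """Return {keyword.lower(): value} using first-occurrence-wins,
    skipping comments, blank lines and everything inside Match blocks."""
    effective = {}
    in_match = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        # sshd accepts 'Keyword value' or 'Keyword=value'
        parts = re.split(r"\s*=\s*|\s+", line, maxsplit=1)
        keyword = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if keyword == "match":
            in_match = True          # everything after this is conditional
            continue
        if in_match:
            continue
        effective.setdefault(keyword, value)   # first occurrence wins
    return effective


def effective_value(effective, keyword):
    return effective.get(keyword, DEFAULTS[keyword])


def audit(effective):
    """Return a list of (Keyword, effective value, finding) for settings
    that leave the server exposed to the password guessing described above."""
    findings = []
    port = effective_value(effective, "port")
    if port == "22":
        findings.append(("Port", port,
                         "default port; expect constant scanner brute-force noise"))
    pw = effective_value(effective, "passwordauthentication").lower()
    if pw != "no":
        findings.append(("PasswordAuthentication", pw,
                         "password logins still allowed, so guesses can succeed"))
    pk = effective_value(effective, "pubkeyauthentication").lower()
    if pk != "yes":
        findings.append(("PubkeyAuthentication", pk,
                         "key-based auth disabled; keys in authorized_keys are ignored"))
    sm = effective_value(effective, "strictmodes").lower()
    if sm != "yes":
        findings.append(("StrictModes", sm,
                         "ownership/mode checks on ~/.ssh disabled; fix permissions instead"))
    return findings


if __name__ == "__main__":
    eff = parse_sshd_config(SAMPLE_CONFIG)
    print("authorized_keys path:", effective_value(eff, "authorizedkeysfile"))
    for keyword, value, msg in audit(eff):
        print(f"{keyword} = {value}: {msg}")
```

Run against the constructed sample it reports Port 22 and PasswordAuthentication = yes, because the first "yes" line is the one sshd honours; the later "no" and the Match-scoped "yes" are both ignored. Whatever the file says, sshd only reads it at start-up, so the service still has to be restarted after the edit.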
 

Author Comment

by:InSearchOf
ID: 35111154
Ok. Thanks. I had Cisco change it on the firewall. I also changed the PasswordAuthentication to no. But it did not like my passphrase either.
 
LVL 33

Expert Comment

by:Dave Howe
ID: 35111978
Setting PasswordAuthentication to no should prevent it from even asking for your password - you are then required to use a public/private key (so it should only be set once you are sure that is working)

it does require a restart of the sshd though - which may be why you aren't seeing it work yet.
 

Author Comment

by:InSearchOf
ID: 35115895
It is not the password authentication I am asking about, it is the passphrase that is not working. When I make the connection it does accept the key file but does not accept the passphrase even after recreating it. I rebooted after doing it. What am I missing? I installed and configured openssh and created the key pair from links I got here and followed the instructions, but I just followed steps because I did not understand what I was doing so it could be I missed something. I am using version 3.81 of openssh
 

Author Comment

by:InSearchOf
ID: 35116017
I pulled this out of the event viewer:

 Authentication refused: bad ownership or modes for file /home/domain_user/.ssh/authorized_keys.
 

Author Comment

by:InSearchOf
ID: 35116086
I went into the sshd_config file and set "StrictMode No" and restarted the service.
When I try to connect and enter the Passphrase I get this in the event Viewer

The description for Event ID ( 0 ) in Source ( sshd ) cannot be found. The local computer may not have the necessary registry information or message DLL files to display messages from a remote computer. You may be able to use the /AUXSOURCE= flag to retrieve this description; see Help and Support for details. The following information is part of the event: sshd : PID 1472 : fatal: setreuid 19575: Permission denied.
 
LVL 33

Expert Comment

by:Dave Howe
ID: 35116471
Well, usually openssh on windows uses the cygwin stuff for auth, so if you want to auth using WINDOWS credentials, you need two things:

one is a system environment variable called CYGWIN (which must be set to "ntsec tty")

and the second is a file called passwd in /etc (ssh /etc, which is usually a subdir of the installed openssh package)

normally you create this with the program mkpasswd. if your machine is standalone, then the command is:

mkpasswd -l > /etc/passwd

or if you are a member of an AD domain, then you will want:

mkpasswd -u username -d domain > /etc/passwd

you can combine the two, and do the second command with >> if you want to append rather than replace. But bottom line is you need a line in /etc/passwd to log in as a user, and the login name is case sensitive.

Author Comment

by:InSearchOf
ID: 35122325
Thanks for your response DaveHowe. I am trying to get the key and passphrase combination to work. I disabled password authentication in the sshd_config file. The error above is the error I got after I disabled it and tried again after a reboot.
 
LVL 33

Expert Comment

by:Dave Howe
ID: 35122468
ah, ok. the passphrase for key-and-passphrase is set locally on the key, not on the server side.  it is added security for the secret key, nothing to do with the server.
 
LVL 33

Expert Comment

by:Dave Howe
ID: 35122480
however, if I were getting that error on a sshd server on linux, I would assume the permissions on the authorized key file were wrong - this file must not be world writable.
 

Author Comment

by:InSearchOf
ID: 35127329
Ok thanks for the info. Initially while trying to figure out what was wrong I checked the authorized key file and saw that it was empty. I set the permissions to full so that I could copy and paste the key to it. What permissions should I have?
 
LVL 33

Expert Comment

by:Dave Howe
ID: 35127506
It should be read only for all but owner.
If someone else could put their key in there, they could log in as you :)
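The "Authentication refused: bad ownership or modes" event quoted earlier, the "StrictMode No" workaround, and the "read only for all but owner" advice just above all come down to one check that sshd performs with StrictModes on. The script below is an added example, not the thread's code and not OpenSSH's source; it mirrors the rule sshd applies (secure_filename() in auth.c): authorized_keys, the .ssh directory and every directory up to and including the user's home must be owned by that user or root and must not be group- or world-writable. It builds a throw-away home tree in a temp directory, so the paths and the key line in it are constructed; the uid is whatever the script runs as.

```python
"""Reproduce the check behind 'Authentication refused: bad ownership or
modes for file .../authorized_keys'.

Added example; it is not the thread's code nor OpenSSH's source. It follows
the rule sshd applies with StrictModes on (secure_filename() in auth.c): the
authorized_keys file, its directory and every directory up to and including
the user's home must be owned by that user or by root (uid 0) and must not be
group- or world-writable. A throw-away home tree is built in a temp directory
so the script runs offline on any POSIX system; on Cygwin the mode bits it
sees are the ones Cygwin derives from the NTFS ACL, which is also what the
Cygwin sshd sees.
"""
import os
import stat
import tempfile


def check_authorized_keys(home, uid=None, rel=".ssh/authorized_keys"):
    """Return (ok, reason). uid defaults to the current process's uid."""
    if uid is None:
        uid = os.getuid()
    home = os.path.realpath(home)
    path = os.path.realpath(os.path.join(home, rel))

    def bad(p, st):
        if st.st_uid not in (0, uid):
            return f"{p} owned by uid {st.st_uid}, not uid {uid} or root"
        if st.st_mode & 0o022:
            return f"{p} is group/world writable (mode {stat.S_IMODE(st.st_mode):04o})"
        return None

    st = os.stat(path)
    if not stat.S_ISREG(st.st_mode):
        return False, f"{path} is not a regular file"
    reason = bad(path, st)
    if reason:
        return False, reason
    # Walk upward: .ssh, then the home directory itself; stop there so the
    # (normally world-writable) /tmp above a temp home is not considered.
    d = os.path.dirname(path)
    while True:
        reason = bad(d, os.stat(d))
        if reason:
            return False, reason
        if d == home or d == os.path.dirname(d):
            break
        d = os.path.dirname(d)
    return True, "ok"


def demo():
    """Build a constructed home tree and return [(scenario, ok), ...]."""
    home = tempfile.mkdtemp(prefix="home_")
    sshdir = os.path.join(home, ".ssh")
    keyfile = os.path.join(sshdir, "authorized_keys")
    os.mkdir(sshdir)
    with open(keyfile, "w") as f:
        # Placeholder key material, not a real key.
        f.write("ssh-rsa AAAAB3...constructed-placeholder... user@client\n")
    results = []

    def scenario(name, home_mode, ssh_mode, key_mode):
        os.chmod(home, home_mode)
        os.chmod(sshdir, ssh_mode)
        os.chmod(keyfile, key_mode)
        results.append((name, check_authorized_keys(home)[0]))

    scenario("correct modes (755 / 700 / 600)", 0o755, 0o700, 0o600)
    scenario("authorized_keys 'full' (666)", 0o755, 0o700, 0o666)   # as in the thread
    scenario(".ssh world-writable (777)", 0o755, 0o777, 0o600)
    scenario("home group-writable (775)", 0o775, 0o700, 0o600)
    scenario("read-only for all but owner (644)", 0o755, 0o700, 0o644)
    os.chmod(home, 0o755)
    return results


if __name__ == "__main__":
    for name, ok in demo():
        print(f"{'accept' if ok else 'refuse'}: {name}")
```

The scenarios show why a "full" (666) authorized_keys is refused while 600 or 644 is accepted, and that a writable .ssh or home directory is refused just the same even when the file itself is fine. Turning StrictModes off makes the error disappear but leaves exactly the hole Dave describes: anyone who can write the file can log in as that user. Fix the modes and leave StrictModes on.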
 

Author Comment

by:InSearchOf
ID: 35131180
Ok thanks for all your help. Much appreciated
 

Author Comment

by:InSearchOf
ID: 35131890
I am still getting the same error. If I uninstall and reinstall yet again, is there a good how-to article on configuring openssh on windows 2003 or do you think the readme files that come with the installation are sufficient?
 
LVL 33

Accepted Solution

by:
Dave Howe earned 500 total points
ID: 35133315
 

Author Comment

by:InSearchOf
ID: 35136775
Ok. One last question. If I use domain accounts instead of local accounts do I use domain/users when I specify the user account?
 
LVL 33

Expert Comment

by:Dave Howe
ID: 35137605
no. basically, there will be a file (/etc/passwd) which has a simple username in it, and a GUID that cygwin uses to link it to the account - the username you use is exactly the username in that file.
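Dave's two points about /etc/passwd (the login name is case-sensitive, and for a domain account it is the bare name in the first field, not domain/user) are easy to see with a small parser. This is an added example, not code from the thread or from Cygwin. The passwd lines are constructed to look like mkpasswd output (name:passwd:uid:gid:gecos:home:shell, with the gecos field carrying U-DOMAIN\name and the account's Windows SID); the machine name SSHBOX, the domain CORP, the SIDs and the uids are made up, and explain() is a helper of this example only.

```python
"""Look up a login name the way the Cygwin-based sshd does: an exact,
case-sensitive match on the first field of /etc/passwd.

Added example, not from the thread or from Cygwin. The passwd lines below are
constructed to look like mkpasswd output (name:passwd:uid:gid:gecos:home:shell,
with the gecos field carrying 'U-DOMAIN\\name' and the account's Windows SID);
the machine name SSHBOX, the domain CORP, the SIDs and the uids are made up.
The helper explain() shows why 'CORP\\jsmith', 'corp/jsmith' or 'JSmith' fail
while 'jsmith' works.
"""
import re

PASSWD_TEXT = """\
# constructed: what 'mkpasswd -l' and 'mkpasswd -u jsmith -d CORP' might emit
Administrator:unused_by_nt/2000/xp:500:513:U-SSHBOX\\Administrator,S-1-5-21-1111-2222-3333-500:/home/Administrator:/bin/bash
jsmith:unused_by_nt/2000/xp:11104:10513:U-CORP\\jsmith,S-1-5-21-4444-5555-6666-1104:/home/jsmith:/bin/bash
"""

GECOS_RE = re.compile(r"U-([^\\,]+)\\([^,]+)")


def parse_passwd(text):
    """Return {name: record}. Lines that are not 7 colon-separated fields are
    skipped, which is also what makes a hand-edited line silently unusable."""
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            continue
        name, _pw, uid, gid, gecos, home, shell = fields
        m = GECOS_RE.search(gecos)
        entries[name] = {
            "uid": int(uid),
            "gid": int(gid),
            "domain": m.group(1) if m else None,
            "windows_name": m.group(2) if m else None,
            "sid": gecos.split(",")[-1] if "," in gecos else None,
            "home": home,
            "shell": shell,
        }
    return entries


def lookup(login, entries):
    """Exact, case-sensitive match, as getpwnam() does; no domain handling."""
    return entries.get(login)


def explain(login, entries):
    """For a login typed as DOMAIN\\user, domain/user or in the wrong case,
    return the name that would actually match, or None."""
    bare = re.split(r"[\\/]", login)[-1]
    if bare in entries:
        return bare
    for name in entries:
        if name.lower() == bare.lower():
            return name
    return None


if __name__ == "__main__":
    entries = parse_passwd(PASSWD_TEXT)
    for attempt in ("jsmith", "JSmith", "CORP\\jsmith", "corp/jsmith"):
        rec = lookup(attempt, entries)
        hint = "" if rec else f" (use '{explain(attempt, entries)}')"
        print(f"{attempt!r}: {'match' if rec else 'no match'}{hint}")
```

The domain and SID live in the gecos field, which is how Cygwin links the line back to the Windows account; the first field is the only thing the login name is compared against, exactly and case-sensitively.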
 

Author Comment

by:InSearchOf
ID: 35139279
Ok. Thank you for all your.
