InSearchOf (United States of America)

asked on

Openssh

I recently installed OpenSSH on a Windows 2003 ENT box with the help of EE. I created the public/private key pair. I am using Cyberduck to test and I keep getting a login failure. When I check the event logs I see a lot of sshd events from external IPs attempting to connect. Are hackers trying to connect? How do they even know this box is available? The box is sitting in a DMZ.
tiago_aviz

That's the wonder of the Internet :) Better check your firewall to see if only the necessary ports are available for the Internet to see on the Windows 2003 box.

The general advice is to only open ports for those who need to access them. Otherwise, keep everything inaccessible to the outside.

They are not hackers, most likely a robot that tries dumb users/passwords all the time until they crack in. Then, these IPs and passwords are sent over to someone who could use your server for just about anything.
Ok, first, as long as you are running your ssh server on port 22, you will see 20-30 brute-force attempts per hour - they scan networks looking for open ssh ports, and are sufficiently dumb that they keep trying.

Either lock down the port to just the IPs of your clients, or move to a different port (such as 22222 or something) so the bulk of the stupids will not see your server and move along.

Second, key-based auth is significantly more secure than password-protected auth (and if password auth is disabled, again, almost all the stupids will move on and bother someone else).

In order for keypair-based auth to work, you must import the private key into the client and the public key into a special subdir of the user's home dir (this location is configurable in the sshd config file, but defaults to home dir/.ssh/ and the file is called authorized_keys).

For testing, I would suggest using PuTTY ( http://www.chiark.greenend.org.uk/~sgtatham/putty/download.html ) - not only is it much easier, but it comes with a key generator for key-based auth (puttygen).
InSearchOf (ASKER)

Thanks for the helpful info guys. Since this will be used by some external users I cannot disable external access, and it would probably be a little difficult to know what IPs to allow unless they have static IPs. Moving to a different port sounds like a better bet. I assume this is done on the firewall?

As far as access goes I did import the private key to my workstation and the public key to the authorized_keys file. When I looked into the authorized_keys file it was empty so I copied and pasted the key into the file. I created a passphrase to go along with the key file. Apparently when the passphrase fails the client then prompts for a password.
For changing the port - no, you do that in sshd_config (although you can do that on the firewall too - it's a case of setting a static NAT on the firewall to map one port to another. It's easier to just change the port in sshd_config though - look for a line near the top reading "Port 22").

Similarly, to disable password auth, find the line "#PasswordAuthentication yes" in the config, remove the # from the start, and change "yes" to "no".

This will allow *only* key based auth, with no password auth supported.
Ok. Thanks. I had Cisco change it on the firewall. I also changed the PasswordAuthentication to no. But it did not like my passphrase either.
Setting PasswordAuthentication to no should prevent it from even asking for your password - you are then required to use a public/private key (so it should only be set once you are sure that is working).

It does require a restart of sshd though - which may be why you aren't seeing it work yet.
It is not the password authentication I am asking about, it is the passphrase that is not working. When I make the connection it does accept the key file but does not accept the passphrase, even after recreating it. I rebooted after doing it. What am I missing? I installed and configured OpenSSH and created the key pair from links I got here and followed the instructions, but I just followed steps because I did not understand what I was doing, so it could be I missed something. I am using version 3.81 of OpenSSH.
I pulled this out of the event viewer:

Authentication refused: bad ownership or modes for file /home/domain_user/.ssh/authorized_keys.
I went into the sshd_config file and set "StrictModes no" and restarted the service.
When I try to connect and enter the passphrase I get this in the Event Viewer:

The description for Event ID ( 0 ) in Source ( sshd ) cannot be found. The local computer may not have the necessary registry information or message DLL files to display messages from a remote computer. You may be able to use the /AUXSOURCE= flag to retrieve this description; see Help and Support for details. The following information is part of the event: sshd : PID 1472 : fatal: setreuid 19575: Permission denied.
Well, usually OpenSSH on Windows uses the Cygwin stuff for auth, so if you want to auth using WINDOWS credentials, you need two things:

One is a system environment variable called CYGWIN (which must be set to "ntsec tty").

The second is a file called passwd in /etc (ssh /etc, which is usually a subdir of the installed OpenSSH package).

Normally you create this with the program mkpasswd. If your machine is standalone, then the command is:

mkpasswd -l > /etc/passwd

or if you are a member of an AD domain, then you will want:

mkpasswd -u username -d domain > /etc/passwd

You can combine the two, and do the second command with >> if you want to append rather than replace. But the bottom line is you need a line in /etc/passwd to log in as a user, and the login name is case sensitive.
Thanks for your response DaveHowe. I am trying to get the key and passphrase combination to work. I disabled password authentication in the sshd_config file. The error above is the error I got after I disabled it and tried again after a reboot.
Ah, ok. The passphrase for key-and-passphrase is set locally on the key, not on the server side. It is added security for the secret key, nothing to do with the server.
However, if I were getting that error on an sshd server on Linux, I would assume the permissions on the authorized_keys file were wrong - this file must not be world writable.
Ok thanks for the info. Initially, while trying to figure out what was wrong, I checked the authorized_keys file and saw that it was empty. I set the permissions to full so that I could copy and paste the key into it. What permissions should I have?
It should be read only for all but owner.
If someone else could put their key in there, they could log in as you :)
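The two pieces of advice in this thread, the sshd_config changes (Port, PasswordAuthentication) from the earlier answer and the authorized_keys permissions behind the "bad ownership or modes" error, can be checked with a small script. This is an added example, not code from the thread or from OpenSSH; it assumes a Cygwin or Unix shell with ls, grep and awk, and the sample files it creates are constructed.

```shell
#!/bin/sh
# Added example (not from the original thread). Audits sshd_config for the
# Port and PasswordAuthentication settings and checks authorized_keys for the
# group/world-writable modes that make sshd log "bad ownership or modes".

# Effective value of a directive: sshd uses the FIRST uncommented occurrence,
# so later duplicates do not override it. $3 is the compiled-in default.
effective_value() {
    val=$(grep -i "^[[:space:]]*$2[[:space:]]" "$1" | head -n 1 | awk '{print $2}')
    printf '%s\n' "${val:-$3}"
}

# Returns 0 when the config follows the thread's advice: a non-default port
# (fewer scanner hits) and password authentication off (keys only).
audit_sshd_config() {
    port=$(effective_value "$1" Port 22)
    pw=$(effective_value "$1" PasswordAuthentication yes)
    status=0
    if [ "$port" = 22 ]; then
        echo "WARN: sshd still on port 22; expect brute-force bots"; status=1
    fi
    if [ "$pw" != no ]; then
        echo "WARN: PasswordAuthentication is '$pw'; set it to no"; status=1
    fi
    return $status
}

# Returns 0 when authorized_keys is not writable by group or others, which is
# what StrictModes enforces. In ls -l output, char 6 is group w, char 9 is other w.
check_authorized_keys_mode() {
    modes=$(ls -ld "$1" | cut -c1-10)
    case "$modes" in
        ?????w*|????????w?) echo "WARN: $1 writable by others ($modes); use chmod 600"; return 1 ;;
    esac
    return 0
}

# Constructed sample inputs so the script runs stand-alone.
demo() {
    dir=$(mktemp -d)
    printf 'Port 22\n#PasswordAuthentication yes\n' > "$dir/weak_config"
    printf 'Port 22222\nPasswordAuthentication no\n' > "$dir/hardened_config"
    : > "$dir/authorized_keys"; chmod 666 "$dir/authorized_keys"
    audit_sshd_config "$dir/weak_config" || echo "weak config rejected"
    audit_sshd_config "$dir/hardened_config" && echo "hardened config accepted"
    check_authorized_keys_mode "$dir/authorized_keys" || chmod 600 "$dir/authorized_keys"
    check_authorized_keys_mode "$dir/authorized_keys" && echo "authorized_keys mode fixed"
    rm -rf "$dir"
}
demo
```

Run it against the real /etc/sshd_config and ~/.ssh/authorized_keys on the Cygwin side to see which of the two conditions is still failing.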
Ok thanks for all your help. Much appreciated
I am still getting the same error. If I uninstall and reinstall yet again, is there a good how-to article on configuring OpenSSH on Windows 2003, or do you think the readme files that come with the installation are sufficient?
ASKER CERTIFIED SOLUTION
Dave Howe (United Kingdom)

This solution is only available to members.
Ok. One last question. If I use domain accounts instead of local accounts, do I use domain/users when I specify the user account?
No. Basically, there will be a file (/etc/passwd) which has a simple username in it, and a GUID that Cygwin uses to link it to the account - the username you use is exactly the username in that file.
Ok. Thank you for all your.