SSH – Client – Error – Permission Denied (on MS OS / Cygwin)

A good friend installed and configured Cygwin for me. Cygwin lets one use and play with Unix/Linux applications and commands on a Windows box.

As background, let us give names to the machines in our topology.

  • Laptop –> irving
  • MS Windows Cygwin Server –> dori
  • Linux SSH Server –> ilan
  • MS Windows DB Server –> elior

One of the things I regularly need to do is issue SSH tunneling commands.

On my Cygwin Server (dori), I have a script that contains statements similar to the following:

  Syntax:

    ssh -CfNL <localport>:<destAddress>:<destPort> <sshServer>

  Example:

    ssh -CfNL 50101:elior:1433 ilan

So everything works when I connect from my laptop and ask ssh to forward my SSH key (agent forwarding).

So the steps that work are:

  • On the laptop (irving), connect over ssh to the Cygwin server (ssh -A dori)
  • In the same terminal window, issue the commands that create the tunnel

But when I am logged on to the Cygwin server (dori) itself and try to create the same ssh connections, things break.
BTW, to open the Cygwin Terminal and issue shell commands:

  • Click on the “Cygwin Terminal” icon
  • Which launches the terminal by calling “C:\cygwin\bin\mintty.exe -i /Cygwin-Terminal.ico -”

And there you have it, a nice terminal shell.

Cygwin Server -- SSH Terminal

So I issue:

ssh -CfNL 50101:elior:1433 ilan

But, I get the following error:

Permission denied (publickey)

I lived with the problem for a while, but wanted to dig a bit deeper this morning, and so took the advice of a friend who helped me with SSH problems over a year ago.

The advice is to issue the ssh command in verbose (debug) mode with -v; for even more detail, use -vvv.

On my Cygwin server (dori), I issue:

ssh -v -CfNL 50101:elior:1433 ilan

I now have a lot more debug output to parse:

debug1: Connecting to ilan [10.0.7.18] port 22.
debug1: Connection established.
debug1: identity file /home/dadeniji/.ssh/id_rsa type 2
debug1: identity file /home/dadeniji/.ssh/id_rsa-cert type -1
debug1: identity file /home/dadeniji/.ssh/id_dsa type 2
debug1: identity file /home/dadeniji/.ssh/id_dsa-cert type -1
debug1: identity file /home/dadeniji/.ssh/id_ecdsa type -1
debug1: identity file /home/dadeniji/.ssh/id_ecdsa-cert type -1
debug1: Remote protocol version 2.0, remote software version OpenSSH_4.5
debug1: match: OpenSSH_4.5 pat OpenSSH_4*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_5.9
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes128-ctr hmac-md5 zlib@openssh.com
debug1: kex: client->server aes128-ctr hmac-md5 zlib@openssh.com
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug1: Server host key: RSA 
debug1: Host 'ilan' is known and matches the RSA host key.
debug1: Found key in /home/dadeniji/.ssh/known_hosts:7
debug1: ssh_rsa_verify: signature correct
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: Roaming not allowed by server
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug1: SSH2_MSG_SERVICE_ACCEPT received

********************************************************************************
*                               !!! WARNING !!!                                *
********************************************************************************
* This system is a restricted access system. All activity on this system is    *
* subject to monitoring. Information collected that is malicious, unauthorized *
* or unlawful may be provided to the relevant authorities for further action.  *
* By continuing past this point, you expressly consent to this monitoring.     *
********************************************************************************

debug1: Authentications that can continue: publickey
debug1: Next authentication method: publickey
debug1: Offering DSA public key: /home/dadeniji/.ssh/id_rsa
debug1: Authentications that can continue: publickey
debug1: Offering DSA public key: /home/dadeniji/.ssh/id_dsa
debug1: Authentications that can continue: publickey
debug1: Trying private key: /home/dadeniji/.ssh/id_ecdsa
debug1: No more authentication methods to try.
Permission denied (publickey).

The debug log seems to support the following:

  • Our public key (/home/dadeniji/.ssh/id_rsa) was tried three times and failed all three times
  • Our private key (/home/dadeniji/.ssh/id_ecdsa) was attempted once.  In our case, we have not yet set up private keys on the ssh server.
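Reading the authentication phase of a verbose transcript by eye gets old quickly. The script below is an added example (not the post's code): it reads an `ssh -v` transcript on stdin and prints which identity files ssh found and what key type it parsed each one as (OpenSSH identity type 1 is RSA, 2 is DSA, 3 is ECDSA, -1 means the file is absent), which keys were offered, whether the server accepted any of them, and the final outcome. The sample transcript is constructed to match the shape of the post's first log with made-up paths; run over it, the summary surfaces the detail worth noticing before touching the server: the file called id_rsa is parsed as DSA and offered as a "DSA public key".

```shell
#!/bin/sh
# Summarise the authentication phase of an "ssh -v" transcript read on stdin.
# Added example; the sample transcripts below are constructed, not copied.

ssh_auth_summary() {
  awk '
    # identity files ssh looked for (skipping the -cert variants); type -1 = absent
    /^debug1: identity file / && $4 !~ /-cert$/ {
      if ($6 == -1) missing = missing " " $4
      else          found = found " " $4 "=" ($6 == 1 ? "RSA" : ($6 == 2 ? "DSA" : ($6 == 3 ? "ECDSA" : "type" $6)))
    }
    /^debug1: Offering (RSA|DSA|ECDSA) public key: / { offered  = offered " " $3 ":" $6 }
    /^debug1: Trying private key: /                { tried    = tried " " $5 }
    /^debug1: Server accepts key: /                { accepted = "yes" }
    /^debug1: Authentication succeeded/            { result   = "succeeded" }
    /^Permission denied/                           { result   = "denied" }
    END {
      printf "found:%s\n",   found
      printf "missing:%s\n", missing
      printf "offered:%s\n", offered
      printf "tried:%s\n",   tried
      printf "server_accepted_key: %s\n", (accepted == "" ? "no" : accepted)
      printf "result: %s\n", (result == "" ? "unknown" : result)
    }'
}

# Constructed transcript shaped like the failing run in the post.
sample_failed_log() {
  cat <<'EOF'
debug1: identity file /home/user/.ssh/id_rsa type 2
debug1: identity file /home/user/.ssh/id_rsa-cert type -1
debug1: identity file /home/user/.ssh/id_dsa type 2
debug1: identity file /home/user/.ssh/id_dsa-cert type -1
debug1: identity file /home/user/.ssh/id_ecdsa type -1
debug1: identity file /home/user/.ssh/id_ecdsa-cert type -1
debug1: Authentications that can continue: publickey
debug1: Next authentication method: publickey
debug1: Offering DSA public key: /home/user/.ssh/id_rsa
debug1: Authentications that can continue: publickey
debug1: Offering DSA public key: /home/user/.ssh/id_dsa
debug1: Authentications that can continue: publickey
debug1: Trying private key: /home/user/.ssh/id_ecdsa
debug1: No more authentication methods to try.
Permission denied (publickey).
EOF
}

# Constructed transcript shaped like the working run.
sample_success_log() {
  cat <<'EOF'
debug1: identity file /home/user/.ssh/id_rsa type 1
debug1: Offering RSA public key: /home/user/.ssh/id_rsa
debug1: Server accepts key: pkalg ssh-rsa blen 279
debug1: Authentication succeeded (publickey).
EOF
}

# Real usage: ssh -v -CfNL 50101:elior:1433 ilan 2>&1 | ssh_auth_summary
# (ssh writes its debug lines to stderr, hence the 2>&1)
if [ "${1:-}" = "--demo" ]; then
  sample_failed_log | ssh_auth_summary
fi
```

The `found:` line is the one to read first: if the file you believe is an RSA key is reported as DSA, or is missing outright, the server never saw the key you intended, and no amount of work on the server side will help.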

Knowing that the problem seems to lie with my personal public key, and not with the general infrastructure or the specific SSH server, made it likely that I could proceed on my own.

First let us replace our public key on the Cygwin Server (dori) with the working one from my desktop (irving):

  • Judging from the captured log, Cygwin uses the private key saved in /home/<username>/.ssh.
  • As our Windows user name is dadeniji, the full file name is /home/dadeniji/.ssh/id_rsa
  • So back up the file /home/dadeniji/.ssh/id_rsa — in our case, we copied (cp) it to /home/dadeniji/.ssh/id_rsa__20130309
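The steps above, scripted, as an added example (not the post's own script): it backs up the current identity with the post's `<identity>__YYYYMMDD` naming, copies the working key into place, and sets the modes ssh requires (700 on the .ssh directory, 600 on the key; ssh refuses a private key whose mode is more open than that and says so in the debug output). It also reports what kind of key each file claims to be from its first line, since the post's failing log shows a file named id_rsa being parsed as DSA. Function names, the scratch directory and the placeholder "keys" in the demo are ours; the placeholders are not real key material.

```shell
#!/bin/sh
# Replace the identity on the Cygwin box with a known-good private key.
# Added example; function names and the demo's placeholder files are ours.

# Report what kind of key a private key file claims to be from its header line.
key_type_from_header() {
  case "$(head -n 1 "$1")" in
    '-----BEGIN RSA PRIVATE KEY-----')     echo RSA ;;
    '-----BEGIN DSA PRIVATE KEY-----')     echo DSA ;;
    '-----BEGIN EC PRIVATE KEY-----')      echo EC ;;
    '-----BEGIN OPENSSH PRIVATE KEY-----') echo OPENSSH ;;
    *)                                     echo UNKNOWN ;;
  esac
}

# Mode string from ls, portable across Cygwin, Linux and BSD (no GNU stat needed).
perm_string() { ls -ld "$1" | cut -c1-10; }

# replace_identity_key <working-key> [<identity-path>]
#   1. back up the current identity as <identity>__YYYYMMDD
#   2. copy the working key into place
#   3. set 700 on the .ssh directory and 600 on the key, which ssh insists on
replace_identity_key() {
  src=$1
  dst=${2:-$HOME/.ssh/id_rsa}
  dir=$(dirname "$dst")
  [ -r "$src" ] || { echo "no readable key at $src" >&2; return 1; }
  mkdir -p "$dir" && chmod 700 "$dir"
  if [ -f "$dst" ]; then
    bak="${dst}__$(date +%Y%m%d)"
    cp -p "$dst" "$bak" && chmod 600 "$bak"
    echo "old key ($(key_type_from_header "$dst")) backed up to $bak"
  fi
  cp "$src" "$dst" && chmod 600 "$dst"
  echo "new key ($(key_type_from_header "$dst")) installed at $dst, mode $(perm_string "$dst")"
}

# Demo in a scratch directory: a DSA-headed placeholder sitting where id_rsa
# should be gets replaced by an RSA-headed placeholder.
demo_replace_identity_key() {
  t=$(mktemp -d)
  mkdir -p "$t/.ssh"
  printf '%s\n' '-----BEGIN DSA PRIVATE KEY-----' 'placeholder-not-a-key' '-----END DSA PRIVATE KEY-----' > "$t/.ssh/id_rsa"
  chmod 644 "$t/.ssh/id_rsa"
  printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' 'placeholder-not-a-key' '-----END RSA PRIVATE KEY-----' > "$t/good_id_rsa"
  replace_identity_key "$t/good_id_rsa" "$t/.ssh/id_rsa"
}

if [ "${1:-}" = "--demo" ]; then
  demo_replace_identity_key
fi
```

On the Cygwin box the real call would be `replace_identity_key /path/to/copied/id_rsa`, which defaults the destination to `$HOME/.ssh/id_rsa`. Copying the key from the laptop to the server is left to whatever transport you already trust (scp over the working connection, for instance); the script only deals with what happens once the file is on disk.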


With the working key copied into place, I re-run in full verbose mode (-vvv):

+ ssh -vvv -CfNL 20903:elior:1433 ilan
OpenSSH_5.9p1, OpenSSL 0.9.8t 18 Jan 2012
debug1: Reading configuration data /etc/ssh_config
debug2: ssh_connect: needpriv 0
debug1: Connecting to ilan [10.0.4.18] port 22.
debug1: Connection established.
debug3: Incorrect RSA1 identifier
debug3: Could not load "/home/dadeniji/.ssh/id_rsa" as a RSA1 public key
debug1: identity file /home/dadeniji/.ssh/id_rsa type 1
debug1: identity file /home/dadeniji/.ssh/id_rsa-cert type -1
debug3: Incorrect RSA1 identifier
debug3: Could not load "/home/dadeniji/.ssh/id_dsa" as a RSA1 public key
debug1: identity file /home/dadeniji/.ssh/id_dsa type 2
debug1: identity file /home/dadeniji/.ssh/id_dsa-cert type -1
debug1: identity file /home/dadeniji/.ssh/id_ecdsa type -1
debug1: identity file /home/dadeniji/.ssh/id_ecdsa-cert type -1
debug1: Remote protocol version 2.0, remote software version OpenSSH_4.5
debug1: match: OpenSSH_4.5 pat OpenSSH_4*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_5.9
debug2: fd 3 setting O_NONBLOCK
debug3: load_hostkeys: loading entries for host "ilan" from file "/home/dadeniji/.ssh/known_hosts"
debug3: load_hostkeys: found key type RSA in file /home/dadeniji/.ssh/known_hosts:7
debug3: load_hostkeys: loaded 1 keys
debug3: order_hostkeyalgs: prefer hostkeyalgs: ssh-rsa-cert-v01@openssh.com,ssh-rsa-cert-v00@openssh.com,ssh-rsa
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug2: kex_parse_kexinit: ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-rsa-cert-v01@openssh.com,ssh-rsa-cert-v00@openssh.com,ssh-rsa,ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521-cert-v01@openssh.com,ssh-dss-cert-v01@openssh.com,ssh-dss-cert-v00@openssh.com,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-dss
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-sha2-256,hmac-sha2-256-96,hmac-sha2-512,hmac-sha2-512-96,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-sha2-256,hmac-sha2-256-96,hmac-sha2-512,hmac-sha2-512-96,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: zlib@openssh.com,zlib,none
debug2: kex_parse_kexinit: zlib@openssh.com,zlib,none
debug2: kex_parse_kexinit: 
debug2: kex_parse_kexinit: 
debug2: kex_parse_kexinit: first_kex_follows 0 
debug2: kex_parse_kexinit: reserved 0 
debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour128,arcfour256,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se,aes128-ctr,aes192-ctr,aes256-ctr
debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour128,arcfour256,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se,aes128-ctr,aes192-ctr,aes256-ctr
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: none,zlib@openssh.com
debug2: kex_parse_kexinit: none,zlib@openssh.com
debug2: kex_parse_kexinit: 
debug2: kex_parse_kexinit: 
debug2: kex_parse_kexinit: first_kex_follows 0 
debug2: kex_parse_kexinit: reserved 0 
debug2: mac_setup: found hmac-md5
debug1: kex: server->client aes128-ctr hmac-md5 zlib@openssh.com
debug2: mac_setup: found hmac-md5
debug1: kex: client->server aes128-ctr hmac-md5 zlib@openssh.com
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug2: dh_gen_key: priv key bits set: 133/256
debug2: bits set: 472/1024
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug1: Server host key: RSA 
debug3: load_hostkeys: loading entries for host "ilan" from file "/home/dadeniji/.ssh/known_hosts"
debug3: load_hostkeys: found key type RSA in file /home/dadeniji/.ssh/known_hosts:7
debug3: load_hostkeys: loaded 1 keys
debug3: load_hostkeys: loading entries for host "10.0.4.18" from file "/home/dadeniji/.ssh/known_hosts"
debug3: load_hostkeys: found key type RSA in file /home/dadeniji/.ssh/known_hosts:7
debug3: load_hostkeys: loaded 1 keys
debug1: Host 'ilan' is known and matches the RSA host key.
debug1: Found key in /home/dadeniji/.ssh/known_hosts:7
debug2: bits set: 504/1024
debug1: ssh_rsa_verify: signature correct
debug2: kex_derive_keys
debug2: set_newkeys: mode 1
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug2: set_newkeys: mode 0
debug1: SSH2_MSG_NEWKEYS received
debug1: Roaming not allowed by server
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug2: service_accept: ssh-userauth
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug2: key: /home/dadeniji/.ssh/id_rsa (0x80047438)
debug2: key: /home/dadeniji/.ssh/id_dsa (0x80049be8)
debug2: key: /home/dadeniji/.ssh/id_ecdsa (0x0)
debug3: input_userauth_banner

********************************************************************************
*                               !!! WARNING !!!                                *
********************************************************************************
* This system is a restricted access system. All activity on this system is    *
* subject to monitoring. Information collected that is malicious, unauthorized *
* or unlawful may be provided to the relevant authorities for further action.  *
* By continuing past this point, you expressly consent to this monitoring.     *
********************************************************************************

debug1: Authentications that can continue: publickey
debug3: start over, passed a different list publickey
debug3: preferred publickey,keyboard-interactive,password
debug3: authmethod_lookup publickey
debug3: remaining preferred: keyboard-interactive,password
debug3: authmethod_is_enabled publickey
debug1: Next authentication method: publickey
debug1: Offering RSA public key: /home/dadeniji/.ssh/id_rsa
debug3: send_pubkey_test
debug2: we sent a publickey packet, wait for reply
debug1: Server accepts key: pkalg ssh-rsa blen 279
debug2: input_userauth_pk_ok: fp 
debug3: sign_and_send_pubkey: RSA 
debug1: key_parse_private_pem: PEM_read_PrivateKey failed
debug1: read PEM private key done: type 
debug1: read PEM private key done: type RSA
debug1: Enabling compression at level 6.
debug1: Authentication succeeded (publickey).
Authenticated to ilan ([10.0.4.18]:22).
debug1: Local connections to LOCALHOST:20903 forwarded to remote address elior:1433
debug3: channel_setup_fwd_listener: type 2 wildcard 0 addr NULL
debug3: sock_set_v6only: set socket 4 IPV6_V6ONLY
debug1: Local forwarding listening on ::1 port 20903.
debug2: fd 4 setting O_NONBLOCK
debug3: fd 4 is O_NONBLOCK
debug1: channel 0: new [port listener]
debug1: Local forwarding listening on 127.0.0.1 port 20903.

Thank goodness, we are now good.  Our log has all the good stuff:

  • Authentication succeeded (publickey).  Authenticated to <ssh server>
  • Local connections to LOCALHOST:<local ssh port number> forwarded to remote address <remote ssh address>:<remote ssh port>
  • Local forwarding listening on ::1 port <local ssh port number>
  • Local forwarding listening on 127.0.0.1 port <local ssh port number>

BTW, if you have numerous ssh tunnels to create, be sure to use “ssh-agent”.  ssh-agent holds your key once you have entered its passphrase, so you do not have to enter it repeatedly.

Ramesh Natarajan has a nice post on it, and even knowing so little, I was able to follow and use it within a few minutes:

Perform SSH and SCP Without Entering Password on openSSH:

http://www.thegeekstuff.com/2008/06/perform-ssh-and-scp-without-entering-password-on-openssh/

The two most useful commands for me at this time are:

  • Start SSH Agent (ssh-agent $SHELL)
  • Load SSH Key into SSH-Agent (ssh-add)

ssh-agent:

    ssh-agent $SHELL

ssh-add:

    ssh-add

