My system is Windows 2000 Professional SP2 (with current patches), with
NTFS drives. I have followed the instructions on the SSHD Setup page
http://tech.erdelynet.com/cygwin-sshd.asp and also tried to search
through the list archives and other web sources to try to figure out the
problem with no success. (*A note: I had also many initial setup errors
while following the step-by-step SSHD Setup procedure on the site. I am
appending my notes on setup problems to the very bottom of this message,
below my immediate problem - under the sshd and ssh debug logs.)

After starting "/usr/sbin/sshd" manually and attempting to connect with
"ssh localhost", when prompted for my password, I get the following
error:

Permission denied, please try again.

Does anyone have any other suggestions to troubleshoot my password
problem? I would really appreciate any suggestions.

Thank you.

Chris
-------------------------------
The /etc/passwd file:
everyone:*:0:0:,S-1-1-0::/bin/false
system:*:18:18:,S-1-5-18::/bin/false
admins:*:544:544:,S-1-5-32-544::/bin/false
admin:unused_by_nt/2000/xp:500:513:Administrator,U-ZEN\Administrator,S-1-5-21-422539723-1927995588-1060284298-500:/home/Administrator:/bin/bash
zen:unused_by_nt/2000/xp:1000:513:zen,U-ZEN\zen,S-1-5-21-422539723-1927995588-1340221298-1000:/home/zen:/bin/bash
---------------------------
Permissions:
zen@ZEN /etc
$ ls -al ssh*
-rw-rw-rw- 1 Administ Administ 955 Mar 25 00:47 ssh_config
-r-xr--r-- 1 SYSTEM SYSTEM 668 Mar 24 23:10 ssh_host_dsa_key
-r-xr-xr-x 1 Administ Administ 597 Mar 24 23:10 ssh_host_dsa_key.pub
-r-xr--r-- 1 SYSTEM SYSTEM 522 Mar 24 23:10 ssh_host_key
-r-xr-xr-x 1 Administ Administ 326 Mar 24 23:10 ssh_host_key.pub
-r-xr--r-- 1 SYSTEM SYSTEM 887 Mar 24 23:10 ssh_host_rsa_key
-r-xr-xr-x 1 Administ Administ 217 Mar 24 23:10 ssh_host_rsa_key.pub
-rw-rw-rw- 1 Administ Administ 1562 Mar 25 00:47 sshd_config
------------------------
I have tried the following changes (to the instructions on the SSHD
Setup page):
mkgroup -l > /etc/group
edit sshd_config: StrictModes yes
chown system.system /etc/ssh*key
chmod 0600 /etc/ssh*key
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet001\Services\sshd\Parameters]
"AppPath"="c:\cygwin\usr\sbin\sshd.exe"
change System Environment values to Cygwin=ntsec (from "ntsec tty") and
add Path and Cygwin variable also to User "zen" in addition to System
Remove sshd and setup again with "ssh-host-config -y" again, only
change: "CYGWIN=ntsec" instead of (ntsec tty). (* "note: install sshd as
a service?" is not a prompt, it just automatically seems to install)
---------------------------
My ssh and sshd debug logs:
*note: I get the same error trying ssh to zen, localhost or 127.0.0.1
zen is the machine name and also my user account (an admin account). I
know it might be confusing.
- SSH LOG BELOW:
$ ssh -v ZEN
OpenSSH_3.1p1, SSH protocols 1.5/2.0, OpenSSL 0x0090603f
debug1: Reading configuration data /etc/ssh_config
debug1: Rhosts Authentication disabled, originating port will not be trusted.
debug1: restore_uid
debug1: ssh_connect: getuid 1000 geteuid 1000 anon 1
debug1: Connecting to ZEN [192.168.0.2] port 22.
debug1: temporarily_use_uid: 1000/513 (e=1000)
debug1: restore_uid
debug1: temporarily_use_uid: 1000/513 (e=1000)
debug1: restore_uid
debug1: Connection established.
debug1: read PEM private key done: type DSA
debug1: read PEM private key done: type RSA
debug1: identity file /home/zen/.ssh/identity type -1
debug1: identity file /home/zen/.ssh/id_rsa type -1
debug1: identity file /home/zen/.ssh/id_dsa type -1
debug1: Remote protocol version 1.99, remote software version OpenSSH_3.1p1
debug1: match: OpenSSH_3.1p1 pat OpenSSH*
Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_3.1p1
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes128-cbc hmac-md5 none
debug1: kex: client->server aes128-cbc hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug1: dh_gen_key: priv key bits set: 131/256
debug1: bits set: 1602/3191
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
The authenticity of host 'zen (192.168.0.2)' can't be established.
RSA key fingerprint is f1:6c:df:af:19:b4:6c:09:14:f9:de:d7:d1:02:ab:c2.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'zen,192.168.0.2' (RSA) to the list of known hosts.
debug1: bits set: 1577/3191
debug1: ssh_rsa_verify: signature correct
debug1: kex_derive_keys
debug1: newkeys: mode 1
debug1: SSH2_MSG_NEWKEYS sent
debug1: waiting for SSH2_MSG_NEWKEYS
debug1: newkeys: mode 0
debug1: SSH2_MSG_NEWKEYS received
debug1: done: ssh_kex2.
debug1: send SSH2_MSG_SERVICE_REQUEST
debug1: service_accept: ssh-userauth
debug1: got SSH2_MSG_SERVICE_ACCEPT
debug1: authentications that can continue: publickey,password,keyboard-interactive
debug1: next auth method to try is publickey
debug1: try privkey: /home/zen/.ssh/identity
debug1: try privkey: /home/zen/.ssh/id_rsa
debug1: try privkey: /home/zen/.ssh/id_dsa
debug1: next auth method to try is keyboard-interactive
debug1: authentications that can continue: publickey,password,keyboard-interactive
debug1: next auth method to try is password
zen@zen's password:
debug1: packet_send2: adding 64 (len 54 padlen 10 extra_pad 64)
debug1: authentications that can continue: publickey,password,keyboard-interactive
Permission denied, please try again.
zen@zen's password:
- SSHD LOG BELOW:
zen@ZEN ~
$ /usr/sbin/sshd -D -d -d -d
debug1: sshd version OpenSSH_3.1p1
debug1: private host key: #0 type 0 RSA1
debug3: Not a RSA1 key file /etc/ssh_host_rsa_key.
debug1: read PEM private key done: type RSA
debug1: private host key: #1 type 1 RSA
debug3: Not a RSA1 key file /etc/ssh_host_dsa_key.
debug1: read PEM private key done: type DSA
debug1: private host key: #2 type 2 DSA
debug1: Bind to port 22 on 0.0.0.0.
Server listening on 0.0.0.0 port 22.
Generating 768 bit RSA key.
RSA key generation complete.
debug1: Server will not fork when running in debugging mode.
Connection from 192.168.0.2 port 1184
debug1: Client protocol version 2.0; client software version OpenSSH_3.1p1
debug1: match: OpenSSH_3.1p1 pat OpenSSH*
Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-1.99-OpenSSH_3.1p1
debug1: list_hostkey_types: ssh-rsa,ssh-dss
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc
debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: none,zlib
debug2: kex_parse_kexinit: none,zlib
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc
debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: none
debug2: kex_parse_kexinit: none
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug2: mac_init: found hmac-md5
debug1: kex: client->server aes128-cbc hmac-md5 none
debug2: mac_init: found hmac-md5
debug1: kex: server->client aes128-cbc hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST received
debug1: SSH2_MSG_KEX_DH_GEX_GROUP sent
debug1: dh_gen_key: priv key bits set: 128/256
debug1: bits set: 1577/3191
debug1: expecting SSH2_MSG_KEX_DH_GEX_INIT
debug1: bits set: 1602/3191
debug1: SSH2_MSG_KEX_DH_GEX_REPLY sent
debug1: kex_derive_keys
debug1: newkeys: mode 1
debug1: SSH2_MSG_NEWKEYS sent
debug1: waiting for SSH2_MSG_NEWKEYS
debug1: newkeys: mode 0
debug1: SSH2_MSG_NEWKEYS received
debug1: KEX done
debug1: userauth-request for user zen service ssh-connection method none
debug1: attempt 0 failures 0
debug2: input_userauth_request: setting up authctxt for zen
debug2: input_userauth_request: try method none
Failed none for zen from 192.168.0.2 port 1184 ssh2
debug1: userauth-request for user zen service ssh-connection method keyboard-interactive
debug1: attempt 1 failures 1
debug2: input_userauth_request: try method keyboard-interactive
debug1: keyboard-interactive devs
debug1: auth2_challenge: user=zen devs=
debug1: kbdint_alloc: devices ''
debug2: auth2_challenge_start: devices
Failed keyboard-interactive for zen from 192.168.0.2 port 1184 ssh2
debug1: userauth-request for user zen service ssh-connection method password
debug1: attempt 2 failures 2
debug2: input_userauth_request: try method password
Failed password for zen from 192.168.0.2 port 1184 ssh2
-------------------------------------------
* I had the following multiple problems/questions on the initial setup,
while following the step-by-step instructions:
Step 7.
$ . ~/fixperms.sh
Use this script at YOUR OWN RISK!
I have not had the opportunity to test this on all systems and cannot
predict the outcome on your system. Please read the man pages on the
commands in the script so you are sure what the commands are going to
do to your system. If you have questions or problems, please join my
bash: /home/zen/fixperms.sh: line 7: syntax error near unexpected token `(h'
bash: /home/zen/fixperms.sh: line 7: `echo ssh-l mailing list (http://tech.erdelynet.com/ssh-l.asp).'
ERROR HERE - the script halts.
I solved the problem by deleting the "echo" lines before "echo press
Enter to continue..." and saving it as "fixperms2.sh"
Changing ownership of all files to admins.
Removing write permissions for others and groups
Changing ownership of home directories
Changing /home/zen to be owned by zen.513
chown: changing ownership of `/home/zen': Permission denied
chown: changing ownership of `/home/zen/fixperms.sh': Permission denied
chown: changing ownership of `/home/zen/fixperms2.sh': Permission denied
Fixing /tmp
Fixing /etc
Fixing files in /
chmod: getting attributes of `/setup.log*': No such file or directory
Done.
Step 8.
should CYGWIN= be "ntsec tty" or "tty ntsec" ? In step 1 the
environment variable is set to "ntsec tty" but in step 8, it says to set
the variable to "tty ntsec" ? Is this a typo? Or should this value be
"binmode ntsec tty" ?
Do you want to install sshd as service?
Which value should the environment variable CYGWIN have when
sshd starts? It's recommended to set at least "ntsec" to be
able to change user context without password.
Default is "binmode ntsec tty". CYGWIN=ntsec tty
chown: changing ownership of `/etc/ssh_config': Permission denied
chown: changing ownership of `/etc/ssh_host_dsa_key': Permission denied
chown: changing ownership of `/etc/ssh_host_dsa_key.pub': Permission denied
chown: changing ownership of `/etc/ssh_host_key': Permission denied
chown: changing ownership of `/etc/ssh_host_key.pub': Permission denied
chown: changing ownership of `/etc/ssh_host_rsa_key': Permission denied
chown: changing ownership of `/etc/ssh_host_rsa_key.pub': Permission denied
chown: changing ownership of `/etc/sshd_config': Permission denied
Step 9.
$ chown 18:18 /var/log/sshd.log
chown: getting attributes of `/var/log/sshd.log': No such file or directory
Step 10.
$ cygrunsrv -S sshd
cygrunsrv: Error starting a service: QueryServiceStatus: Win32 error 1062:
The service has not been started.
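
Added example, not part of the original message: a shell check over the `ls -al ssh*` listing quoted in the message that flags private host keys accessible to group or other, and configuration files writable by them. The function names and finding labels are hypothetical, and the check assumes the mode column reflects the files' real access rights.

```shell
#!/bin/sh
# Added example: audit an `ls -l` listing of sshd files for loose modes.
# Rules applied (assumptions of this example):
#   private host keys (ssh_host_*key, not *.pub): no group/other access at all
#   ssh_config / sshd_config: not writable by group or other

# Listing from the message, with the two wrapped lines rejoined.
sample_listing() {
    cat <<'EOF'
-rw-rw-rw- 1 Administ Administ 955 Mar 25 00:47 ssh_config
-r-xr--r-- 1 SYSTEM SYSTEM 668 Mar 24 23:10 ssh_host_dsa_key
-r-xr-xr-x 1 Administ Administ 597 Mar 24 23:10 ssh_host_dsa_key.pub
-r-xr--r-- 1 SYSTEM SYSTEM 522 Mar 24 23:10 ssh_host_key
-r-xr-xr-x 1 Administ Administ 326 Mar 24 23:10 ssh_host_key.pub
-r-xr--r-- 1 SYSTEM SYSTEM 887 Mar 24 23:10 ssh_host_rsa_key
-r-xr-xr-x 1 Administ Administ 217 Mar 24 23:10 ssh_host_rsa_key.pub
-rw-rw-rw- 1 Administ Administ 1562 Mar 25 00:47 sshd_config
EOF
}

# Reads `ls -l` lines on stdin, prints one finding per offending file.
audit_ssh_listing() {
    awk '
    length($1) == 10 && substr($1, 1, 1) == "-" {
        mode = $1; name = $NF
        if (name ~ /^ssh_host_/ && name ~ /key$/) {
            # chars 5-10 of the mode string are the group and other bits
            if (substr(mode, 5, 6) != "------")
                print "PRIVATE_KEY_EXPOSED", name, mode
        } else if (name == "ssh_config" || name == "sshd_config") {
            # char 6 is group-write, char 9 is other-write
            if (substr(mode, 6, 1) == "w" || substr(mode, 9, 1) == "w")
                print "CONFIG_WRITABLE", name, mode
        }
    }'
}

sample_listing | audit_ssh_listing
```

A listing taken after `chmod 0600 /etc/ssh*key` has been applied successfully should produce no PRIVATE_KEY_EXPOSED lines.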
Received on Mon Mar 25 03:19:19 2002