This is the mail archive of the cygwin mailing list for the Cygwin project.



Re: IBM ssh gateway


On 2/1/2012 6:11 PM, Guy Harrison wrote:
On Wednesday 01 February 2012 18:04:19 Larry Hall (Cygwin) wrote:
On 2/1/2012 9:42 AM, Guy Harrison wrote:
Hi Ryan,

On Wednesday 01 February 2012 13:43:32 Ryan Johnson wrote:
On 01/02/2012 5:46 AM, Guy Harrison wrote:
Hi Folks,

Can anyone help interpret this? I am fairly certain the problem lies
with IBM but I am no crypto expert. Is (for instance) the server
rejecting the connection because (say) it does not understand ECDSA?
Unfortunately I do not have an older instance of cygwin ssh to try
that theory out. The failure is recent. I upgraded my cygwin
instances over xmas.

My primary concern is that the latter (linux) connection (after ~~~)
may fail after a future upgrade.

I would definitely check with your local network security folks. When I was last at IBM I had trouble connecting from a certain machine -- just that one -- and nobody could figure out why. Finally, it turned out that I had a lot of locales installed and the long list of supported languages announced by my ssh client triggered some firewall rule.

Unfortunately I forgot to mention the problem occurs both from my home network and via my work network (which I could easily have believed was at fault - they've messed with it a lot recently). The ~~~ linux box above connects via my home network but I have an aix box at work that also connects successfully whereas work cygwin (that's on XP) fails in the same fashion as my original post.

So you're defining a successful connection as one where any key file is ignored/invalidated and you're left to login with your password?

Yes. Only password authentication is allowed on that IP address. Once connected, it is possible to connect to virtual machines we have set up via our company account. Ordinarily our usual scenario is to connect to the gateway with a username plus forward some local ports..

	<example>
$ ssh \
         -L "$RHE55_SSH"":""$RHE55":22 \
         -L "$RHE55_VNC"":""$RHE55":5900 \
         -L "$RHE55_SQL"":""$RHE55":3306 \
  \
         "$SSH_USER"@"$SSH_GATE"
	</example>

..which will facilitate subsequent key authentication via the local port..

	<example>
$ ssh -p $RHE55_SSH -YC \
	-o UserKnownHostsFile=/dev/null \
	-o StrictHostKeyChecking=no \
	$SSH_USER@localhost "$@"
	</example>

..unfortunately I can't post the value for SSH_USER but as previously posted
SSH_GATE is "198.81.193.104". Is it possible for others to try..
$ ssh -vv 198.81.193.104
..as that's enough to trigger the fault.

Indeed. I do see that even if I limit authentication methods to password. And it does go through OK if I use a web client (serfish).

--
Larry

_____________________________________________________________________

A: Yes.
> Q: Are you sure?
>> A: Because it reverses the logical flow of conversation.
>>> Q: Why is top posting annoying in email?

--
Problem reports:       http://cygwin.com/problems.html
FAQ:                   http://cygwin.com/faq/
Documentation:         http://cygwin.com/docs.html
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple
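
An added example, not part of the thread and not written by any of the posters: the two-step login described in the message above (password login to the gateway with local forwards, then key login through the forwarded port) as an ssh_config fragment that keeps host key verification on the forwarded port by using HostKeyAlias. The host aliases, local port numbers, VM hostname and user name are constructed placeholders; only the gateway address comes from the thread.

```sshconfig
# Added example. Aliases, ports, the VM hostname and the user name are
# constructed placeholders; only 198.81.193.104 appears in the thread.

# Step 1: password login to the gateway, opening the three forwards.
Host ibm-gate
    HostName 198.81.193.104
    User SSH_USER_PLACEHOLDER
    PreferredAuthentications password
    PubkeyAuthentication no
    # Abort if a local port cannot be bound, so step 2 never talks to
    # some other service that already listens on that port.
    ExitOnForwardFailure yes
    LocalForward 127.0.0.1:2222 rhe55.placeholder.example:22
    LocalForward 127.0.0.1:5900 rhe55.placeholder.example:5900
    LocalForward 127.0.0.1:3306 rhe55.placeholder.example:3306

# Step 2: key login to the VM through the forwarded SSH port.
Host rhe55
    HostName 127.0.0.1
    Port 2222
    User SSH_USER_PLACEHOLDER
    # Record and look up the VM's host key under this name instead of
    # "[127.0.0.1]:2222", so keys of different forwarded hosts do not
    # collide and checking does not have to be switched off.
    HostKeyAlias rhe55.placeholder.example
    CheckHostIP no
    StrictHostKeyChecking yes
    UserKnownHostsFile ~/.ssh/known_hosts
    # Same effect as -YC in the posted command.
    ForwardX11 yes
    ForwardX11Trusted yes
    Compression yes
```

With this in `~/.ssh/config`, `ssh ibm-gate` opens the forwards and `ssh rhe55` uses them. The VM's host key has to be added to known_hosts once under the alias name, after its fingerprint has been checked out of band.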
