sshd not working properly
Mario Emmenlauer
mario@emmenlauer.de
Fri Jan 17 14:37:56 GMT 2025
On 17.01.25 15:00, Corinna Vinschen via Cygwin wrote:
> On Jan 17 06:41, Brian Inglis via Cygwin wrote:
>> On 2025-01-17 05:51, Corinna Vinschen via Cygwin wrote:
>>> On Jan 17 11:59, Mario Emmenlauer via Cygwin wrote:
>>>> I am under the impression that there may be a misbehavior in more recent
>>>> Cygwin OpenSSH :-(
>>>>
>>>> I observe the same problem as Andy Wood was having, and found another
>>>> very recent identical report at https://serverfault.com/q/1168457/473559.
>>>> Their cases, as well as mine, seem to share, that OpenSSH can no longer
>>>> correctly authenticate as a user without having the plain text password
>>>> stored in the registry.
>>>>
>>>> In my case, this is exclusively limited to domain users. Local users
>>>> work correctly. I can see that at least one other report, the one at
>>>> Serverfault, is also for a domain user. Also, everything that is
>>>> reported at Serverfault applies basically identically to my case, i.e.
>>>> the connection being just dropped, and the only relevant message from
>>>> OpenSSH being "fatal: seteuid 4096: Function not implemented".
>>>
>>> I just tested this on my local W11 24H2 Enterprise installation with
>>> Cygwin 3.5.5 and OpenSSH 9.9p1 installed as service under the SYSTEM
>>> account, and it works fine for me in a Windows domain with one 2019 and
>>> one 2022 Domain Server.
I just realized that maybe I missed something important: My user accounts
are domain users from a company, but I think they are just registered with
Microsoft, is that possible? I'm an external user of that company, and the
computers are not in the company domain - I did not register them with any
particular domain server. From my naiive point of view, its just Microsoft
accounts, that happen to be for a company domain, and I can use them i.e.
with all the Microsoft online services like Office 365 or Visual Studio.
Could that be a problem, that I need to be in the company domain for things
to work, or that I need to register with a company domain server? I'm very
new to the whole Microsoft ecosystem :-/
>>> I tested with a user account in the administrators group as well as with
>>> a non-admin user account, and to both accounts I can login with pubkey
>>> authentication as expected.
>>>
>>> The error message "seteuid 4096: Function not implemented" is weird.
>>> The internal implementation only uses documented functions.
>>> Which Windows version are you running the service on exactly?
This is Windows 11 Pro 24H2, OS build 26100.2894, that was installed
newly from scratch just this week. Actually all my tested machines are
the same Windows and Cygwin versions, all newly installed this week,
albeit different hardware.
>>> Do you have any other entries in the server-side Windows Log, which may
>>> be connected, especially inside the Security log. Kerberos or so.
Yes, I do. The message shown above is the only one in the Application
event log. However, in the Security event log, there are events of type
"Audit Failure". The most relevant section seems to be "EventData",
that I copy here (with some comments from me, added at the end):
----
An account failed to log on.
Subject:
Security ID: SYSTEM
Account Name: AIDAN07$ # my computer hostname
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Type: 3
Account For Which Logon Failed:
Security ID: NULL SID
Account Name:
Account Domain: MYCOMPANY # the company name
Failure Information:
Failure Reason: An Error occured during Logon.
Status: 0xC00000BB
Sub Status: 0x0
Process Information:
Caller Process ID: 0x3988
Caller Process Name: C:\cygwin64\usr\sbin\sshd-session.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Cygwin.1
Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon request fails. It is generated on the computer where access was attempted.
The Subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local
process such as Winlogon.exe or Services.exe.
The Logon Type field indicates the kind of logon that was requested. The most common types are 2 (interactive) and 3 (network).
The Process Information fields indicate which account and process on the system requested the logon.
The Network Information fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The authentication information fields provide detailed information about this specific logon request.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
----
I can not see any other relevant logs right now. I may need to enable
Cygwin logging, I guess? It will be more verbose? Is the guide at
https://superuser.com/a/1550243/1053994 suitable for modern Cygwin sshd
logging?
>>> Other than that, it might be prudent to run sshd in a SYSTEM shell
>>> under strace.
>>
>> Any chance the user is also running Windows sshd and tyhat has grabbed the port?
>
> Good point, worth checking...
Sorry, that was missing from my list: I'm running Cygwin sshd on custom
port 22120, but also checked, Windows OpenSSH is disabled.
All the best,
Mario
More information about the Cygwin
mailing list