Non-interactive SSH connection fails - error: can't open /dev/tty: No such device or address - Host key verification failed

Constantin Caraivan
Hello,

Below you can see the log. The connection is from a Windows 2008
Cygwin SSH client to a Windows 2008 Cygwin SSHD server.
The connection works ok when launched from the command line but fails
when launched from Jenkins (Java Continuous Integration server).
Jenkins actually creates a temporary batch script containing exactly
the same command I can run from the command line directly. So: manual
execution - ok, execution through the script - *ko*.
The /dev/tty file exists and is rw for everybody. I tried deleting it
and recreating it, but I can't since Cygwin recreates it before I can
create a link to /dev/ttySO.
The connection uses SSH keys with no passphrases.

Any other extra debugging ideas? By the way, where can I see the
Cygwin SSHD server logs? In /var/logs/sshd.log is empty :(

ssh -t -vvv [hidden email] 'mv -v /cygdrive/z/deploy-scripts /cygdrive/z/deploy-scripts-`date +%F_%H-%M-%S`'
OpenSSH_6.0p1, OpenSSL 1.0.1c 10 May 2012
Pseudo-terminal will not be allocated because stdin is not a terminal.
debug2: ssh_connect: needpriv 0
debug1: Connecting to server.company.com port 22.
debug1: Connection established.
debug1: identity file /.ssh/id_rsa type -1
debug1: identity file /.ssh/id_rsa-cert type -1
debug1: identity file /.ssh/id_dsa type -1
debug1: identity file /.ssh/id_dsa-cert type -1
debug1: identity file /.ssh/id_ecdsa type -1
debug1: identity file /.ssh/id_ecdsa-cert type -1
debug1: Remote protocol version 2.0, remote software version OpenSSH_5.9
debug1: match: OpenSSH_5.9 pat OpenSSH_5*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_6.0
debug2: fd 3 setting O_NONBLOCK
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug2: kex_parse_kexinit:
ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit:
[hidden email],[hidden email],[hidden email],[hidden email],[hidden email],[hidden email],[hidden email],ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-rsa,ssh-dss
debug2: kex_parse_kexinit:
aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,[hidden email]
debug2: kex_parse_kexinit:
aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,[hidden email]
debug2: kex_parse_kexinit:
hmac-md5,hmac-sha1,[hidden email],hmac-sha2-256,hmac-sha2-256-96,hmac-sha2-512,hmac-sha2-512-96,hmac-ripemd160,[hidden email],hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit:
hmac-md5,hmac-sha1,[hidden email],hmac-sha2-256,hmac-sha2-256-96,hmac-sha2-512,hmac-sha2-512-96,hmac-ripemd160,[hidden email],hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: none,[hidden email],zlib
debug2: kex_parse_kexinit: none,[hidden email],zlib
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug2: kex_parse_kexinit:
ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-rsa,ssh-dss,ecdsa-sha2-nistp256
debug2: kex_parse_kexinit:
aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,[hidden email]
debug2: kex_parse_kexinit:
aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,[hidden email]
debug2: kex_parse_kexinit:
hmac-md5,hmac-sha1,[hidden email],hmac-sha2-256,hmac-sha2-256-96,hmac-sha2-512,hmac-sha2-512-96,hmac-ripemd160,[hidden email],hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit:
hmac-md5,hmac-sha1,[hidden email],hmac-sha2-256,hmac-sha2-256-96,hmac-sha2-512,hmac-sha2-512-96,hmac-ripemd160,[hidden email],hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: none,[hidden email]
debug2: kex_parse_kexinit: none,[hidden email]
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug2: mac_setup: found hmac-md5
debug1: kex: server->client aes128-ctr hmac-md5 none
debug2: mac_setup: found hmac-md5
debug1: kex: client->server aes128-ctr hmac-md5 none
debug1: sending SSH2_MSG_KEX_ECDH_INIT
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug1: Server host key: ECDSA
debug1: read_passphrase: can't open /dev/tty: No such device or address
Host key verification failed

Thank you,
_____________
Costin Caraivan

--
Problem reports:       http://cygwin.com/problems.html
FAQ:                   http://cygwin.com/faq/
Documentation:         http://cygwin.com/docs.html
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple

Re: Non-interactive SSH connection fails - error: can't open /dev/tty: No such device or address - Host key verification failed

Larry Hall (Cygwin)
On 8/23/2012 2:31 PM, Costin Caraivan wrote:

> Hello,
>
> Below you can see the log. The connection is from a Windows 2008
> Cygwin SSH client to a Windows 2008 Cygwin SSHD server.
> The connection works ok when launched from the command line but fails
> when launched from Jenkins (Java Continuous Integration server).
> Jenkins actually creates a temporary batch script containing exactly
> the same command I can run from the command line directly. So: manual
> execution - ok, execution through the script - *ko*.
> The /dev/tty file exists and is rw for everybody. I tried deleting it
> and recreating it, but I can't since Cygwin recreates it before I can
> create a link to /dev/ttySO.
> The connection uses SSH keys with no passphrases.

Can we see cygcheck -srv output for both machines?  Does it work going
from client to client or server to server (i.e. 1 machine only).  Are
you up-to-date?  If so, does the latest snapshot help?

<http://cygwin.com/snapshots/>

> Any other extra debugging ideas? By the way, where can I see the
> Cygwin SSHD server logs? In /var/logs/sshd.log is empty :(

'/var/log/sshd.log'.  But it will be empty if nothing noteworthy
has occurred.  If you want to see more chatter, add a new service entry
to run sshd with debug flags.  You can grab the details for how to set up
a sshd service from '/bin/ssh-host-config' but the basics are:

/usr/bin/cygrunsrv -I sshd_debug -d "CYGWIN Debug sshd" -p /usr/sbin/sshd -a "-D -d -d -d" -y tcpip -u cyg_server -w <your cyg_server password here>

The three "-d" flags are the important part.  To start this service, use:

/usr/bin/cygrunsrv -S sshd_debug

This will need to be restarted with each connection attempt.  Also, you
should stop your regular sshd service while running this so they don't
conflict.

/usr/bin/cygrunsrv -E sshd

Apologies for typos.

--
Larry

_____________________________________________________________________

A: Yes.
 > Q: Are you sure?
 >> A: Because it reverses the logical flow of conversation.
 >>> Q: Why is top posting annoying in email?

Re: Non-interactive SSH connection fails - error: can't open /dev/tty: No such device or address - Host key verification failed

Constantin Caraivan
> Can we see cygcheck -srv output for both machines?  Does it work going
> from client to client or server to server (i.e. 1 machine only).  Are
> you up-to-date?  If so, does the latest snapshot help?

This is the output:
client: http://pastebin.com/Agv3tsNU
server: http://pastebin.com/w3MiS0Zi


> <http://cygwin.com/snapshots/>

I'd rather not update the installations until I'm sure that it's a Cygwin bug.


>> Any other extra debugging ideas? By the way, where can I see the
>> Cygwin SSHD server logs? In /var/logs/sshd.log is empty :(
>
>
> '/var/log/sshd.log'.  But it will be empty if nothing noteworthy
> has occurred.  If you want to see more chatter, add a new service entry
> to run sshd with debug flags.  You can grab the details for how to set up
> a sshd service from '/bin/ssh-host-config' but the basics are:
>
> /usr/bin/cygrunsrv -I sshd_debug -d "CYGWIN Debug sshd" -p /usr/sbin/sshd -a "-D -d -d -d" -y tcpip -u cyg_server -w <your cyg_server password here>
>
> The three "-d" flags are the important part.  To start this service, use:
>
> /usr/bin/cygrunsrv -S sshd_debug
>
> This will need to be restarted with each connection attempt.  Also, you
> should stop your regular sshd service while running this so they don't
> conflict.
>
> /usr/bin/cygrunsrv -E sshd
>
> Apologies for typos.
>
> --
> Larry

Thanks, I'll try the debugging option. I've tried creating a batch
script manually and launching the command. Is it possible that the
terminal type or the interactive/non-interactive influences the SSH
connection? Jenkins launches the batch script from Java, I'm not sure
exactly how, probably:
http://docs.oracle.com/javase/1.5.0/docs/api/java/lang/ProcessBuilder.html
When I create the script myself and launch it from bash or cmd.exe,
the command works. Not so from Jenkins.

The thing is, the same command used to work, and Jenkins itself hasn't
been updated. The server Cygwin also hasn't changed. So I'm trying to
figure out which client or OS configuration option changed, so I can
revert it. But I'm not sure what to look for :(
_____________
Costin Caraivan

Re: Non-interactive SSH connection fails - error: can't open /dev/tty: No such device or address - Host key verification failed

Constantin Caraivan
In reply to this post by Larry Hall (Cygwin)
> '/var/log/sshd.log'.  But it will be empty if nothing noteworthy
> has occurred.  If you want to see more chatter, add a new service entry
> to run sshd with debug flags.  You can grab the details for how to set up
> a sshd service from '/bin/ssh-host-config' but the basics are:
>
> /usr/bin/cygrunsrv -I sshd_debug -d "CYGWIN Debug sshd" -p /usr/sbin/sshd -a "-D -d -d -d" -y tcpip -u cyg_server -w <your cyg_server password here>
>
> The three "-d" flags are the important part.  To start this service, use:
>
> /usr/bin/cygrunsrv -S sshd_debug
>
> This will need to be restarted with each connection attempt.  Also, you
> should stop your regular sshd service while running this so they don't
> conflict.
>
> /usr/bin/cygrunsrv -E sshd
>
> Apologies for typos.
>
> --
> Larry

Tried the debug launch, this is the log for a failed connection:
http://pastebin.com/3WyrhdXq
So it looks like the client is closing the connection (I think). It
seems it cannot find /dev/tty, even though it is there and it has the
rights to access it.

What I find very strange is that there's a different behavior from the
command line and when launched from an application. The command is
exactly the same :(
_____________
Costin Caraivan

Re: Non-interactive SSH connection fails - error: can't open /dev/tty: No such device or address - Host key verification failed

Constantin Caraivan
> Tried the debug launch, this is the log for a failed connection:
> http://pastebin.com/3WyrhdXq
> So it looks like the client is closing the connection (I think). It
> seems it cannot find /dev/tty, even though it is there and it has the
> rights to access it.
>
> What I find very strange is that there's a different behavior from the
> command line and when launched from an application. The command is
> exactly the same :(

I found the root cause. The Jenkins launcher was launched using
SYSTEM. This system user doesn't have a console, and its home folder
is /.
So the public key authentication could not work :(
As always, the logs were pointing in the right direction: /.ssh/id_rsa
type -1 -> notice the missing ~ or /home/myuser :(

Thanks for the help,
_____________
Costin Caraivan
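
The diagnosis reached in this post, as an added example that is not part of the original message: a POSIX shell function that reads an `ssh -v` client log on stdin and flags the lines that gave the cause away. The finding labels and the control log are constructed for illustration; the failing excerpt is taken from the log posted at the top of the thread.

```shell
#!/bin/sh
# Added example: classify an `ssh -v` client log captured from a non-interactive run.
# Finding names (HOME_IS_ROOT, ...) are labels chosen for this example.

diagnose_ssh_log() {
    awk '
    /^debug1: identity file / {
        dir = $4
        sub("/[^/]*$", "", dir)          # drop the file name, keep the directory
        if (dir == "/.ssh") root_home = 1
        total++
        if ($6 == "-1") untyped++        # -1: ssh read no key type for this path
    }
    $0 ~ "read_passphrase: can.t open /dev/tty" { no_tty = 1 }
    /^Host key verification failed/ { hostkey_failed = 1 }
    END {
        if (root_home)
            print "HOME_IS_ROOT: identities searched under /.ssh, the account home is /"
        if (total > 0 && untyped == total)
            print "NO_IDENTITY: none of the " total " default identity paths yielded a key"
        if (no_tty && hostkey_failed)
            print "HOSTKEY_PROMPT_NO_TTY: unknown host key and no terminal to confirm it"
    }'
}

# Excerpt of the failing log posted in this thread.
failing_log() {
    cat <<'EOF'
debug1: identity file /.ssh/id_rsa type -1
debug1: identity file /.ssh/id_rsa-cert type -1
debug1: Server host key: ECDSA
debug1: read_passphrase: can't open /dev/tty: No such device or address
Host key verification failed
EOF
}

# Constructed control: the same client run by a user whose home is /home/myuser.
working_log() {
    cat <<'EOF'
debug1: identity file /home/myuser/.ssh/id_rsa type 1
debug1: identity file /home/myuser/.ssh/id_rsa-cert type -1
debug1: Host 'server.company.com' is known and matches the ECDSA host key.
EOF
}

failing_log | diagnose_ssh_log
```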

Re: Non-interactive SSH connection fails - error: can't open /dev/tty: No such device or address - Host key verification failed

wwwild
In reply to this post by Constantin Caraivan
I know this is an old thread, but it helped me and I wanted to offer the workaround devised with the information here:
With some trial and error we found that creating a .ssh folder in the Cygwin root (c:\Tools\cygwin64 in this case) and copying the necessary known_hosts and id_rsa files from the user's home (c:\Tools\cygwin64\home\tsstester\.ssh in this case) to the new location (and removing all non-user access via Cygwin chmod, unsure if absolutely necessary) resolves the issue.