Windows server refused to start a shell command
Every time I log onto a Cisco ASR 9K router using SecureCRT, I get a pop-up that says: «The server refused to start a shell.»
It doesn’t interfere with using the session; I can ignore or «OK» the dialog box.
I’d just like my client to stop asking.
It sounds like you are using your router as a jump host. You can enable Do not request a shell which is located in the Connection / Port Forwarding category of the Session Options dialog.
VanDyke Software
Technical Support
support@vandyke.com
505-332-5730
Thanks for the post. The option Do not request a shell is not enabled by default.
I ran a test, and if I enable the option, a shell is not requested regardless of the type of remote server, and if the option is disabled, a shell request is made.
Would you provide more details about the problem you are seeing or trying to solve?
VanDyke Software
Technical Support
support@vandyke.com
505-332-5730
Sure, we have several Cisco ASR routers running IOS-XR version 4.2.3 and when I connect to any of them using SSH, SecureCRT has a pop-up window that says «The server refused to start a shell.»
I can click «OK» and move on, but it is an annoyance.
IOS, IOS-XE, and NX-OS devices do not exhibit the same behavior.
This is on SecureCRT for OSX version 7.3.1 (build 685).
Thanks for the update.
How does the Cisco ASR router problem relate to the ASR9K?
VanDyke Software
Technical Support
support@vandyke.com
505-332-5730
They are the same in my situation, I just omitted the «9K» part when I said «ASR».
I only have ASR9Ks to test with; I do not have any ASR1Ks. However, some 10G switches I run do have IOS-XE installed and they act fine.
Initially you mentioned:
If I uncheck the «Do not request a shell» box under Connection > Port Forwarding, no shell is created on the ASR9K and I cannot manage it.
Sure, we have several Cisco ASR routers running IOS-XR version 4.2.3 and when I connect to any of them using SSH, SecureCRT has a pop-up window that says «The server refused to start a shell.»
It seems like these two statements contradict each other.
If the device won’t allow a shell, I am not sure what we can do in SecureCRT to make it provide a shell when connecting.
Would you provide more details about the problem, how it relates to SecureCRT and your goal?
VanDyke Software
Technical Support
support@vandyke.com
505-332-5730
Here are the last few lines from a trace where I get the pop-up error and I can manage the router:
And here are the last few lines where I checked «Do not request a shell», which prevents the pop-up error; however, I cannot manage the router:
Thanks for clarifying the issue.
The first failure in the first case I see is the «agent forwarding request». Perhaps this failure is confusing the server such that it is failing the subsequent request for a shell, and then sending a «success» to some request unknown to SecureCRT.
If you disable Enable OpenSSH agent forwarding for the session you are using to connect, do you get better results?
The option is located in the Connection / SSH2 / Advanced category of the Session Options dialog.
Server refused to start a shell/command in SCP
Can you please let me know if anything needs to be added to the mod_sftp configuration to support WinSCP? I am able to connect via SFTP using WinSCP, but could not connect via SCP using WinSCP.
I tried the following things in the proftpd.conf file:
SFTPClientMatch ".*WinSCP.*" sftpProtocolVersion 4
SFTPClientMatch ".*WinSCP.*" channelWindowSize 64KB
SFTPClientMatch ".*WinSCP.*" channelPacketSize 16KB
I am getting the following error while connecting to the proftpd 1.3.3/mod_sftp server.
Oct 10 19:39:22 [32606] : SSH2 packet len = 28 bytes
Oct 10 19:39:22 [32606] : SSH2 packet padding len = 10 bytes
Oct 10 19:39:22 [32606] : SSH2 packet payload len = 17 bytes
Oct 10 19:39:22 [32606] : SSH2 packet MAC len = 20 bytes
Oct 10 19:39:22 [32606] : received SSH_MSG_SERVICE_REQUEST (5) packet
Oct 10 19:39:22 [32606] : ‘ssh-userauth’ service requested
Oct 10 19:39:22 [32606] : sent SSH_MSG_SERVICE_ACCEPT (6) packet
Oct 10 19:39:22 [32606] : SSH2 packet len = 44 bytes
Oct 10 19:39:22 [32606] : SSH2 packet padding len = 10 bytes
Oct 10 19:39:22 [32606] : SSH2 packet payload len = 33 bytes
Oct 10 19:39:22 [32606] : SSH2 packet MAC len = 20 bytes
Oct 10 19:39:22 [32606] : received SSH_MSG_USER_AUTH_REQUEST (50) packet
Oct 10 19:39:22 [32606] : auth requested for user ‘aa’, service ‘ssh-connection’, using method ‘none’
Oct 10 19:39:22 [32606] : no SFTPAuthorizedUserKeys configured, not offering ‘publickey’ authentication
Oct 10 19:39:22 [32606] : no SFTPAuthorizedHostKeys configured, not offering ‘hostbased’ authentication
Oct 10 19:39:22 [32606] : offering authentication methods: keyboard-interactive,password
Oct 10 19:39:22 [32606] : sent SSH_MSG_USER_AUTH_FAILURE (51) packet
Oct 10 19:39:22 [32606] : SSH2 packet len = 76 bytes
Oct 10 19:39:22 [32606] : SSH2 packet padding len = 18 bytes
Oct 10 19:39:22 [32606] : SSH2 packet payload len = 57 bytes
Oct 10 19:39:22 [32606] : SSH2 packet MAC len = 20 bytes
Oct 10 19:39:22 [32606] : received SSH_MSG_USER_AUTH_REQUEST (50) packet
Oct 10 19:39:22 [32606] : auth requested for user ‘aa’, service ‘ssh-connection’, using method ‘keyboard-interactive’
Oct 10 19:39:22 [32606] : trying kbdint driver ‘pam’ for user ‘aa’
Oct 10 19:39:22 [32606] : setting PAM_TTY to ‘/dev/ftpd32606’
Oct 10 19:39:22 [32606] : handling 1 PAM message
Oct 10 19:39:22 [32606] : sending USER_AUTH_INFO_REQ message to client
Oct 10 19:39:22 [32606] : sent SSH_MSG_USER_AUTH_PASSWD (60) packet
Oct 10 19:39:22 [32606] : SSH2 packet len = 28 bytes
Oct 10 19:39:22 [32606] : SSH2 packet padding len = 16 bytes
Oct 10 19:39:22 [32606] : SSH2 packet payload len = 11 bytes
Oct 10 19:39:22 [32606] : SSH2 packet MAC len = 20 bytes
Oct 10 19:39:22 [32606] : received SSH_MSG_USER_AUTH_INFO_RESP (61) packet
Oct 10 19:39:22 [32606] : reading USER_AUTH_INFO_RESP message from client
Oct 10 19:39:22 [32606] : received PAM_PROMPT_ECHO_OFF message ‘Password: ‘, responding with text
Oct 11 02:39:22 [32606] : sent SSH_MSG_USER_AUTH_SUCCESS (52) packet
Oct 11 02:39:22 [32606] : SSH2 packet len = 220 bytes
Oct 11 02:39:22 [32606] : SSH2 packet padding len = 6 bytes
Oct 11 02:39:22 [32606] : SSH2 packet payload len = 213 bytes
Oct 11 02:39:22 [32606] : SSH2 packet MAC len = 20 bytes
Oct 11 02:39:22 [32606] : received SSH_MSG_IGNORE (2) packet
Oct 11 02:39:22 [32606] : SSH2 packet len = 44 bytes
Oct 11 02:39:22 [32606] : SSH2 packet padding len = 19 bytes
Oct 11 02:39:22 [32606] : SSH2 packet payload len = 24 bytes
Oct 11 02:39:22 [32606] : SSH2 packet MAC len = 20 bytes
Oct 11 02:39:22 [32606] : received SSH_MSG_CHANNEL_OPEN (90) packet
Oct 11 02:39:22 [32606] : open of ‘session’ channel using remote ID 256 requested: initial client window len = 65536 bytes, client max packet size = 16384 bytes
Oct 11 02:39:22 [32606] : confirm open channel remote ID 256, local ID 0: initial server window len = 65536 bytes, server max packet size = 16384 bytes
Oct 11 02:39:22 [32606] : sent SSH_MSG_CHANNEL_OPEN_CONFIRMATION (91) packet
Oct 11 02:39:22 [32606] : SSH2 packet len = 28 bytes
Oct 11 02:39:22 [32606] : SSH2 packet padding len = 12 bytes
Oct 11 02:39:22 [32606] : SSH2 packet payload len = 15 bytes
Oct 11 02:39:22 [32606] : SSH2 packet MAC len = 20 bytes
Oct 11 02:39:22 [32606] : received SSH_MSG_CHANNEL_REQUEST (98) packet
Oct 11 02:39:22 [32606] : received ‘shell’ request for channel ID 0, want reply = true
Oct 11 02:39:22 [32606] : sent SSH_MSG_CHANNEL_FAILURE (100) packet
Oct 11 02:39:22 [32606] : destroying unclosed channel ID 0 (0 bytes pending)
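The trace above ends with a ‘shell’ channel request answered by SSH_MSG_CHANNEL_FAILURE (100). The following is an added example, not part of the original post or of ProFTPD: it pairs each channel request in a trace of this shape with the server's reply, so the refused request type can be read out of a long log. The function names and the last two sample lines (a second session with an accepted request) are constructed for illustration.

```python
import re
from collections import defaultdict

# Line shapes follow the trace quoted above; message numbers are from RFC 4254.
PID = re.compile(r"\[(\d+)\] : ")
REQUEST = re.compile(
    r"received .(?P<type>[\w.@-]+). request for channel ID (?P<chan>\d+), "
    r"want reply = (?P<reply>true|false)")
REPLY = re.compile(r"sent SSH_MSG_CHANNEL_(SUCCESS|FAILURE) \((?:99|100)\) packet")

# Constructed sample: the first three lines repeat the end of the trace above,
# the last two are a hypothetical second session whose request is accepted.
SAMPLE = """\
Oct 11 02:39:22 [32606] : received SSH_MSG_CHANNEL_REQUEST (98) packet
Oct 11 02:39:22 [32606] : received ‘shell’ request for channel ID 0, want reply = true
Oct 11 02:39:22 [32606] : sent SSH_MSG_CHANNEL_FAILURE (100) packet
Oct 11 02:41:07 [32671] : received 'subsystem' request for channel ID 0, want reply = true
Oct 11 02:41:07 [32671] : sent SSH_MSG_CHANNEL_SUCCESS (99) packet
""".splitlines()

def channel_request_outcomes(lines):
    """Pair each channel request with the server's reply, per server process.

    Assumption: within one connection, replies are logged in request order.
    """
    pending = defaultdict(list)   # pid -> requests still waiting for a reply
    outcomes = []                 # (pid, channel, request type, result)
    for line in lines:
        pid_match = PID.search(line)
        if not pid_match:
            continue
        pid = int(pid_match.group(1))
        req = REQUEST.search(line)
        if req:
            entry = (pid, int(req["chan"]), req["type"])
            if req["reply"] == "true":
                pending[pid].append(entry)
            else:                 # client asked for no reply, so none follows
                outcomes.append(entry + ("NO_REPLY",))
            continue
        rep = REPLY.search(line)
        if rep and pending[pid]:
            outcomes.append(pending[pid].pop(0) + (rep.group(1),))
    for queue in pending.values():  # log ended before the server answered
        outcomes.extend(entry + ("NO_REPLY",) for entry in queue)
    return outcomes

def refused_requests(lines):
    """Return (pid, channel, request type) for every refused request."""
    return [(pid, chan, kind) for pid, chan, kind, result
            in channel_request_outcomes(lines) if result == "FAILURE"]
```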
Connection refused on Windows Server 2012 R2 #864
tarmizee commented Aug 29, 2017
I am setting up OpenSSH on Windows Server 2012 R2. The version of the OpenSSH that I am using:
OpenSSH_7.5p1, LibreSSL 2.5.3
It seems when I try to SSH to the target server using cmd.exe, putty or winscp I keep getting the error «Error: network error: Connection to “target server” refused»
Here is my configuration file
[sshd_config]
sshd_config.txt
Here is my error from sshd.log:
sshd.txt
I have tried the following step to fix the issue but failed to resolve the issue:
Appreciate some guidance to me to fix the issue.
Thanks and Best Regards
Tarmizee
bagajjal commented Aug 29, 2017
Your host keys don’t have the right permissions. Register host keys with the ssh-agent as mentioned in the installation page.
bagajjal commented Aug 29, 2017
tarmizee commented Aug 29, 2017
I restarted the ssh-agent and sshd services. It seems the same error still appears. Attached is the latest error.
sshd.txt
Let me know what I should check next.
Thanks and Best Regards
Tarmizee
tarmizee commented Aug 29, 2017
@bagajjal
Apologize, attached is the latest error log:
sshd_1529.txt
bagajjal commented Aug 29, 2017
FYI, sshd expects the private host key files to be accessible only to «sshd», «system» and «administrators group (not administrator account)». If you open the advanced security settings, it should look like this:
tarmizee commented Aug 30, 2017
Thanks for your further support and advice regarding the error will keep warning.
I need further advice regarding connection refused. I did further tests using putty, cmd and WinSCP:
I am not sure if there is a further setting that I need to add to the openssh or the client tool itself.
Thanks and Best Regards
Tarmizee
bagajjal commented Aug 30, 2017
Please share the sshd.log and sshd_config.
tarmizee commented Aug 30, 2017
Attached is the sshd.log and sshd_config
sshd_config.txt
sshd.zip
Thanks and Best Regards
Tarmizee
bagajjal commented Aug 30, 2017
Looks like sshd is not getting the hostkey from the ssh-agent.
4596 08:52:54:525 fatal: sshd_hostkey_sign: ssh_agent_sign failed: agent refused operation
Do you have ssh-agent running?
else, net start ssh-agent from elevated cmd.exe.
Please move the private host keys to a different directory so that the error log will be minimal and it is easy to debug.
tarmizee commented Aug 30, 2017
Yes, the ssh-agent is running. I performed step a) to c) and received the following message:
The agent has no identities.
Let me know other checking that you require me to perform.
Thanks and Best Regards
Tarmizee
bagajjal commented Aug 30, 2017 •
This confirms that host keys are not registered with the ssh-agent.
Move the private host key files to a different directory.
Leave the public host key files (.pub extension) in the same directory as sshd.
tarmizee commented Aug 30, 2017
Thanks for the step of investigation
I performed the step 1 and 2. It seems the result at step 2 return with «The agent has no identities.»
ssh_add_error.docx
Thanks and Best Regards
Tarmizee
bagajjal commented Aug 30, 2017 •
My bad, ssh-add.exe didn’t register with the ssh-agent because of a host-key permission issue.
After running this, try to register using ssh-add.exe to confirm the permissions are fixed properly.
If you still have issues, then fix manually. Advanced security options for your private host key should look like this:
a) right click private host key file.
b) security tab
c) Advanced button
d) permissions tab
e) Make sure Owner field is set to «system» or «administrators group»
If you still have issues, then please send the screen shot of the advanced security options that looks like the one above..
tarmizee commented Aug 30, 2017
Thanks for your further support.
I performed FixHostFilePermissions.ps1. Attached is the screenshot. I am not sure whether the error message that appeared in the shell can be ignored or not. Please advise.
fixhostfilepermission.docx
Thanks and Best Regards
Tarmizee
bagajjal commented Aug 30, 2017
Permissions were not set properly by the script.
Please set the permissions manually as described in my previous reply. The owner must be one of these (system, sshd, administrators group)
tarmizee commented Aug 30, 2017
Thanks for your support. I performed a reinstallation using a domain administrator user and the issue is resolved. It seems using a domain administrator to do the installation provided the correct permissions to those keys.
Error (The connection to the specified remote host was refused) when you try to start Exchange Management Shell or Exchange Management Console
Original KB number: 2027064
Symptoms
When you try to start Exchange Management Shell (EMS) or Exchange Management Console (EMC) on a computer that is running Microsoft Exchange Server 2010, Microsoft Exchange Server 2013, or Microsoft Exchange Server 2016, you receive the following error message:
The connection to the specified remote host was refused. Verify that the WS-Management service is running on the remote host and configured to listen for requests on the correct port and HTTP URL. For more information, see the about_Remote_Troubleshooting Help topic.
Cause
This problem occurs because one or more of the following conditions are true:
Resolution
To resolve this problem, use one of the following methods:
Make sure that the MSExchangePowerShellAppPool application pool is running. If the pool is running, try to recycle it. Then, check for errors or warnings in the event logs.
Make sure that the user who is trying to connect has Remote PowerShell Enabled status. To determine whether a user is enabled for Remote PowerShell, start Exchange Management Shell by using an account that has been enabled, and then run the following query:
This query returns a response of True or False. If the response is False, the user is not enabled for Remote PowerShell. To enable the user, run the following command:
Make sure that WinRM is configured correctly on the server. To do this, follow these steps:
Run WinRM QuickConfig. To do this, click Start, type WinRM QuickConfig in the Start Search box, and then press ENTER.
Make sure that both tests pass and that no actions are required. If any actions are required, click Yes in the prompt window to allow the WinRM configuration changes to be made.
Click Start, type cmd in the Start Search box, and then press ENTER. In the Command Prompt window, type WinRM enumerate winrm/config/listener at the command prompt, and then press ENTER.
Make sure that a listener exists for the HTTP protocol on port 5985, and that the listener is listening on all addresses.
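The last step can be checked mechanically. The following is an added example, not part of the Microsoft article: it parses saved output of WinRM enumerate winrm/config/listener and reports why no HTTP listener meets the two conditions above. The function names and both sample outputs are constructed, and the addresses in them are placeholders.

```python
# Constructed samples in the layout printed by
# `winrm enumerate winrm/config/listener`; addresses are placeholders.
GOOD = """\
Listener
    Address = *
    Transport = HTTP
    Port = 5985
    Hostname
    Enabled = true
    URLPrefix = wsman
    CertificateThumbprint
    ListeningOn = 10.0.0.5, 127.0.0.1, ::1
"""
BAD = GOOD.replace("Address = *", "Address = IP:10.0.0.5")


def parse_listeners(text):
    """Turn the enumerate output into one dict per Listener block."""
    blocks = []
    for raw in text.splitlines():
        if not raw.strip():
            continue
        if not raw[0].isspace():          # unindented line starts a new block
            blocks.append({} if raw.startswith("Listener") else None)
        elif blocks and blocks[-1] is not None:
            key, _, value = raw.partition("=")   # bare keys get an empty value
            blocks[-1][key.strip()] = value.strip()
    return [block for block in blocks if block is not None]


def http_listener_findings(text, port="5985"):
    """Return [] when an HTTP listener on `port` is bound to all addresses."""
    http = [item for item in parse_listeners(text)
            if item.get("Transport", "").upper() == "HTTP"]
    if not http:
        return ["no HTTP listener found"]
    findings = []
    for listener in http:
        if listener.get("Port") != port:
            findings.append(
                f"HTTP listener uses port {listener.get('Port')}, not {port}")
        elif listener.get("Address") != "*":
            findings.append(f"HTTP listener on port {port} is bound to "
                            f"{listener.get('Address')}, not all addresses (*)")
        else:
            return []                     # one listener meets both conditions
    return findings
```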
How to enable Windows Remote Shell
This article helps you enable Windows Remote Shell.
Original product version: Windows Server 2003
Original KB number: 555966
This article was written by Yuval Sinay, Microsoft MVP.
To enable Windows Remote Shell, you need to deploy the server-side and client-side settings:
Server Side
In this article, «server» means the Windows host that the remote management shell connects to.
Log into the Windows console.
Optional (when Windows Vista serves as the remote server): Start the «Windows Remote Management» service and set it to start automatically after reboot.
At the command prompt, type WinRM quickconfig and press Enter.
The following output should appear:
After pressing the y button, the following output should appear:
We recommend that you change the default settings via the winrm.cmd command (for example, to enable HTTPS support).
Windows Remote Shell uses SOAP. Some firewalls may block SOAP traffic. For more information, see the vendor documentation.
Client Side
Example: To review the remote file system, run the following command:
In a Windows workgroup environment, you need to add a trust for the server that the client connects to by using the command winrm set winrm/config/client @