CSIH SSH setup-script problems on W81-64

classic Classic list List threaded Threaded
1 message Options
Reply | Threaded
Open this post in threaded view
|

CSIH SSH setup-script problems on W81-64

PolarStorm
This post has NOT been accepted by the mailing list yet.
Dear Cygwin developers,

I have happily used Cygwin for years, and I'm very impressed by all the
work and improvements that have been done to the Cygwin distribution
lately.

However, recently I tried to install SSH using Cygwin on a Windows 8.1
machine. This was in no way as easy as I hoped it would be. In my search
for solutions to strange behavior and answers to various questions, I
had to dig further into the various scripts used by Cygwin to setup SSH.
While doing this, I've come across several issues, questions and some
bugs.

Since this is my first time posting to this email-list/forum, I better
apologize in advance in case my formatting is not appearing as it should
and does on my side.


There seem to be a few issues in the
cygwin-service-installation-helper.sh script, when used in combination
with the Cygwin OpenSSH installation scripts: ssh-host-config,
ssh-user-config. So here are some suggestions for improvements and
solutions.

(1) Default Windows 8/8.1 password expiration is 42 days, this is not
dealt with, when creating the unpriv_user "sshd" (by default). Thus this
account's password will expire after 42 days from installation. See
below for various solutions. [Use "net accounts" to check system
default.]

(2) Since Windows now tell us that the user account "sshd" has a
password, it would be very interesting to know what it is? Especially
since we were never asked to enter any! [Use "net user sshd" to check.]

(3) The informational messages from the "sshd-host-config" script is
easily overseen by non-expert users. For example, in the text snip:

 *** Info: In particular, for the sshd server all users' .ssh/authorized_keys
 *** Info: files must have appropriate permissions to allow public key
 *** Info: authentication. (Re-)running ssh-user-config for each user will set
 *** Info: these permissions correctly. [Similar restrictions apply, for

Need to clarify:

 (a) What exactly should those permissions be?
 (b) The non-experienced user may miss the fact that "ssh-user-config"
     is different from "ssh-host-config", especially when using the
     expression "(Re-)running". It is apparent from the multitude of
     Cygwin SSH related questions on various Stackoverflow associated forums,
     that the user NEVER run "ssh-user-config" from their wanted Windows
     ssh-enabled accounts. They either never read this text, or they confused
     the two scripts or they simply forgot. Either way we could make the end
     of the text more strong. Perhaps something like:

 ...
 *** Info: The sshd service has been installed under the 'cyg_server'
 *** Info: account.  To start the service now, call `net start sshd' or
 *** Info: `cygrunsrv -S sshd'.  Otherwise, it will start automatically
 *** Info: after the next reboot.

 *** Info: Host configuration finished.

 *** ================================================================
 *** Warning: To properly enable your SSH account you must now login
 *** with the Windows user account for which you want to use SSH.
 *** Then open a Cygwin shell in Administrator mode (right click)
 *** and run the "ssh-user-config" script.
 *** ================================================================

     In either case, it is needed for user accounts which are only
     to be used for SSH access. I.e. they have to have a valid Cygwin
     $HOME, which can be (most simply) obtained by logging into account
     and opening a Cygwin shell for the first time.

 (c) A recent experiment (on W8.1) has just confirmed that running the
     "ssh-user-config" script or first time account login, is not necessary
     for new Windows accounts. After adding user to /etc/passwd, and just
     accessing the new account remotely with SSH opens a bash shell,
     that copies all skeleton files and you're good to go. So the other
     option would be to just leave out that confusing text snip (above).


(4) It would help the user immensely if the script also told the user:

(a) What changes are being (or was) made to the /etc/sshd_config file.
(b) What (Windows) permissions are needed for the "cyg_server", "sshd"
    and SSH enabled Windows user accounts. I.e the correct output of:
    editrights.exe -l -u cyg_server


(5) In addition it is very unclear to the average Cygwin users:

(a) Why the "ssh-host-config" script need to create TWO new
    Windows user accounts?
(b) Why these should not be used for logging into Windows with SSH?
(c) That if they want to use SSH with a password to login to a Windows
    account that is NOT using a password, they need to create a third (!)
    Windows account (that has a password). This is in no way easy to
    understand, even for experts. (And in case you have a solution
    that I have not understood or is not aware of, you should make this
    part of the Cygwin FAQ, or somewhere where people can actually find it.)


(6) Some code peculiarities + possible bugs.

-------------------------------------------
cygwin-service-installation-helper.sh:2932:
-------------------------------------------
csih_call_winsys32 net user "${unpriv_user}" /add /fullname:"${unpriv_user} privsep" \
"/homedir:${dos_var_empty}" /active:no > /dev/null 2>&1 && unpriv_user_in_sam=yes

- Take out "/homedir:" from quotation to match style/aesthetics of rest of the line.
- Make sure the "sshd" password never expires using one of the methods:

(a) By setting the default Windows maximum password age to "unlimited":
        net accounts /maxpwage:unlimited        (or 0-999)
(b) By setting individual user password expiration to "false", using Windows:
        wmic path Win32_UserAccount where Name='sshd' set PasswordExpires=false
(c) By setting individual user password expiration to "false", using Cygwin:
        passwd.exe -e sshd

-------------------------------------------
ssh-host-config:169:
-------------------------------------------
/usr/bin/sed -e "s/^#UsePrivilegeSeparation yes/UsePrivilegeSeparation ${privsep_used}/

- Is never executed, because of a new (?) OpenSSH /etc/sshd_config default setting as:
  "UsePrivilegeSeparation sandbox    # Default for new installations."

- Clarify what "sandbox" does and how it influences Cygwin, if at all?
-------------------------------------------



Other (un-related to this thread) Cygwin issues:

PASSWD: The Cygwin implementation of "passwd" is presenting results
which are "negated", resulting in less clear output. I'm a fond opponent
of using "double negation" in language, and especially as defaults in
computing syntax/context. (Or should I say that I'm a fond proponent of
not using negated expressions when the default or most common
expressions are not positive. :)

For example:

$ passwd.exe -S cyg_server
---------------------------------------
Account disabled           : no
Password not required      : no
User can't change password : no
Password never expires     : yes
Password expired           : no
Latest password change     : Sat Mar  1 23:32:51 2014
...
---------------------------------------

The preferred way of writing this would be:

---------------------------------------
Account is enabled         : yes
Password is required       : yes
Password change is allowed : yes
Password will expire       : no
Password has expired       : no
Latest password change     : Sat Mar  1 23:32:51 2014
...
---------------------------------------



FWIW, this is my system:
-----------------------------------------------------------
OS Name:               Microsoft Windows 8.1
OS Version:            6.3.9600 N/A Build 9600
System Manufacturer:   ASUSTeK COMPUTER INC.
System Model:          X550LB
System Type:           x64-based PC
Processor(s):          1 Processor(s) Installed.
[01]: Intel64 Family 6 Model 69 Stepping 1 GenuineIntel ~2301 Mhz

CYGWIN_NT-6.3 xxxx 1.7.28(0.271/5/3) 2014-02-09 21:06 x86_64 Cygwin
openssh 6.5p1-1
-----------------------------------------------------------

Best regards,
Gene