Silently configure sshd fails via system account

Silently configure sshd fails via system account

Paul Griffith
Hi,

I am using a software package called WPKG (wpkg.org) to silently deploy Cygwin and then configure SSHD. The Cygwin installation works like a charm. Configuring sshd is another story. If I run my script from an admin command prompt, I am able to set up sshd. If I run that same script from WPKG, it fails. The only difference is that the WPKG agent runs as the SYSTEM user. I assume SCCM (Microsoft System Center Configuration Manager) users would have the same issue since their agent also runs as SYSTEM.

Any ideas other than pulling apart /usr/bin/ssh-host-config and trying to do this manually myself?

Here is some of the debugging I captured. Notice how the permissions at [0] and [1] don't match; I can't explain that one. Updating Cygwin doesn't solve my problem.

Windows 7 Enterprise x64 SP 1
2GB RAM
VirtualBox 4.3.6

======
before running ssh-host-config (wpkg)
touch /var/log/sshd.log
chmod 700 /var/empty
chown SYSTEM /var/empty
ls -lad /var/empty
[0] drwx------+ 1 SYSTEM Administrators 0 Feb 21 13:07 /var/empty

/usr/bin/ssh-host-config --yes --cygwin ntsec --user cyg_server --pwd blah

*** Info: Generating /etc/ssh_host_key
*** Info: Generating /etc/ssh_host_rsa_key
*** Info: Generating /etc/ssh_host_dsa_key
*** Info: Generating /etc/ssh_host_ecdsa_key
*** Info: Creating default /etc/ssh_config file
*** Info: Creating default /etc/sshd_config file
*** Info: Privilege separation is set to yes by default since OpenSSH 3.3.
*** Info: However, this requires a non-privileged account called 'sshd'.
*** Info: For more info on privilege separation read /usr/share/doc/openssh/README.privsep.
*** Query: Should privilege separation be used? (yes/no) yes
*** Warning: The owner and the Administrators need
*** Warning: to have r.x permission to /var/empty.
*** Warning: Here are the current permissions and ACLS:
[1] *** Warning:     drwxr-xr-x+ 1 SYSTEM Administrators 0 Feb 21 13:07 /var/empty
*** Warning:     # file: /var/empty
*** Warning:     # owner: SYSTEM
*** Warning:     # group: Administrators
*** Warning:     user::rwx
*** Warning:     group::r-x
*** Warning:     mask:rwx
*** Warning:     other:r-x
*** Warning:     default:user::rwx
*** Warning:     default:group::r-x
*** Warning:     default:other:r-x
*** Warning: Please change the user and/or group ownership,
*** Warning: permissions, or ACLs of /var/empty.

*** ERROR: Problem with /var/empty directory. Exiting.
----

I call my script like the following:
start /wait %CYGWIN_ROOT%\bin\bash.exe --login -i /cygdrive/c/windows/temp/config-sshd-win7.sh "%cyg_server_passwd%"


config-sshd-win7.sh script:
------snip------
#!/bin/sh

echo running ssh-host-config

if [ -f /cygdrive/c/netinst/logs/ssh-host-config.log ]; then
        rm -f /cygdrive/c/netinst/logs/ssh-host-config.log
fi


echo before ssh-host-config > /cygdrive/c/netinst/logs/ssh-host-config.log

#setup permissions and ownership of files
echo setting up permissions

echo touch /var/log/sshd.log >> /cygdrive/c/netinst/logs/ssh-host-config.log
touch /var/log/sshd.log >> /cygdrive/c/netinst/logs/ssh-host-config.log

if [ ! -d /var/empty ]; then
   mkdir /var/empty
fi

#echo chown system /var/log/sshd.log /var/empty /etc/ssh_h* >> /cygdrive/c/netinst/logs/ssh-host-config.log
chown system /var/log/sshd.log /var/empty /etc/ssh_h* >> /cygdrive/c/netinst/logs/ssh-host-config.log

#echo chmod 700 /var/empty >> /cygdrive/c/netinst/logs/ssh-host-config.log
chmod 700 /var/empty >> /cygdrive/c/netinst/logs/ssh-host-config.log

#the echoed command line deliberately leaves out the password held in "$1"
echo /usr/bin/ssh-host-config --yes --cygwin ntsec --user cyg_server --pwd   >> /cygdrive/c/netinst/logs/ssh-host-config.log
/usr/bin/ssh-host-config --yes --cygwin ntsec --user cyg_server --pwd "$1" >> /cygdrive/c/netinst/logs/ssh-host-config.log

echo after ssh-host-config >> /cygdrive/c/netinst/logs/ssh-host-config.log
echo ls -lad /var/empty >> /cygdrive/c/netinst/logs/ssh-host-config.log
ls -lad /var/empty >> /cygdrive/c/netinst/logs/ssh-host-config.log

#Denies the service account logon through Remote Desktop Services
#(SeDenyRemoteInteractiveLogonRight), so it can only be used to run the service.
editrights -a SeDenyRemoteInteractiveLogonRight -u cyg_server

echo listing services: cygrunsrv -L >> /cygdrive/c/netinst/logs/ssh-host-config.log
cygrunsrv -L >> /cygdrive/c/netinst/logs/ssh-host-config.log

echo starting sshd: cygrunsrv -S sshd >> /cygdrive/c/netinst/logs/ssh-host-config.log
cygrunsrv -S sshd


echo cd "/home/Administrator" >> /cygdrive/c/netinst/logs/ssh-host-config.log
chmod 750 /home/Administrator
cd /home/Administrator

echo mkdir .ssh >> /cygdrive/c/netinst/logs/ssh-host-config.log
mkdir .ssh

echo chmod 700 .ssh >> /cygdrive/c/netinst/logs/ssh-host-config.log
chmod 700 .ssh
ls -lad .ssh >> /cygdrive/c/netinst/logs/ssh-host-config.log

#copy the site's authorized_keys from the deployment share
echo cp //xxxxx/xxx/site/ssh/authorized_keys .ssh/authorized_keys >> /cygdrive/c/netinst/logs/ssh-host-config.log
cp //xxxx/xxxx/site/ssh/authorized_keys .ssh/authorized_keys >> /cygdrive/c/netinst/logs/ssh-host-config.log

echo ls -l .ssh/authorized_keys >> /cygdrive/c/netinst/logs/ssh-host-config.log
ls -l .ssh/authorized_keys >> /cygdrive/c/netinst/logs/ssh-host-config.log

echo chmod 644 .ssh/authorized_keys >> /cygdrive/c/netinst/logs/ssh-host-config.log
chmod 644 .ssh/authorized_keys
ls -l .ssh/authorized_keys >> /cygdrive/c/netinst/logs/ssh-host-config.log

#regenerate the Cygwin passwd/group entries from the local SAM
mkpasswd -l >> /etc/passwd
mkgroup -l >> /etc/group
-------snip------

Thank You
Paul



--
Problem reports:       http://cygwin.com/problems.html
FAQ:                   http://cygwin.com/faq/
Documentation:         http://cygwin.com/docs.html
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple


Re: Silently configure sshd fails via system account

Larry Hall (Cygwin)
On 2/21/2014 3:48 PM, Paul Griffith wrote:

> Hi,
>
> I am using a software package called WPKG (wpkg.org) to silently deploy
> Cygwin and then configure SSHD. The Cygwin installation works like a
> charm. Configuring sshd is another story. If I run my script from an admin
> command prompt, I am able to set up sshd. If I run that same script from WPKG,
> it fails. The only difference is that the WPKG agent runs as the SYSTEM
> user. I assume SCCM (Microsoft System Center Configuration Manager) users
> would have the same issue since their agent also runs as SYSTEM.
>
> Any ideas other than pulling apart /usr/bin/ssh-host-config and trying
> to do this manually myself?

Configuring sshd can be tricky.  There are plenty of failure paths so it's
best not to step off known paths to success unless you're willing to blaze
a new successful trail.  With that in mind, why not run WPKG under an
account that is known to successfully install Cygwin in the normal way?
This may be close enough to a known successful path to just work.

--
Larry

_____________________________________________________________________

A: Yes.
 > Q: Are you sure?
 >> A: Because it reverses the logical flow of conversation.
 >>> Q: Why is top posting annoying in email?


Re: Silently configure sshd fails via system account

Paul Griffith
On 02/21/2014 03:58 PM, Larry Hall (Cygwin) wrote:

> On 2/21/2014 3:48 PM, Paul Griffith wrote:
>> Hi,
>>
>> I am using a software package called WPKG (wpkg.org) to silently deploy
>> Cygwin and then configure SSHD. The Cygwin installation works like a
>> charm. Configuring sshd is another story. If I run my script from an admin
>> command prompt, I am able to set up sshd. If I run that same script from WPKG,
>> it fails. The only difference is that the WPKG agent runs as the SYSTEM
>> user. I assume SCCM (Microsoft System Center Configuration Manager) users
>> would have the same issue since their agent also runs as SYSTEM.
>>
>> Any ideas other than pulling apart /usr/bin/ssh-host-config and trying
>> to do this manually myself?
>
> Configuring sshd can be tricky.  There are plenty of failure paths so it's
> best not to step off known paths to success unless you're willing to blaze
> a new successful trail.  With that in mind, why not run WPKG under an
> account that is known to successfully install Cygwin in the normal way?
> This may be close enough to a known successful path to just work.
>

Thanks Larry,

   I have a few options to try. I will post them to help others, if I achieve some measure of success.

Best Regards,
Paul



Re: Silently configure sshd fails via system account

Lord Laraby
I am also having serious issues with sshd-host-config. I ran it right
from the command line, from the built-in administrator account. It
failed to start with no message in the Event Log. But, the
/var/log/sshd.log said none of the keys were properly secured and
refused them all. I chmod'ed them all, tried again, failed again. This
time  it was that /var/empty was wrong. I had just gotten done
installing cygserver, so it was no surprise that cygserver (who had
permission to /var/empty before sshd-host-config) no longer had any
permissions. It was already started, however. So, I check and it was
owned by 'sshd' and group 'Administrator'.

The problem was that the config program never set the required
permissions. The message was "/var/empty must be owned by root and not
group or world-writable." Nice, there is no 'root', so I renamed
Administrator to root. Still no go. So, I changed the permissions to
be very strict (700). You'd think that would fix it?

Nope. So, I thought maybe it wants group 'root', too. So, I renamed
Administrator in /etc/groups to root. Still, not working and same
message.

I then was getting all kinds of weird messages from 'ls' about
group-id conflicts. It's getting worse, I thought. Short of removing
everything and starting over, I rebuilt /etc/passwd and /etc/group with
mkpasswd and mkgroup. Then, I changed the owners to sshd again and
group Administrators with mode 600. It fails again.

I thought, "maybe I need to use elevated cygwin, rather than
Administrator account." So, I tried all those steps with that account.
Locked myself out of the /var/empty directory so I had to take
ownership and start all over.

I cannot understand how to do what it wants in order to start. Any
help would be appreciated. I can send cygcheck.out if desired. This is
Windows 8.1 ver 6.3 -- 64-bit. Cygwin (64-bit) is installed in a USB
hard drive K:\cygwin and I recently did an update by running setup and
not selecting anything new. I have run sshd successfully on Win7
computers and older. This is a new one for me.


Re: Silently configure sshd fails via system account

Henry S. Thompson
Lord Laraby writes:

> I cannot understand how to do what it wants in order to start. Any
> help would be appreciated. I can send cygcheck.out if desired. This is
> Windows 8.1 ver 6.3 -- 64-bit. Cygwin (64-bit) is installed in a USB
> hard drive K:\cygwin and I recently did an update by running setup and
> not selecting anything new. I have run sshd successfully on Win7
> computers and older. This is a new one for me.

Same platform as you.  Here are my (possibly relevant) data for
comparison:

> ls -ld /var/empty
drwxr-xr-x+ 1 cyg_server root 0 Jan  3 11:36 /var/empty/
> egrep cyg_server /etc/passwd
cyg_server:unused:1003:513:Privileged
server,U-luther\cyg_server,S-1-5-21-3264347833-3381411623-2398912269-1003:/var/empty:/bin/bash
> egrep root /etc/group
root:S-1-5-32-544:0:
> egrep S-1-5-32-544 /etc/passwd
Administrators:*:544:544:,S-1-5-32-544::

ht
--
       Henry S. Thompson, School of Informatics, University of Edinburgh
      10 Crichton Street, Edinburgh EH8 9AB, SCOTLAND -- (44) 131 650-4440
                Fax: (44) 131 650-4587, e-mail: [hidden email]
                       URL: http://www.ltg.ed.ac.uk/~ht/
 [mail from me _always_ has a .sig like this -- mail without it is forged spam]


Re: Silently configure sshd fails via system account

Lord Laraby
That's interesting. sshd-host-config gave me only sshd as a privileged
user name, cyg_server is already taken by a non-privileged user
connected to the cygserver service.
Also, at no time does mkgroup create a group called root. I tried
that, but it screwed everything up. Of course, I used Administrators
actual group 513, not 544. I will fiddle with /etc/group and see what
I can come up with.
As far as the user name, if it requires cyg_server (not sshd), then I
have a serious issue with the other cygwin install as a service tool,
"cygserver."
The permissions on /var/empty failed every time. I tried 755, 744, 711,
700, 655, 644, 611, and even 600. No dice.
This is the var/empty listing:
master@primaryserver ~
$ ls -ld /var/empty
drw-------+ 1 Administrators None 0 Mar 17 13:52 /var/empty

I also tried this:
master@primaryserver ~
$ ls -ld /var/empty
drw-------+ 1 sshd None 0 Mar 17 13:52 /var/empty
master@primaryserver ~
$ cygrunsrv -S sshd
cygrunsrv: Error starting a service: QueryServiceStatus:  Win32 error 1062:
The service has not been started.


On Mon, Mar 17, 2014 at 5:56 PM, Henry S. Thompson <[hidden email]> wrote:

> Lord Laraby writes:
>
>> I cannot understand how to do what it wants in order to start. Any
>> help would be appreciated. I can send cygcheck.out if desired. This is
>> Windows 8.1 ver 6.3 -- 64-bit. Cygwin (64-bit) is installed in a USB
>> hard drive K:\cygwin and I recently did an update by running setup and
>> not selecting anything new. I have run sshd successfully on Win7
>> computers and older. This is a new one for me.
>
> Same platform as you.  Here are my (possibly relevant) data for
> comparison:
>
>> ls -ld /var/empty
> drwxr-xr-x+ 1 cyg_server root 0 Jan  3 11:36 /var/empty/
>> egrep cyg_server /etc/passwd
> cyg_server:unused:1003:513:Privileged
> server,U-luther\cyg_server,S-1-5-21-3264347833-3381411623-2398912269-1003:/var/empty:/bin/bash
>> egrep root /etc/group
> root:S-1-5-32-544:0:
>> egrep S-1-5-32-544 /etc/passwd
> Administrators:*:544:544:,S-1-5-32-544::
>
> ht


Re: Silently configure sshd fails via system account

Lord Laraby
Oh, and sshd's entry in /etc/passwd is:
sshd:unused:1008:513:sshd
privsep,U-primaryserver\sshd,S-1-5-21-3985440655-1503118989-471546470-1008:/cygdrive/k/Cygwin/var/empty:/bin/bash
The service control manager says sshd is the user and the password is
the one I gave it. The error in sshd.log is:

/var/empty must be owned by root and not group or world-writable.
/var/empty must be owned by root and not group or world-writable.
... about 12 more lines like this ...
/var/empty must be owned by root and not group or world-writable.
/var/empty must be owned by root and not group or world-writable.

The above represents the many attempts to give /var/empty the proper
permissions. Believe me, I've used Linux for years and I'm a software
engineer. If this has me stumped, then I need to turn in my keys and
quit the computer world.


Re: Silently configure sshd fails via system account

Lord Laraby
Followup. I changed everything: permissions on /var/empty, group name;
everything now matches your setup (except user name and RID). Still
fails with the same message.


Re: Silently configure sshd fails via system account

Lord Laraby
Okay, I figured out the whole issue. The script suggested
non-privileged user sshd as the service user. I allowed that and the
user was created. However, the issues the script messed up are:
1) The account was never activated - "net user sshd /active:yes" had
to be run at the command line.
2) All of the keys had permissions given to user cyg_server (which is
actually another service with different needs).
3) the /var/empty file ownership was changed to sshd (stolen from
cyg_server which also had that assigned home directory.) So, that was
correct but wrong.
4) The /var/log/sshd.log ownership was given to cyg_server (who does
not write to that log.) the cygserver.log is owned by SYSTEM!!! I do
not know why.
5) Permission modes were wrong on every file.

These were all set up by the cygwin script; all I did was answer 'yes'
to each question and provide sshd a password (twice).

This might warrant a check by the maintainer.
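Added example, not code from the thread: an offline pre-flight audit of the ownership and mode rules behind the "/var/empty must be owned by root" and "UNPROTECTED PRIVATE KEY FILE" messages quoted in this thread (the first post's [0]/[1] mismatch and items 3 and 5 of the list above), written as POSIX sh so a silent deployment can report why sshd would refuse to start before it runs `cygrunsrv -S sshd`. The sample listings are constructed from the posts' output; the cyg_server default, the `ls -l` field layout and the function names are assumptions.

```shell
#!/bin/sh
# Added pre-flight audit (not part of the thread): check the ownership
# and mode rules sshd enforces on its privsep directory and host keys
# against `ls -l` listings, so a silent deployment can say *why* sshd
# would refuse to start.  Assumed `ls -l` field layout (Cygwin):
#   mode links owner group size month day time path
# A trailing '+' on the mode means a Windows ACL is present; the mode
# string is then only a summary, and `getfacl` shows the real entries
# (that is what the [0]/[1] mismatch in the first post is about).

# Character at 1-based position $2 of string $1.
mode_char() {
    printf '%s' "$1" | cut -c"$2"
}

# Privsep chroot (/var/empty): must be a directory owned by the account
# the sshd service runs under ("root" in the OpenSSH message; cyg_server
# by default on Cygwin), with owner r-x and no group/world write bit.
#   $1 = one `ls -ld` line, $2 = expected service account
check_privsep_dir() {
    listing=$1
    want=$2
    set -- $listing
    mode=$1
    owner=$3
    case "$mode" in
        d*) ;;
        *)  echo "privsep: not a directory ($mode)" >&2; return 1 ;;
    esac
    if [ "$owner" != "$want" ]; then
        echo "privsep: owned by $owner, sshd service account is $want" >&2
        return 1
    fi
    if [ "$(mode_char "$mode" 2)" != r ] || [ "$(mode_char "$mode" 4)" != x ]; then
        echo "privsep: owner lacks r-x ($mode)" >&2
        return 1
    fi
    if [ "$(mode_char "$mode" 6)" = w ] || [ "$(mode_char "$mode" 9)" = w ]; then
        echo "privsep: group or world writable ($mode)" >&2
        return 1
    fi
    echo "privsep: ok ($mode $owner)" >&2
    return 0
}

# Host private key: sshd ignores it unless every group/other bit is clear
# (the 0660 keys in the thread were rejected for exactly this).
#   $1 = one `ls -l` line
check_hostkey() {
    set -- $1
    mode=$1
    shift 8
    path=$*
    case "$mode" in
        -???------*) echo "hostkey: ok $path ($mode)" >&2; return 0 ;;
        *)           echo "hostkey: $path too open ($mode); needs 0600" >&2; return 1 ;;
    esac
}

# Constructed sample listings, modelled on the posts above.
GOOD_DIR='drwxr-xr-x+ 1 cyg_server root 0 Jan  3 11:36 /var/empty/'
BAD_DIR='drw-------+ 1 sshd None 0 Mar 17 13:52 /var/empty'
OPEN_KEY='-rw-rw---- 1 cyg_server Administrators 1679 Mar 17 13:52 /etc/ssh_host_rsa_key'
TIGHT_KEY='-rw------- 1 cyg_server Administrators 1679 Mar 17 13:52 /etc/ssh_host_rsa_key'

# Run every check on the samples; prints the number of failures (2 here).
audit_samples() {
    fails=0
    check_privsep_dir "$GOOD_DIR" cyg_server || fails=$((fails + 1))
    check_privsep_dir "$BAD_DIR" cyg_server  || fails=$((fails + 1))
    check_hostkey "$TIGHT_KEY"               || fails=$((fails + 1))
    check_hostkey "$OPEN_KEY"                || fails=$((fails + 1))
    printf '%s\n' "$fails"
}

# Live mode (on the Cygwin host): sh audit.sh --live [service-account]
# Exit status is the number of failed checks, so 0 means sshd may start.
if [ "${1-}" = "--live" ]; then
    fails=0
    check_privsep_dir "$(ls -ld /var/empty)" "${2:-cyg_server}" || fails=$((fails + 1))
    for key in /etc/ssh_host_*_key; do
        if [ -f "$key" ]; then
            check_hostkey "$(ls -l "$key")" || fails=$((fails + 1))
        fi
    done
    exit "$fails"
fi
```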


Re: Silently configure sshd fails via system account

Henry S. Thompson
In reply to this post by Lord Laraby
Lord Laraby writes:

> That's interesting. sshd-host-config gave me only sshd as a privileged
> user name, cyg_server is already taken by a non-privileged user
> connected to the cygserver service.
> Also, at no time does mkgroup create a group called root.

That suggests an earlier (Cygwin-install-time) error, doesn't it?

I should have said I did exactly _no_ group/permission by-hand
fiddling to get the setup I sent.  All happened auto-magically as a
result of basic install.  Looking at my download area, I see I
installed cygwin, cygrunsrv and openssh all as part of my initial
install.  I can't immediately detect any sign of what initialisations
ran in what order -- /etc/sshd_config was built about an hour after
the downloads. . .

ht
--
       Henry S. Thompson, School of Informatics, University of Edinburgh
      10 Crichton Street, Edinburgh EH8 9AB, SCOTLAND -- (44) 131 650-4440
                Fax: (44) 131 650-4587, e-mail: [hidden email]
                       URL: http://www.ltg.ed.ac.uk/~ht/
 [mail from me _always_ has a .sig like this -- mail without it is forged spam]

--
Problem reports:       http://cygwin.com/problems.html
FAQ:                   http://cygwin.com/faq/
Documentation:         http://cygwin.com/docs.html
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple

Reply | Threaded
Open this post in threaded view
|

Re: Silently configure sshd fails via system account

Lord Laraby
In reply to this post by Lord Laraby
Oh and I forgot the most intriguing gotcha. After creating the sshd
user for me (I went to service manager and discovered this) the user
assigned to the sshd server was actually cyg_server (not sshd)!!!!!
After changing all of those things the service started.


Re: Silently configure sshd fails via system account

Lord Laraby
In reply to this post by Henry S. Thompson
On Mon, Mar 17, 2014 at 7:22 PM, Henry S. Thompson  wrote:
> I should have said I did exactly _no_ group/permission by-hand
> fiddling to get the setup I sent.  All happened auto-magically as a
> result of basic install.  Looking at my download area, I see I
> installed cygwin, cygrunsrv and openssh all as part of my initial
> install.  I can't immediately detect any sign of what initialisations
> ran in what order -- /etc/sshd_config was built about an hour after
> the downloads. . .
>
> ht

I should have said, I've had those tools installed with my original
install of cygwin, but I just never activated them until today. As far
as creating a group "root", I have never seen cygwin do that
automagically. New thing?

By the way, see my previous post about what I had to do to fix the
setup the script made for me.


Re: Silently configure sshd fails via system account

Larry Hall (Cygwin)
In reply to this post by Henry S. Thompson
On 3/17/2014 7:22 PM, Henry S. Thompson wrote:

> Lord Laraby writes:
>
>> That's interesting. sshd-host-config gave me only sshd as a privileged
>> user name, cyg_server is already taken by a non-privileged user
>> connected to the cygserver service.
>> Also, at no time does mkgroup create a group called root.
>
> That suggests an earlier (Cygwin-install-time) error, doesn't it?
>
> I should have said I did exactly _no_ group/permission by-hand
> fiddling to get the setup I sent.  All happened auto-magically as a
> result of basic install.  Looking at my download area, I see I
> installed cygwin, cygrunsrv and openssh all as part of my initial
> install.  I can't immediately detect any sign of what initialisations
> ran in what order -- /etc/sshd_config was built about an hour after
> the downloads. . .

Right.  '/etc/sshd_config' is built by 'ssh-host-config'.  It will create
the 'sshd' user for those requesting privilege separation and 'cyg-server'
as the privileged user to run the 'sshd' service under.  All this is done
as part of the 'ssh-host-config' script.  If this script isn't run, then
obviously the 'sshd' service won't start.  That's not to say that it will
always just start when 'ssh-host-config' is run.  But that's the intent
and the blueprint for debugging problems.



--
Larry


Re: Silently configure sshd fails via system account

Larry Hall (Cygwin)
In reply to this post by Lord Laraby
On 3/17/2014 7:28 PM, Lord Laraby wrote:

> On Mon, Mar 17, 2014 at 7:22 PM, Henry S. Thompson  wrote:
>> I should have said I did exactly _no_ group/permission by-hand
>> fiddling to get the setup I sent.  All happened auto-magically as a
>> result of basic install.  Looking at my download area, I see I
>> installed cygwin, cygrunsrv and openssh all as part of my initial
>> install.  I can't immediately detect any sign of what initialisations
>> ran in what order -- /etc/sshd_config was built about an hour after
>> the downloads. . .
>>
>> ht
>
> I should have said, I've had those tools installed with my original
> install of cygwin, but I just never activated them until today. As far
> as creating a group "root", I have never seen cygwin do that
> automagically. New thing?

No.  That's a message from the OpenSSH source that really isn't right
for Cygwin.  When you see 'root', think the user the 'sshd' server
runs under (i.e. 'cyg-server' if the default is used) for Cygwin.

--
Larry


Re: Silently configure sshd fails via system account

Andrey Repin
In reply to this post by Lord Laraby
Greetings, Lord Laraby!

> Oh and I forgot the most intriguing gotcha. After creating the sshd
> user for me (I went to service manager and discovered this) the user
> assigned to the sshd server was actually cyg_server (not sshd)!!!!!
> After changing all of those things the service started.

That's because the service is running as cyg_server, while the sshd user is used to
invoke login shells of connecting users.
You just messed it all up.


--
WBR,
Andrey Repin ([hidden email]) 18.03.2014, <03:42>

Sorry for my terrible English...



Re: Silently configure sshd fails via system account

Lord Laraby
On Mon, Mar 17, 2014 at 7:43 PM, Andrey Repin <> wrote:

> Greetings, Lord Laraby!
>
>> Oh and I forgot the most intriguing gotcha. After creating the sshd
>> user for me (I went to service manager and discovered this) the user
>> assigned to the sshd server was actually cyg_server (not sshd)!!!!!
>> After changing all of those things the service started.
>
> That's because the service is running as cyg_server, while the sshd user is used to
> invoke login shells of connecting users.
> You just messed it all up.
>
>
> --
> WBR,
> Andrey Repin ([hidden email]) 18.03.2014, <03:42>
>
> Sorry for my terrible English...
>
I did not change anything. As I said originally, after running
ssh-host-config, no changes on my part, I had a slew of errors. See my
original message. I do not change things on a whim. Service failed to
start, means just what it says!
Here is my original convo with cygwin:
$ ssh-host-config
[ ssh host config asks questions about did I want to install as a
service and privilege separation, and user account to be used.]
Host configuration finished. Have fun!
$ cygrunsrv -S sshd
[cygrunsrv: Error starting a service: OpenService:  Win32 error 1068:]
[message to the effect that something went wrong trying to start
(guessing because the scroll is now long gone)]

I immediately was concerned, as this script normally works.
I checked Event Log, and found this:

"The description for Event ID 0 from source sshd cannot be found.
Either the component that raises this event is not installed on your
local computer or the installation is corrupted. You can install or
repair the component on the local computer."

After googling I discovered there might still be a log. I read it. That
log is here:
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@         WARNING: UNPROTECTED PRIVATE KEY FILE!          @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
Permissions 0660 for '/etc/ssh_host_rsa_key' are too open.
It is required that your private key files are NOT accessible by others.
This private key will be ignored.
bad permissions: ignore key: /etc/ssh_host_rsa_key
Could not load host key: /etc/ssh_host_rsa_key
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@         WARNING: UNPROTECTED PRIVATE KEY FILE!          @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
Permissions 0660 for '/etc/ssh_host_dsa_key' are too open.
It is required that your private key files are NOT accessible by others.
This private key will be ignored.
bad permissions: ignore key: /etc/ssh_host_dsa_key
Could not load host key: /etc/ssh_host_dsa_key
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@         WARNING: UNPROTECTED PRIVATE KEY FILE!          @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
Permissions 0660 for '/etc/ssh_host_ecdsa_key' are too open.
It is required that your private key files are NOT accessible by others.
This private key will be ignored.
bad permissions: ignore key: /etc/ssh_host_ecdsa_key
Could not load host key: /etc/ssh_host_ecdsa_key
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@         WARNING: UNPROTECTED PRIVATE KEY FILE!          @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
Permissions 0660 for '/etc/ssh_host_ed25519_key' are too open.
It is required that your private key files are NOT accessible by others.
This private key will be ignored.
bad permissions: ignore key: /etc/ssh_host_ed25519_key
Could not load host key: /etc/ssh_host_ed25519_key
Disabling protocol version 2. Could not load host key
sshd: no hostkeys available -- exiting.
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@         WARNING: UNPROTECTED PRIVATE KEY FILE!          @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
Permissions 0660 for '/etc/ssh_host_rsa_key' are too open.
It is required that your private key files are NOT accessible by others.
This private key will be ignored.
bad permissions: ignore key: /etc/ssh_host_rsa_key
Could not load host key: /etc/ssh_host_rsa_key
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@         WARNING: UNPROTECTED PRIVATE KEY FILE!          @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
Permissions 0660 for '/etc/ssh_host_dsa_key' are too open.
It is required that your private key files are NOT accessible by others.
This private key will be ignored.
bad permissions: ignore key: /etc/ssh_host_dsa_key
Could not load host key: /etc/ssh_host_dsa_key
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@         WARNING: UNPROTECTED PRIVATE KEY FILE!          @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
Permissions 0660 for '/etc/ssh_host_ecdsa_key' are too open.
It is required that your private key files are NOT accessible by others.
This private key will be ignored.
bad permissions: ignore key: /etc/ssh_host_ecdsa_key
Could not load host key: /etc/ssh_host_ecdsa_key
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@         WARNING: UNPROTECTED PRIVATE KEY FILE!          @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
Permissions 0660 for '/etc/ssh_host_ed25519_key' are too open.
It is required that your private key files are NOT accessible by others.
This private key will be ignored.
bad permissions: ignore key: /etc/ssh_host_ed25519_key
Could not load host key: /etc/ssh_host_ed25519_key
Disabling protocol version 2. Could not load host key
sshd: no hostkeys available -- exiting.
/var/empty must be owned by root and not group or world-writable.

Not exactly working as intended. Now, I don't know a lot about the
internals of SSHD, but this seems like a cause for concern! I messed it
up? Show me where?

--
Problem reports:       http://cygwin.com/problems.html
FAQ:                   http://cygwin.com/faq/
Documentation:         http://cygwin.com/docs.html
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple


Re: Silently configure sshd fails via system account

Corinna Vinschen-2
On Mar 17 21:54, Lord Laraby wrote:

> On Mon, Mar 17, 2014 at 7:43 PM, Andrey Repin <> wrote:
> > Greetings, Lord Laraby!
> >
> >> Oh and I forgot the most intriguing gotcha. After creating the sshd
> >> user for me (I went to service manager and discovered this) the user
> >> assigned to the sshd server was actually cyg_server (not sshd)!!!!!
> >> After changing all of those things the service started.
> >
> > That's because service is running as cyg_server, while sshd user is used to
> > invoke login shells of connecting users.
> > You just messed it all.
> >
> >
> > --
> > WBR,
> > Andrey Repin ([hidden email]) 18.03.2014, <03:42>
> >
> > Sorry for my terrible english...
> >
> I did not change anything. As I said originally, after running
> ssh-host-config, no changes on my part, I had a slew of errors. See my
> original message. I do not change things on a whim. Service failed to
> start, means just what it says!
Nevertheless Andrey is right.  The sshd account is not meant to run the
service.  It's an unprivileged account used only in conjunction with
privilege separation.  The account you're supposed to run this under is
cyg_server, which is supposed to be a special account with more
privileges than a normal admin.  If you already have a cyg_server account,
it's utilized by default.  If the cyg_server account doesn't have the
required permissions, sshd is bound to fail.

The /etc/ssh* files as well as /var/empty are supposed to be owned by
the user account running sshd, which is cyg_server.  ssh-host-config
usually sets the permissions on these files accordingly.  The message
"/var/empty must be owned by root and not group or world-writable." is
generated by sshd and it's the right message for all other POSIX
systems, except Cygwin.  For Cygwin "root" here denotes the user running
sshd.  The reason the message doesn't reflect that is the unwillingness
of the upstream developers to change that just for the sake of Cygwin.
I've been asking for 10 years or so to convert certain checks for uid 0
into platform-independent privilege tests.  I even sent patches to that
effect, but to no avail.

My suggestion: Remove all files related to ssh from /etc.  Remove
/var/empty.  Remove the ssh logs from /var/log.  Remove the sshd
and cyg_server accounts from your SAM.  Drop both from /etc/passwd.
Remove the sshd service.  Start over.

In another mail you wrote:

> cyg_server is already taken by a non-privileged user
> connected to the cygserver service.

Why?  The cygserver service *can* run under a non-privileged account,
but it's not supposed to.  It's not even supposed to run under the
cyg_server account, but under SYSTEM (or LocalSystem) because it
usually needs certain privileges.  The cygserver-config script does
exactly that.


Corinna

--
Corinna Vinschen                  Please, send mails regarding Cygwin to
Cygwin Maintainer                 cygwin AT cygwin DOT com
Red Hat
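
The two conditions sshd enforced in the log above (host keys must not be group/other accessible, and the privilege-separation directory must be owned by the account running sshd and not be group/world-writable) can be checked before the service is started. The script below is an added example for this thread, not part of ssh-host-config or OpenSSH; it assumes GNU stat (as shipped with Cygwin) and takes the service account (cyg_server in the thread) as the expected owner, since on Cygwin "root" in sshd's message means that account.

```shell
#!/bin/sh
# Pre-flight check for an automated Cygwin sshd install (added example,
# not from ssh-host-config). It mirrors the two checks sshd failed on in
# the log: key file modes and the ownership/mode of /var/empty.
# Assumes GNU stat; $owner is the account that runs the sshd service.

# Return 0 when a private key file has no group/other permission bits.
# sshd refused the thread's keys because they were 0660.
key_perms_ok() {
    m=$(stat -c '%a' "$1" 2>/dev/null) || return 2
    [ $(( 0$m & 077 )) -eq 0 ]
}

# Return 0 when the privsep directory is owned by the sshd service
# account and is neither group- nor world-writable (Cygwin reading of
# "/var/empty must be owned by root and not group or world-writable").
privsep_dir_ok() {
    dir=$1; owner=$2
    o=$(stat -c '%U' "$dir" 2>/dev/null) || return 2
    m=$(stat -c '%a' "$dir") || return 2
    [ "$o" = "$owner" ] && [ $(( 0$m & 022 )) -eq 0 ]
}

# Check every ssh_host_*_key under $1 and the privsep dir $2 for owner $3.
# Prints one line per problem; the return value is the number of problems.
sshd_preflight() {
    etc=$1; empty=$2; owner=$3; bad=0
    for k in "$etc"/ssh_host_*_key; do
        [ -f "$k" ] || continue
        key_perms_ok "$k" || { echo "too open: $k ($(stat -c '%a' "$k"))"; bad=$((bad+1)); }
    done
    privsep_dir_ok "$empty" "$owner" || { echo "bad privsep dir: $empty"; bad=$((bad+1)); }
    return $bad
}

# Demo on constructed files (not the real /etc or /var/empty).
demo=$(mktemp -d)
mkdir "$demo/etc" "$demo/empty"
for t in rsa ecdsa ed25519; do : > "$demo/etc/ssh_host_${t}_key"; done
chmod 0660 "$demo/etc/ssh_host_rsa_key"                      # the mistake from the log
chmod 0600 "$demo/etc/ssh_host_ecdsa_key" "$demo/etc/ssh_host_ed25519_key"
chmod 0700 "$demo/empty"
if sshd_preflight "$demo/etc" "$demo/empty" "$(id -un)"; then
    echo "sshd pre-flight: ok"
else
    echo "sshd pre-flight: $? problem(s), do not start the service yet"
fi
```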


Re: Silently configure sshd fails via system account

PolarStorm
In reply to this post by Paul Griffith
Paul Griffith wrote
...
/usr/bin/ssh-host-config --yes --cygwin ntsec --user cyg_server --pwd blah
...
Just a few things...

1) Don't do that (manually).
First of all, "ntsec" is deprecated. Second, there are a lot of strange issues when
using "--yes", just answer the questions manually, especially since you don't need
all those keys just to have ssh work.

2) Make sure you run the ssh-host-config from an "administrator" cygwin shell.

3) Check your /etc/sshd-config for: "UsePrivilegeSeparation sandbox" which is
the new default. The ssh-host-config script has a bug on line 169 that attempts
to set this to "no", but where the regex fails. (I told people in THIS nabble post, but I
don't think it ever reached the main mailing list.)

4) The sshd user password is set to expire by default after 42 days, in Windows 8.1.
Fix it if you're using that.



Re: Silently configure sshd fails via system account

Corinna Vinschen-2
On Mar 18 18:24, PolarStorm wrote:
> 3) Check your /etc/sshd-config for: "UsePrivilegeSeparation sandbox" which
> is the new default. The ssh-host-config script has a bug on line 169 that
> attempts to set this to "no", but where the regex fails. (I told people in
> THIS <http://cygwin.1069669.n5.nabble.com/CSIH-SSH-setup-script-problems-on-W81-64-tp106953.html>
> nabble post, but I don't think it ever reached the main mailing list.)

No, it didn't.  Thanks for the hint, I'll look into updating the
ssh-host-config script.


Corinna


Re: Silently configure sshd fails via system account

Paul Griffith
In reply to this post by PolarStorm
On 03/18/2014 09:24 PM, PolarStorm wrote:

> Paul Griffith wrote
>> ...
>> /usr/bin/ssh-host-config --yes --cygwin ntsec --user cyg_server --pwd blah
>> ...
>
> Just a few things...
>
> 1) Don't do that (manually).
> First of all, "ntsec" is deprecated. Second, there are a lot of strange
> issues when using "--yes", just answer the questions manually, especially
> since you don't need all those keys just to have ssh work.
>
> 2) Make sure you run the ssh-host-config from an "administrator" cygwin
> shell.
>
> 3) Check your /etc/sshd-config for: "UsePrivilegeSeparation sandbox" which
> is the new default. The ssh-host-config script has a bug on line 169 that
> attempts to set this to "no", but where the regex fails. (I told people in
> THIS <http://cygwin.1069669.n5.nabble.com/CSIH-SSH-setup-script-problems-on-W81-64-tp106953.html>
> nabble post, but I don't think it ever reached the main mailing list.)
>
> 4) The sshd user password is set to expire by default after 42 days, in
> Windows 8.1.
> Fix it if you're using that.
>


Thanks Gene for the heads up, it will help me fine tune my setup!  I need to use the "--yes" option because I am building an automated installation for Windows 7.

Cheers,
Paul

