strange cygwin sshd user generated (user name includes machine name)

strange cygwin sshd user generated (user name includes machine name)

[Peter Moore]

[-- Attachment #1: Type: text/plain, Size: 3092 bytes --]

Hi,

I have a powershell script for installing cygwin and setting up sshd which I am using as UserData when firing up a Windows 2012 R2 instance in AWS EC2.

The same command succeeds when run manually, but fails when called from automation. I’m trying to understand what it is that is different, so I can fix it in automation.

The command called is:

ssh-host-config -y -c 'ntsec mintty' -u 'cygwinsshd' -w 'qwe123QWE!@#'

When I run manually, logged in as Administrator, I get a log line like this (notice the correct “Cygwin name”):

*** Query: Create new privileged user account 'WIN-EFPDIM0SAUP\cygwinsshd' (Cygwin name: ‘cygwinsshd')? (yes/no) yes

When I run from automation, the log line looks like this (notice the incorrect “Cygwin name”):

*** Query: Create new privileged user account 'WIN-EFPDIM0SAUP\cygwinsshd' (Cygwin name: 'win-efpdim0saup+cygwinsshd')? (yes/no) yes

It seems the extended “Cygwin name” which I get in automation causes ssh-host-config to fail. I’m trying to establish what causes the cygwin name to get the prefix of the machine name, since this seems to cause the problem.

For reference, below I’ve put the logs in both the successful (manual) case, and the failing (automated) case.

If anyone can point me to the source code of ssh-host-config I’m also happy to dig - I couldn’t find it online. So if you’re not sure, but know where the source is, I’m happy to look.

Many thanks in advance!
Pete



SUCCESSFUL run (when executed manually):

*** Query: Create new privileged user account 'WIN-EFPDIM0SAUP\cygwinsshd' (Cygwin name: ‘cygwinsshd')? (yes/no) yes
*** Info: User ‘cygwinsshd' has been created with password 'qwe123QWE!@#'.
*** Info: If you change the password, please remember also to change the
*** Info: password for the installed services which use (or will soon use)
*** Info: the ‘cygwinsshd' account.

*** Info: The sshd service has been installed under the ‘cygwinsshd'
*** Info: account.  To start the service now, call `net start sshd' or
*** Info: `cygrunsrv -S sshd'.  Otherwise, it will start automatically
*** Info: after the next reboot.
*** Info: Host configuration finished. Have fun!


FAILED run (when called in automation):

*** Query: Create new privileged user account 'WIN-EFPDIM0SAUP\cygwinsshd' (Cygwin name: 'win-efpdim0saup+cygwinsshd')? (yes/no) yes
*** Info: User 'win-efpdim0saup+cygwinsshd' has been created with password 'qwe123QWE!@#'.
*** Info: If you change the password, please remember also to change the
*** Info: password for the installed services which use (or will soon use)
*** Info: the 'win-efpdim0saup+cygwinsshd' account.

*** Warning: Setting password expiry for user 'win-efpdim0saup+cygwinsshd' failed!
*** Warning: Please check that password never expires or set it to your needs.
No user or group 'win-efpdim0saup+cygwinsshd' known.
*** Warning: Assigning the appropriate privileges to user 'win-efpdim0saup+cygwinsshd' failed!
*** ERROR: There was a serious problem creating a privileged user.


[-- Attachment #2: Message signed with OpenPGP using GPGMail --]
[-- Type: application/pgp-signature, Size: 495 bytes --]

Re: strange cygwin sshd user generated (user name includes machine name)

[Peter Moore]

[-- Attachment #1: Type: text/plain, Size: 4029 bytes --]

After a little bit more digging, I think the cygwin name is coming from the output of getent here:

https://cygwin.com/git/gitweb.cgi?p=cygwin-csih.git;a=blob;f=cygwin-service-installation-helper.sh;h=10ab4fb6d47803c9ffabdde51923fc2c3f0496bb;hb=7ca191bebb52ae414bb2a2e37ef22d94f2658dc7#l2705

At this point, I’m not sure what causes getent to return different values when run in automation, and when run manually. I wonder if there is some kind of race condition, such that some subsystem is still updating at the point I install cygwin sshd.

For reference, this is the powershell script, see lines 77 onwards:
https://hg.mozilla.org/try/file/4905af7c52e5/testing/taskcluster/worker_types/win2012r2/aws_userdata

Thanks!
Pete



> On 03 Oct 2015, at 19:12, Peter Moore <pmoore@mozilla.com> wrote:
> 
> Hi,
> 
> I have a powershell script for installing cygwin and setting up sshd which I am using as UserData when firing up a Windows 2012 R2 instance in AWS EC2.
> 
> The same command succeeds when run manually, but fails when called from automation. I’m trying to understand what it is that is different, so I can fix it in automation.
> 
> The command called is:
> 
> ssh-host-config -y -c 'ntsec mintty' -u 'cygwinsshd' -w 'qwe123QWE!@#'
> 
> When I run manually, logged in as Administrator, I get a log line like this (notice the correct “Cygwin name”):
> 
> *** Query: Create new privileged user account 'WIN-EFPDIM0SAUP\cygwinsshd' (Cygwin name: ‘cygwinsshd')? (yes/no) yes
> 
> When I run from automation, the log line looks like this (notice the incorrect “Cygwin name”):
> 
> *** Query: Create new privileged user account 'WIN-EFPDIM0SAUP\cygwinsshd' (Cygwin name: 'win-efpdim0saup+cygwinsshd')? (yes/no) yes
> 
> It seems the extended “Cygwin name” which I get in automation causes ssh-host-config to fail. I’m trying to establish what causes the cygwin name to get the prefix of the machine name, since this seems to cause the problem.
> 
> For reference, below I’ve put the logs in both the successful (manual) case, and the failing (automated) case.
> 
> If anyone can point me to the source code of ssh-host-config I’m also happy to dig - I couldn’t find it online. So if you’re not sure, but know where the source is, I’m happy to look.
> 
> Many thanks in advance!
> Pete
> 
> 
> 
> SUCCESSFUL run (when executed manually):
> 
> *** Query: Create new privileged user account 'WIN-EFPDIM0SAUP\cygwinsshd' (Cygwin name: ‘cygwinsshd')? (yes/no) yes
> *** Info: User ‘cygwinsshd' has been created with password 'qwe123QWE!@#'.
> *** Info: If you change the password, please remember also to change the
> *** Info: password for the installed services which use (or will soon use)
> *** Info: the ‘cygwinsshd' account.
> 
> *** Info: The sshd service has been installed under the ‘cygwinsshd'
> *** Info: account.  To start the service now, call `net start sshd' or
> *** Info: `cygrunsrv -S sshd'.  Otherwise, it will start automatically
> *** Info: after the next reboot.
> *** Info: Host configuration finished. Have fun!
> 
> 
> FAILED run (when called in automation):
> 
> *** Query: Create new privileged user account 'WIN-EFPDIM0SAUP\cygwinsshd' (Cygwin name: 'win-efpdim0saup+cygwinsshd')? (yes/no) yes
> *** Info: User 'win-efpdim0saup+cygwinsshd' has been created with password 'qwe123QWE!@#'.
> *** Info: If you change the password, please remember also to change the
> *** Info: password for the installed services which use (or will soon use)
> *** Info: the 'win-efpdim0saup+cygwinsshd' account.
> 
> *** Warning: Setting password expiry for user 'win-efpdim0saup+cygwinsshd' failed!
> *** Warning: Please check that password never expires or set it to your needs.
> No user or group 'win-efpdim0saup+cygwinsshd' known.
> *** Warning: Assigning the appropriate privileges to user 'win-efpdim0saup+cygwinsshd' failed!
> *** ERROR: There was a serious problem creating a privileged user.
> 


[-- Attachment #2: Message signed with OpenPGP using GPGMail --]
[-- Type: application/pgp-signature, Size: 495 bytes --]

Re: strange cygwin sshd user generated (user name includes machine name)

[Linda Walsh]

Peter Moore wrote:
> Hi,
> 
> I have a powershell script for installing cygwin and setting up sshd which I am using as UserData when firing up a Windows 2012 R2 instance in AWS EC2.
> 
> The same command succeeds when run manually, but fails when called from automation. I’m trying to understand what it is that is different, so I can fix it in automation.
> 
----
I have both a domain account (Bliss) and a local account on my 
winclient(Athenae): Bliss\linda & linda

Using Domain account on client -> Domain server
> ssh Bliss 
server logs say:
... sshd[49322]: pam_winbind(sshd:account): user 'Bliss\linda' granted access
using
> ssh linda@Bliss, server logs say:
sshd[51179]: pam_winbind(sshd:account): user 'linda' granted access


Using local account on client ->Domain:
> ssh Bliss
server says:
Oct  9 20:51:21 Ishtar sshd[51787]: pam_winbind(sshd:account): user 'linda' granted access
if I want to login to the domain account, I need to specify it as the user:
> ssh 'Bliss\linda'@Bliss
server says:
sshd[51982]: pam_winbind(sshd:account): user 'Bliss\linda' granted access

so in the above case, I am seeing a similar "symptom" -- where it uses
'domain\user' when I'm logged in my domain account 
and just 'user' if I specify 'user@Domain'.

Both login to the *same* account on the PDC -- because on the PDC
local users are domain users -- because the SID of the local machine
is the same as the domain SID.

I.e. on the domain server, I can display the domain or the local machine SID:

> net getlocalsid   #note, it equates local machine name as a domain name in this case
SID for domain ISHTAR is: S-1-5-21-33333-77777-33333

When I ask for the domain sid: it displays both:

> net getdomainsid
SID for local machine ISHTAR is: S-1-5-21-33333-77777-33333
SID for domain BLISS is: S-1-5-21-33333-77777-33333

----
So first, obvious question is "are domains involved",
but 2nd question ... are the machine 'SIDS' the same in both cases?

I.e. when you run 'live' vs. run under automation, maybe the 'automation'
looks like a different machine name and uses a different 'sid'?  
That'd be my best guess...I only replied because I have seen the same
symptom depending on usage of the domain vs. local account.


Good luck!




--
Problem reports:       http://cygwin.com/problems.html
FAQ:                   http://cygwin.com/faq/
Documentation:         http://cygwin.com/docs.html
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple

Re: strange cygwin sshd user generated (user name includes machine name)

[Peter Moore]

[-- Attachment #1: Type: text/plain, Size: 5276 bytes --]

RESOLVED! =)

I’m happy to report Brian McGeorge found a solution, which was kindly passed on to me via Ben Stragnell. The answer is to set the environment variable LOGONSERVER to \\%COMPUTERNAME%.

This works by not executing the body of the if statement in: https://cygwin.com/git/gitweb.cgi?p=cygwin-csih.git;a=blob;f=cygwin-service-installation-helper.sh;h=10ab4fb6d47803c9ffabdde51923fc2c3f0496bb;hb=7ca191bebb52ae414bb2a2e37ef22d94f2658dc7#l2884

(lines 2884 to 2890)

My working user data now looks like this (note - you need to see both links for context - different parts of the same user data file).

    * https://github.com/taskcluster/generic-worker/blob/b0786db002921d3ec7d40053ac2e6799679ab290/worker_types/win2012r2/userdata#L4
    * https://github.com/taskcluster/generic-worker/blob/b0786db002921d3ec7d40053ac2e6799679ab290/worker_types/win2012r2/userdata#L81-L101

The addition to the powershell script was simply:

    $env:LOGONSERVER = "\\" + $env:COMPUTERNAME

I can confirm this fix works! Thanks again to Brian and Ben. =)

Pete



> On 03 Oct 2015, at 20:27, Peter Moore <pmoore@mozilla.com> wrote:
> 
> After a little bit more digging, I think the cygwin name is coming from the output of getent here:
> 
> https://cygwin.com/git/gitweb.cgi?p=cygwin-csih.git;a=blob;f=cygwin-service-installation-helper.sh;h=10ab4fb6d47803c9ffabdde51923fc2c3f0496bb;hb=7ca191bebb52ae414bb2a2e37ef22d94f2658dc7#l2705
> 
> At this point, I’m not sure what causes getent to return different values when run in automation, and when run manually. I wonder if there is some kind of race condition, such that some subsystem is still updating at the point I install cygwin sshd.
> 
> For reference, this is the powershell script, see lines 77 onwards:
> https://hg.mozilla.org/try/file/4905af7c52e5/testing/taskcluster/worker_types/win2012r2/aws_userdata
> 
> Thanks!
> Pete
> 
> 
> 
>> On 03 Oct 2015, at 19:12, Peter Moore <pmoore@mozilla.com> wrote:
>> 
>> Hi,
>> 
>> I have a powershell script for installing cygwin and setting up sshd which I am using as UserData when firing up a Windows 2012 R2 instance in AWS EC2.
>> 
>> The same command succeeds when run manually, but fails when called from automation. I’m trying to understand what it is that is different, so I can fix it in automation.
>> 
>> The command called is:
>> 
>> ssh-host-config -y -c 'ntsec mintty' -u 'cygwinsshd' -w 'qwe123QWE!@#'
>> 
>> When I run manually, logged in as Administrator, I get a log line like this (notice the correct “Cygwin name”):
>> 
>> *** Query: Create new privileged user account 'WIN-EFPDIM0SAUP\cygwinsshd' (Cygwin name: ‘cygwinsshd')? (yes/no) yes
>> 
>> When I run from automation, the log line looks like this (notice the incorrect “Cygwin name”):
>> 
>> *** Query: Create new privileged user account 'WIN-EFPDIM0SAUP\cygwinsshd' (Cygwin name: 'win-efpdim0saup+cygwinsshd')? (yes/no) yes
>> 
>> It seems the extended “Cygwin name” which I get in automation causes ssh-host-config to fail. I’m trying to establish what causes the cygwin name to get the prefix of the machine name, since this seems to cause the problem.
>> 
>> For reference, below I’ve put the logs in both the successful (manual) case, and the failing (automated) case.
>> 
>> If anyone can point me to the source code of ssh-host-config I’m also happy to dig - I couldn’t find it online. So if you’re not sure, but know where the source is, I’m happy to look.
>> 
>> Many thanks in advance!
>> Pete
>> 
>> 
>> 
>> SUCCESSFUL run (when executed manually):
>> 
>> *** Query: Create new privileged user account 'WIN-EFPDIM0SAUP\cygwinsshd' (Cygwin name: ‘cygwinsshd')? (yes/no) yes
>> *** Info: User ‘cygwinsshd' has been created with password 'qwe123QWE!@#'.
>> *** Info: If you change the password, please remember also to change the
>> *** Info: password for the installed services which use (or will soon use)
>> *** Info: the ‘cygwinsshd' account.
>> 
>> *** Info: The sshd service has been installed under the ‘cygwinsshd'
>> *** Info: account.  To start the service now, call `net start sshd' or
>> *** Info: `cygrunsrv -S sshd'.  Otherwise, it will start automatically
>> *** Info: after the next reboot.
>> *** Info: Host configuration finished. Have fun!
>> 
>> 
>> FAILED run (when called in automation):
>> 
>> *** Query: Create new privileged user account 'WIN-EFPDIM0SAUP\cygwinsshd' (Cygwin name: 'win-efpdim0saup+cygwinsshd')? (yes/no) yes
>> *** Info: User 'win-efpdim0saup+cygwinsshd' has been created with password 'qwe123QWE!@#'.
>> *** Info: If you change the password, please remember also to change the
>> *** Info: password for the installed services which use (or will soon use)
>> *** Info: the 'win-efpdim0saup+cygwinsshd' account.
>> 
>> *** Warning: Setting password expiry for user 'win-efpdim0saup+cygwinsshd' failed!
>> *** Warning: Please check that password never expires or set it to your needs.
>> No user or group 'win-efpdim0saup+cygwinsshd' known.
>> *** Warning: Assigning the appropriate privileges to user 'win-efpdim0saup+cygwinsshd' failed!
>> *** ERROR: There was a serious problem creating a privileged user.
>> 
> 


[-- Attachment #2: Message signed with OpenPGP using GPGMail --]
[-- Type: application/pgp-signature, Size: 495 bytes --]

Re: strange cygwin sshd user generated (user name includes machine name)

[Pete Moore]

RESOLVED! =)

I’m happy to report Brian McGeorge found a solution, which was kindly
passed on to me via Ben Stragnell. The answer is to set the
environment variable LOGONSERVER to \\%COMPUTERNAME%.

This works by not executing the body of the if statement in:
https://cygwin.com/git/gitweb.cgi?p=cygwin-csih.git;a=blob;f=cygwin-service-installation-helper.sh;h=10ab4fb6d47803c9ffabdde51923fc2c3f0496bb;hb=7ca191bebb52ae414bb2a2e37ef22d94f2658dc7#l2884

(lines 2884 to 2890)

My working user data now looks like this (note - you need to see both
links for context - different parts of the same user data file).

   * https://github.com/taskcluster/generic-worker/blob/b0786db002921d3ec7d40053ac2e6799679ab290/worker_types/win2012r2/userdata#L4
   * https://github.com/taskcluster/generic-worker/blob/b0786db002921d3ec7d40053ac2e6799679ab290/worker_types/win2012r2/userdata#L81-L101

The addition to the powershell script was simply:

   $env:LOGONSERVER = "\\" + $env:COMPUTERNAME

I can confirm this fix works! Thanks again to Brian and Ben. =)

Pete

--
Problem reports:       http://cygwin.com/problems.html
FAQ:                   http://cygwin.com/faq/
Documentation:         http://cygwin.com/docs.html
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple